Bug#776395: java-package: Does not use the system's keystore
Then it's fine. No hurries. Good luck with the Jessie release! Cheers! Francesc On 23 February 2015 at 16:00, Emmanuel Bourg ebo...@apache.org wrote: Le 23/02/2015 15:43, Francesc Zacarias a écrit : Hi! It's been nearly a month and the patch does not seem to applied to experimental or unstable yet. Is there a problem? There is no problem, I'm just busy on other things and since we are still under the Jessie freeze I haven't rushed to upload it. If you need this quickly I can upload it to experimental though. Emmanuel Bourg -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776395: java-package: Does not use the system's keystore
Hi! It's been nearly a month and the patch does not seem to applied to experimental or unstable yet. Is there a problem? KInd regards, Francesc On 29 January 2015 at 16:10, Emmanuel Bourg ebo...@apache.org wrote: This looks excellent, thank you very much. I'll merge it in the next upload. Emmanuel Bourg -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776395: java-package: Does not use the system's keystore
Le 23/02/2015 15:43, Francesc Zacarias a écrit : Hi! It's been nearly a month and the patch does not seem to applied to experimental or unstable yet. Is there a problem? There is no problem, I'm just busy on other things and since we are still under the Jessie freeze I haven't rushed to upload it. If you need this quickly I can upload it to experimental though. Emmanuel Bourg -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776395: java-package: Does not use the system's keystore
Hi Emmanuel,
Good point! I'm attaching a new patch adding a switch to enable or
disable this feature. The default is disabled, so the script will work
as before unless explicitly stated.
Please, tell me if I need to do something else to get this merged.
Cheers!
Francesc
On 28 January 2015 at 00:07, Emmanuel Bourg ebo...@apache.org wrote:
Hi Francesc,
Thank you for the patch, this is an interesting suggestion. I wonder if
we should really go that far with the system integration of the
generated package though. I can imagine that someone may want to install
a stock Oracle JRE with no Debian interferences. So maybe this
integration could be enabled optionally with a
--with-system-certificates parameter on the command line.
Emmanuel Bourg
From de83ea689caf8bc072155d3da57ed06f78127a40 Mon Sep 17 00:00:00 2001
From: Francesc Zacarias franc...@spotify.com
Date: Tue, 27 Jan 2015 17:07:43 +0100
Subject: [PATCH] Add option to integrate with the system's keystore
---
lib/javase.sh | 10 +-
lib/jdk.sh| 3 +++
lib/jre.sh| 5 -
make-jpkg | 17 ++---
make-jpkg.1 | 5 +
5 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/lib/javase.sh b/lib/javase.sh
index 3e539b3..9bfd3ec 100644
--- a/lib/javase.sh
+++ b/lib/javase.sh
@@ -126,8 +126,16 @@ if [ \$1 = configure ]; then
update-alternatives --install \$link_path/\$link_name \$plugin_name \$plugin $j2se_priority
fi
}
-
EOF
+if [ $create_cert_softlinks == true ];then
+cat $debian_dir/postinst EOF
+for subdir in lib/security jre/lib/security;do
+if [ -f $jvm_base$j2se_name/\$subdir/cacerts ]; then
+ln -sf /etc/ssl/certs/java/cacerts $jvm_base$j2se_name/\$subdir/cacerts
+fi
+done
+EOF
+fi
eval $j2se_install $debian_dir/postinst
cat $debian_dir/postinst EOF
diff --git a/lib/jdk.sh b/lib/jdk.sh
index 1c75876..46dec6f 100644
--- a/lib/jdk.sh
+++ b/lib/jdk.sh
@@ -13,6 +13,9 @@ j2sdk_control() {
# No browser on ARM yet
java_browser_plugin=
fi
+if [ $create_cert_softlinks == true ]; then
+depends=$depends, ca-certificates-java
+fi
for i in `seq 5 ${j2se_release}`;
do
provides_runtime=${provides_runtime} java${i}-runtime,
diff --git a/lib/jre.sh b/lib/jre.sh
index 93aed8b..7b339d8 100644
--- a/lib/jre.sh
+++ b/lib/jre.sh
@@ -1,6 +1,9 @@
j2re_control() {
j2se_control
+if [ $create_cert_softlinks == true ]; then
+depends=ca-certificates-java
+fi
for i in `seq 5 ${j2se_release}`;
do
provides_runtime=${provides_runtime} java${i}-runtime,
@@ -9,7 +12,7 @@ j2re_control() {
cat EOF
Package: $j2se_package
Architecture: any
-Depends: \${misc:Depends}, \${shlibs:Depends}
+Depends: \${misc:Depends}, \${shlibs:Depends}, $depends
Recommends: netbase
Provides: java-virtual-machine, java-runtime, java2-runtime, $provides_runtime java-runtime-headless, java2-runtime-headless, $provides_headless java-browser-plugin
Description: $j2se_title
diff --git a/make-jpkg b/make-jpkg
index a90c26e..6e53003 100755
--- a/make-jpkg
+++ b/make-jpkg
@@ -79,14 +79,15 @@ Supported java binary distributions currently include:
The following options are recognized:
- --full-name NAME full name used in the maintainer field of the package
- --email EMAIL email address used in the maintainer field of the package
- --changes create a .changes file
- --revision add debian revision
- --source build a source package instead of a binary deb package
+ --full-name NAME full name used in the maintainer field of the package
+ --email EMAILemail address used in the maintainer field of the package
+ --changescreate a .changes file
+ --revision add debian revision
+ --source build a source package instead of a binary deb package
+ --with-system-certs integrate with the system's keystore
- --help display this help and exit
- --version output version information and exit
+ --help display this help and exit
+ --versionoutput version information and exit
EOF
}
@@ -131,6 +132,8 @@ while [[ $# -gt 0 x$1 == x--* ]]; do
genchanges=true
elif [[ x$1 == x--source ]]; then
build_source=true
+elif [[ x$1 == x--with-system-certs ]]; then
+create_cert_softlinks=true
else
unrecognized_option $1
fi
diff --git a/make-jpkg.1 b/make-jpkg.1
index bceec92..ba1d000 100644
--- a/make-jpkg.1
+++ b/make-jpkg.1
@@ -52,6 +52,11 @@ add debian revision
.B --source
build a source package instead of a binary deb package
.TP
+.B --with-system-certs
+Replace the JVMs keystore with a softlink to the system's keystore,
+(/etc/ssl/certs/java/cacerts) which is managed automatically by the
+ca-certificates and ca-certificates-java packages.
+.TP
.B --help
display help text and exit
.TP
--
2.1.4
Bug#776395: java-package: Does not use the system's keystore
This looks excellent, thank you very much. I'll merge it in the next upload. Emmanuel Bourg -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776395: java-package: Does not use the system's keystore
Hi Francesc, Thank you for the patch, this is an interesting suggestion. I wonder if we should really go that far with the system integration of the generated package though. I can imagine that someone may want to install a stock Oracle JRE with no Debian interferences. So maybe this integration could be enabled optionally with a --with-system-certificates parameter on the command line. Emmanuel Bourg -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776395: java-package: Does not use the system's keystore
Package: java-package
Version: 0.56
Severity: important
Tags: patch
Dear Maintainer,
JVMs supported by Debian create a symlink for the keystore in
$JAVA_HOME/lib/security/cacerts pointing to /etc/ssl/certs/java/cacerts.
This, together with package ca-certificates-java, unifies the
management of the keystore of all Debian JVMs very nicely.
Packages generated with java-package do not create that symlink and
do not depend on ca-certificates-java which means that the standard
process to install SSL certificates (see
/usr/share/doc/ca-certificates/README.Debian) is broken.
The attached patch fixes this issue.
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages java-package depends on:
ii debhelper 9.20141022
ii dpkg-dev1.17.23
ii fakeroot1.20.2-1
ii libasound2 1.0.28-1
ii libx11-62:1.6.2-3
ii unzip 6.0-14
Versions of packages java-package recommends:
ii gcc 4:4.9.1-5
Versions of packages java-package suggests:
ii openjdk-7-jre 7u71-2.5.3-2
-- no debconf information
From 31ae773023ded5aa6e7d20bc2b63a33ab20d48b9 Mon Sep 17 00:00:00 2001
From: Francesc Zacarias franc...@spotify.com
Date: Tue, 27 Jan 2015 17:07:43 +0100
Subject: [PATCH] Unify cacerts
---
lib/jdk.sh| 2 +-
lib/jre.sh| 2 +-
lib/oracle-jdk.sh | 2 ++
lib/oracle-jre.sh | 2 ++
4 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/jdk.sh b/lib/jdk.sh
index 1c75876..45ebb30 100644
--- a/lib/jdk.sh
+++ b/lib/jdk.sh
@@ -22,7 +22,7 @@ j2sdk_control() {
cat EOF
Package: $j2se_package
Architecture: any
-Depends: \${misc:Depends}, $depends
+Depends: \${misc:Depends}, $depends, ca-certificates-java
Recommends: netbase
Provides: java-virtual-machine, java-runtime, java2-runtime, $provides_runtime $java_browser_plugin java-compiler, java2-compiler, java-runtime-headless, java2-runtime-headless, $provides_headless java-sdk, java2-sdk, $provides_sdk
Description: $j2se_title
diff --git a/lib/jre.sh b/lib/jre.sh
index 93aed8b..eb9a3cd 100644
--- a/lib/jre.sh
+++ b/lib/jre.sh
@@ -9,7 +9,7 @@ j2re_control() {
cat EOF
Package: $j2se_package
Architecture: any
-Depends: \${misc:Depends}, \${shlibs:Depends}
+Depends: \${misc:Depends}, \${shlibs:Depends}, ca-certificates-java
Recommends: netbase
Provides: java-virtual-machine, java-runtime, java2-runtime, $provides_runtime java-runtime-headless, java2-runtime-headless, $provides_headless java-browser-plugin
Description: $j2se_title
diff --git a/lib/oracle-jdk.sh b/lib/oracle-jdk.sh
index 1fa6657..6b3d45a 100644
--- a/lib/oracle-jdk.sh
+++ b/lib/oracle-jdk.sh
@@ -131,6 +131,8 @@ for b in $browser_plugin_dirs;do
install_browser_plugin /usr/lib/\$b/plugins libjavaplugin.so \$b-javaplugin.so \$plugin_dir/libnpjp2.so
done
fi
+
+ln -sf /etc/ssl/certs/java/cacerts $jvm_base$j2se_name/jre/lib/security/cacerts
EOF
}
diff --git a/lib/oracle-jre.sh b/lib/oracle-jre.sh
index 2e1ab8c..6941a04 100644
--- a/lib/oracle-jre.sh
+++ b/lib/oracle-jre.sh
@@ -100,6 +100,8 @@ plugin_dir=$jvm_base$j2se_name/lib/$DEB_BUILD_ARCH
for b in $browser_plugin_dirs;do
install_browser_plugin /usr/lib/\$b/plugins libjavaplugin.so \$b-javaplugin.so \$plugin_dir/libnpjp2.so
done
+
+ln -sf /etc/ssl/certs/java/cacerts $jvm_base$j2se_name/lib/security/cacerts
EOF
}
--
2.1.4
