Bug#776395: java-package: Does not use the system's keystore
Then it's fine. No hurry. Good luck with the Jessie release!

Cheers!
Francesc

On 23 February 2015 at 16:00, Emmanuel Bourg ebo...@apache.org wrote:
> On 23/02/2015 15:43, Francesc Zacarias wrote:
>> Hi! It's been nearly a month and the patch does not seem to be applied to experimental or unstable yet. Is there a problem?
>
> There is no problem, I'm just busy on other things and since we are still under the Jessie freeze I haven't rushed to upload it. If you need this quickly I can upload it to experimental though.
>
> Emmanuel Bourg

-- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776395: java-package: Does not use the system's keystore
Hi! It's been nearly a month and the patch does not seem to be applied to experimental or unstable yet. Is there a problem?

Kind regards,
Francesc

On 29 January 2015 at 16:10, Emmanuel Bourg ebo...@apache.org wrote:
> This looks excellent, thank you very much. I'll merge it in the next upload.
>
> Emmanuel Bourg
Bug#776395: java-package: Does not use the system's keystore
On 23/02/2015 15:43, Francesc Zacarias wrote:
> Hi! It's been nearly a month and the patch does not seem to be applied to experimental or unstable yet. Is there a problem?

There is no problem, I'm just busy on other things and since we are still under the Jessie freeze I haven't rushed to upload it. If you need this quickly I can upload it to experimental though.

Emmanuel Bourg
Bug#776395: java-package: Does not use the system's keystore
Hi Emmanuel, Good point! I'm attaching a new patch adding a switch to enable or disable this feature. The default is disabled, so the script will work as before unless explicitly stated. Please, tell me if I need to do something else to get this merged. Cheers! Francesc On 28 January 2015 at 00:07, Emmanuel Bourg ebo...@apache.org wrote: Hi Francesc, Thank you for the patch, this is an interesting suggestion. I wonder if we should really go that far with the system integration of the generated package though. I can imagine that someone may want to install a stock Oracle JRE with no Debian interferences. So maybe this integration could be enabled optionally with a --with-system-certificates parameter on the command line. Emmanuel Bourg From de83ea689caf8bc072155d3da57ed06f78127a40 Mon Sep 17 00:00:00 2001 From: Francesc Zacarias franc...@spotify.com Date: Tue, 27 Jan 2015 17:07:43 +0100 Subject: [PATCH] Add option to integrate with the system's keystore --- lib/javase.sh | 10 +- lib/jdk.sh| 3 +++ lib/jre.sh| 5 - make-jpkg | 17 ++--- make-jpkg.1 | 5 + 5 files changed, 31 insertions(+), 9 deletions(-) diff --git a/lib/javase.sh b/lib/javase.sh index 3e539b3..9bfd3ec 100644 --- a/lib/javase.sh +++ b/lib/javase.sh @@ -126,8 +126,16 @@ if [ \$1 = configure ]; then update-alternatives --install \$link_path/\$link_name \$plugin_name \$plugin $j2se_priority fi } - EOF +if [ $create_cert_softlinks == true ];then +cat $debian_dir/postinst EOF +for subdir in lib/security jre/lib/security;do +if [ -f $jvm_base$j2se_name/\$subdir/cacerts ]; then +ln -sf /etc/ssl/certs/java/cacerts $jvm_base$j2se_name/\$subdir/cacerts +fi +done +EOF +fi eval $j2se_install $debian_dir/postinst cat $debian_dir/postinst EOF diff --git a/lib/jdk.sh b/lib/jdk.sh index 1c75876..46dec6f 100644 --- a/lib/jdk.sh +++ b/lib/jdk.sh 
@@ -13,6 +13,9 @@ j2sdk_control() { # No browser on ARM yet java_browser_plugin= fi +if [ $create_cert_softlinks == true ]; then +depends=$depends, ca-certificates-java +fi for i in `seq 5 ${j2se_release}`; do provides_runtime=${provides_runtime} java${i}-runtime, diff --git a/lib/jre.sh b/lib/jre.sh index 93aed8b..7b339d8 100644 --- a/lib/jre.sh +++ b/lib/jre.sh @@ -1,6 +1,9 @@ j2re_control() { j2se_control +if [ $create_cert_softlinks == true ]; then +depends=ca-certificates-java +fi for i in `seq 5 ${j2se_release}`; do provides_runtime=${provides_runtime} java${i}-runtime, @@ -9,7 +12,7 @@ j2re_control() { cat EOF Package: $j2se_package Architecture: any -Depends: \${misc:Depends}, \${shlibs:Depends} +Depends: \${misc:Depends}, \${shlibs:Depends}, $depends Recommends: netbase Provides: java-virtual-machine, java-runtime, java2-runtime, $provides_runtime java-runtime-headless, java2-runtime-headless, $provides_headless java-browser-plugin Description: $j2se_title diff --git a/make-jpkg b/make-jpkg index a90c26e..6e53003 100755 --- a/make-jpkg +++ b/make-jpkg @@ -79,14 +79,15 @@ Supported java binary distributions currently include: The following options are recognized: - --full-name NAME full name used in the maintainer field of the package - --email EMAIL email address used in the maintainer field of the package - --changes create a .changes file - --revision add debian revision - --source build a source package instead of a binary deb package + --full-name NAME full name used in the maintainer field of the package + --email EMAILemail address used in the maintainer field of the package + --changescreate a .changes file + --revision add debian revision + --source build a source package instead of a binary deb package + --with-system-certs integrate with the system's keystore - --help display this help and exit - --version output version information and exit + --help display this help and exit + --versionoutput version information and exit EOF } 
@@ -131,6 +132,8 @@ while [[ $# -gt 0 x$1 == x--* ]]; do genchanges=true elif [[ x$1 == x--source ]]; then build_source=true +elif [[ x$1 == x--with-system-certs ]]; then +create_cert_softlinks=true else unrecognized_option $1 fi diff --git a/make-jpkg.1 b/make-jpkg.1 index bceec92..ba1d000 100644 --- a/make-jpkg.1 +++ b/make-jpkg.1 @@ -52,6 +52,11 @@ add debian revision .B --source build a source package instead of a binary deb package .TP +.B --with-system-certs +Replace the JVMs keystore with a softlink to the system's keystore, +(/etc/ssl/certs/java/cacerts) which is managed automatically by the +ca-certificates and ca-certificates-java packages. +.TP .B --help display help text and exit .TP -- 2.1.4
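Review bot: in the lib/jre.sh hunk, depends=ca-certificates-java overwrites the variable, while the lib/jdk.sh hunk appends to it (depends=$depends, ca-certificates-java); anything j2se_control may have placed in depends is silently dropped for JRE packages. The same hunk changes the control template to end in ", $depends", so when --with-system-certs is not given the generated Depends line ends with a dangling comma. Suggest appending in both files and emitting the separator only when there is something to add.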
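Review bot: in the lib/javase.sh hunk, the generated postinst runs ln -sf over the vendor's cacerts without keeping a copy and without checking that /etc/ssl/certs/java/cacerts exists, and no hunk adds a step that undoes the link. From the first configure onwards the JVM trusts exactly the CAs in the system keystore, and a missing target would leave it with a dangling trust store. Suggest guarding the link with a test for the target and keeping the original file under another name so the change can be reverted.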
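Review bot: the make-jpkg option-parsing hunk only ever assigns create_cert_softlinks=true, and none of the hunks gives the variable a default, so the tests added in lib/javase.sh, lib/jdk.sh and lib/jre.sh compare an unset variable whenever the option is absent. Suggest setting create_cert_softlinks=false before the option loop. The option is also spelled --with-system-certs here, while the review comment proposed --with-system-certificates; worth settling the name before it ships in the help text and man page.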
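Review bot: the make-jpkg.1 hunk leaves out the two side effects a user needs to know before enabling the option: the package gains a dependency on ca-certificates-java, and the cacerts file shipped with the JVM is replaced rather than merged. Suggest stating both. Wording: "JVMs keystore" should read "JVM's keystore", and the comma belongs after the parenthesised path, not before it.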
Bug#776395: java-package: Does not use the system's keystore
This looks excellent, thank you very much. I'll merge it in the next upload.

Emmanuel Bourg
Bug#776395: java-package: Does not use the system's keystore
Hi Francesc,

Thank you for the patch, this is an interesting suggestion. I wonder if we should really go that far with the system integration of the generated package though. I can imagine that someone may want to install a stock Oracle JRE with no Debian interferences. So maybe this integration could be enabled optionally with a --with-system-certificates parameter on the command line.

Emmanuel Bourg
Bug#776395: java-package: Does not use the system's keystore
Package: java-package Version: 0.56 Severity: important Tags: patch Dear Maintainer, JVMs supported by Debian create a symlink for the keystore in $JAVA_HOME/lib/security/cacerts pointing to /etc/ssl/certs/java/cacerts. This, together with package ca-certificates-java, unifies the management of the keystore of all Debian JVMs very nicely. Packages generated with java-package do not create that symlink and do not depend on ca-certificates-java which means that the standard process to install SSL certificates (see /usr/share/doc/ca-certificates/README.Debian) is broken. The attached patch fixes this issue. -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages java-package depends on: ii debhelper 9.20141022 ii dpkg-dev1.17.23 ii fakeroot1.20.2-1 ii libasound2 1.0.28-1 ii libx11-62:1.6.2-3 ii unzip 6.0-14 Versions of packages java-package recommends: ii gcc 4:4.9.1-5 Versions of packages java-package suggests: ii openjdk-7-jre 7u71-2.5.3-2 -- no debconf information From 31ae773023ded5aa6e7d20bc2b63a33ab20d48b9 Mon Sep 17 00:00:00 2001 From: Francesc Zacarias franc...@spotify.com Date: Tue, 27 Jan 2015 17:07:43 +0100 Subject: [PATCH] Unify cacerts --- lib/jdk.sh| 2 +- lib/jre.sh| 2 +- lib/oracle-jdk.sh | 2 ++ lib/oracle-jre.sh | 2 ++ 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/jdk.sh b/lib/jdk.sh index 1c75876..45ebb30 100644 --- a/lib/jdk.sh +++ b/lib/jdk.sh 
@@ -22,7 +22,7 @@ j2sdk_control() { cat EOF Package: $j2se_package Architecture: any -Depends: \${misc:Depends}, $depends +Depends: \${misc:Depends}, $depends, ca-certificates-java Recommends: netbase Provides: java-virtual-machine, java-runtime, java2-runtime, $provides_runtime $java_browser_plugin java-compiler, java2-compiler, java-runtime-headless, java2-runtime-headless, $provides_headless java-sdk, java2-sdk, $provides_sdk Description: $j2se_title diff --git a/lib/jre.sh b/lib/jre.sh index 93aed8b..eb9a3cd 100644 --- a/lib/jre.sh +++ b/lib/jre.sh @@ -9,7 +9,7 @@ j2re_control() { cat EOF Package: $j2se_package Architecture: any -Depends: \${misc:Depends}, \${shlibs:Depends} +Depends: \${misc:Depends}, \${shlibs:Depends}, ca-certificates-java Recommends: netbase Provides: java-virtual-machine, java-runtime, java2-runtime, $provides_runtime java-runtime-headless, java2-runtime-headless, $provides_headless java-browser-plugin Description: $j2se_title diff --git a/lib/oracle-jdk.sh b/lib/oracle-jdk.sh index 1fa6657..6b3d45a 100644 --- a/lib/oracle-jdk.sh +++ b/lib/oracle-jdk.sh @@ -131,6 +131,8 @@ for b in $browser_plugin_dirs;do install_browser_plugin /usr/lib/\$b/plugins libjavaplugin.so \$b-javaplugin.so \$plugin_dir/libnpjp2.so done fi + +ln -sf /etc/ssl/certs/java/cacerts $jvm_base$j2se_name/jre/lib/security/cacerts EOF } diff --git a/lib/oracle-jre.sh b/lib/oracle-jre.sh index 2e1ab8c..6941a04 100644 --- a/lib/oracle-jre.sh +++ b/lib/oracle-jre.sh @@ -100,6 +100,8 @@ plugin_dir=$jvm_base$j2se_name/lib/$DEB_BUILD_ARCH for b in $browser_plugin_dirs;do install_browser_plugin /usr/lib/\$b/plugins libjavaplugin.so \$b-javaplugin.so \$plugin_dir/libnpjp2.so done + +ln -sf /etc/ssl/certs/java/cacerts $jvm_base$j2se_name/lib/security/cacerts EOF } -- 2.1.4
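Review bot: the lib/jdk.sh and lib/jre.sh hunks add ca-certificates-java to the Depends line of the common control templates, but the symlink itself is created only in lib/oracle-jdk.sh and lib/oracle-jre.sh. Any other distribution that is packaged through the same templates would gain the dependency without the link. Suggest creating the link in one shared place, or limiting the dependency to the packages that actually get the link.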
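Review bot: in the lib/oracle-jdk.sh and lib/oracle-jre.sh hunks, ln -sf is unconditional: it does not test that the security directory or the bundled cacerts exists, it discards the vendor trust store without keeping a copy, and the user has no way to opt out. Suggest a guard on the existing file and on /etc/ssl/certs/java/cacerts, and making the behaviour selectable at build time.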
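Added example, not part of the bug report or of java-package: a POSIX shell audit that classifies the cacerts file in the two locations the thread deals with (lib/security and jre/lib/security) as linked to the system keystore, bundled, dangling, or linked elsewhere. The function names and the SYSTEM_STORE variable are assumptions made for this example; the default path is the one named in the report.

```shell
#!/bin/sh
# Constructed example, not java-package code. SYSTEM_STORE defaults to the
# path named in the bug report; function names are hypothetical.
SYSTEM_STORE=${SYSTEM_STORE:-/etc/ssl/certs/java/cacerts}

# cacerts_state FILE
# Prints one of: absent | bundled | system | foreign | dangling
cacerts_state() {
    f=$1
    if [ -L "$f" ]; then
        if [ ! -e "$f" ]; then
            echo dangling            # link target does not exist
        elif [ "$(readlink -f "$f")" = "$(readlink -f "$SYSTEM_STORE")" ]; then
            echo system              # resolves to the system keystore
        else
            echo foreign             # symlink to some other store
        fi
    elif [ -f "$f" ]; then
        echo bundled                 # regular file shipped with the JVM
    else
        echo absent
    fi
}

# audit_jvm JVM_HOME
# Reports both candidate locations. Returns 1 if either holds a store that
# is not the system keystore.
audit_jvm() {
    home=$1
    rc=0
    for subdir in lib/security jre/lib/security; do
        state=$(cacerts_state "$home/$subdir/cacerts")
        printf '%s\t%s\n' "$state" "$home/$subdir/cacerts"
        case $state in
            bundled|foreign|dangling) rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: sh audit-cacerts.sh /usr/lib/jvm/*
for jvm in "$@"; do
    audit_jvm "$jvm" || true
done
```

A "bundled" result marks a JVM that certificates installed through ca-certificates will not reach, which is the situation the report describes.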