** Description changed: + [ Impact ] + In an otherwise clean machine (e.g. docker run ubuntu:jammy), `apt install openjdk-25-jre-headless` will also install openjdk-11-jre- headless. This is undesirable because openjdk-11 is end-of-life. The openjdk-17-jre-headless and openjdk-21-jre-headless packages do not exhibit this problem. The issue seems to be the dependency chain in which openjdk-25-jre- headless has Depends: ca-certificates-java, ca-certificates-java has Depends: default-jre-headless | java8-runtime-headless, and default-jre- headless has Depends: openjdk-11-jre-headless - openjdk-17 and openjdk-21 both have provides: java8-runtime-headless, and satisfy ca-certificates-java in that way. + openjdk-17 and openjdk-21 both have provides: java8-runtime-headless, and satisfy ca-certificates-java in that way. Provides: java-runtime-headless (= 21), [... many javaN-runtime-headless ...], java8-runtime-headless So they can satisfy the `| java8-runtime-headless` branch of ca- certificates-java, and apt ends up installing only the requested openjdk version.. + But openjdk-25-jre-headless has only `Provides: java-runtime-headless (= + 25)` and none of the other individual entries. - But openjdk-25-jre-headless has only `Provides: java-runtime-headless (= 25)` and none of the other individual entries. + These changes seem to be intentional on the debian side, see + https://salsa.debian.org/openjdk- + team/openjdk/-/commit/2fa0698ece274ae9e1539b5fa2289a59d332c6b3. And ca- + certificates likewise dropped the depends entry in + https://salsa.debian.org/java-team/ca-certificates- + java/-/commit/ff1821043d4cd3fc8e4d5a49bed9304135a479e6 + + But the security backport of openjdk-25-jre-headless is not consistent + with the version of ca-certificates-java in jammy. + + The updated ca-certificates-java in jammy need to depend on java- + runtime-headless (>=8) to be compatible with openjdk-25. + + ca-certificates-java in noble and up do not depend on Java runtime and + are not affected. + + [ Test Plan ] + + * `can-install-jre` autopkgtest tests that only one jre package is installed. + * The same test can be performed manually in Jammy chroot/vm: + $ apt install openjdk-25-jdk + ... + $ apt list | grep openjdk- + + Check that only openjdk-25 packages are installed. + + + [ Where problems could occur ] + + The package still depends on Java runtime and has a race condition with + jre installation. In the past we have added workarounds, e.g. + https://bugs.launchpad.net/ubuntu/+source/ca-certificates- + java/+bug/2019908 to allow partially installed jre package execute + certificate import. + + OpenJDK autopkgtests test Java installation so this mitigates the risk, but we will still have to do ca-certificates-java SRUs and users will occasionally get installation errors: + https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-vpa1977-ca-certificates-java/jammy/armhf/c/ca-certificates-java/20260219_192736_7cf50@/log.gz + + The permanent solution will be backporting Noble package, but this will + require an additional upload for openjdk-18 which was not updated for + the new ca-certificates-java. + + + [ Other Info ] + + n/a + + + Original Description: + + + In an otherwise clean machine (e.g. docker run ubuntu:jammy), `apt install openjdk-25-jre-headless` will also install openjdk-11-jre-headless. This is undesirable because openjdk-11 is end-of-life. + + The openjdk-17-jre-headless and openjdk-21-jre-headless packages do not + exhibit this problem. + + The issue seems to be the dependency chain in which openjdk-25-jre- + headless has Depends: ca-certificates-java, ca-certificates-java has + Depends: default-jre-headless | java8-runtime-headless, and default-jre- + headless has Depends: openjdk-11-jre-headless + + openjdk-17 and openjdk-21 both have provides: java8-runtime-headless, and satisfy ca-certificates-java in that way. + Provides: java-runtime-headless (= 21), [... many javaN-runtime-headless ...], java8-runtime-headless + + So they can satisfy the `| java8-runtime-headless` branch of ca- + certificates-java, and apt ends up installing only the requested openjdk + version.. + + But openjdk-25-jre-headless has only `Provides: java-runtime-headless (= + 25)` and none of the other individual entries. These changes seem to be intentional on the debian side, see https://salsa.debian.org/openjdk- team/openjdk/-/commit/2fa0698ece274ae9e1539b5fa2289a59d332c6b3. And ca- certificates likewise dropped the depends entry in https://salsa.debian.org/java-team/ca-certificates- java/-/commit/ff1821043d4cd3fc8e4d5a49bed9304135a479e6 But the security backport of openjdk-25-jre-headless is not consistent with the version of ca-certificates-java in jammy - either it needs the Provides: java8-runtime-headless put back, or ca-certificates-java needs the corresponding update to adjust its Depends.
** Description changed: [ Impact ] In an otherwise clean machine (e.g. docker run ubuntu:jammy), `apt install openjdk-25-jre-headless` will also install openjdk-11-jre- headless. This is undesirable because openjdk-11 is end-of-life. The openjdk-17-jre-headless and openjdk-21-jre-headless packages do not exhibit this problem. The issue seems to be the dependency chain in which openjdk-25-jre- headless has Depends: ca-certificates-java, ca-certificates-java has Depends: default-jre-headless | java8-runtime-headless, and default-jre- headless has Depends: openjdk-11-jre-headless openjdk-17 and openjdk-21 both have provides: java8-runtime-headless, and satisfy ca-certificates-java in that way. Provides: java-runtime-headless (= 21), [... many javaN-runtime-headless ...], java8-runtime-headless So they can satisfy the `| java8-runtime-headless` branch of ca- certificates-java, and apt ends up installing only the requested openjdk version.. But openjdk-25-jre-headless has only `Provides: java-runtime-headless (= 25)` and none of the other individual entries. These changes seem to be intentional on the debian side, see https://salsa.debian.org/openjdk- team/openjdk/-/commit/2fa0698ece274ae9e1539b5fa2289a59d332c6b3. And ca- certificates likewise dropped the depends entry in https://salsa.debian.org/java-team/ca-certificates- java/-/commit/ff1821043d4cd3fc8e4d5a49bed9304135a479e6 But the security backport of openjdk-25-jre-headless is not consistent with the version of ca-certificates-java in jammy. The updated ca-certificates-java in jammy need to depend on java- runtime-headless (>=8) to be compatible with openjdk-25. ca-certificates-java in noble and up do not depend on Java runtime and are not affected. [ Test Plan ] - * `can-install-jre` autopkgtest tests that only one jre package is installed. - * The same test can be performed manually in Jammy chroot/vm: - $ apt install openjdk-25-jdk - ... - $ apt list | grep openjdk- + * `can-install-jre` autopkgtest tests that only one jre package is installed. + * The same test can be performed manually in Jammy chroot/vm: + $ apt install openjdk-25-jdk + ... + $ apt list | grep openjdk- - Check that only openjdk-25 packages are installed. - + Check that only openjdk-25 packages are installed. [ Where problems could occur ] - The package still depends on Java runtime and has a race condition with + The package still depends on Java runtime and has a race condition with jre installation. In the past we have added workarounds, e.g. https://bugs.launchpad.net/ubuntu/+source/ca-certificates- java/+bug/2019908 to allow partially installed jre package execute certificate import. OpenJDK autopkgtests test Java installation so this mitigates the risk, but we will still have to do ca-certificates-java SRUs and users will occasionally get installation errors: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-vpa1977-ca-certificates-java/jammy/armhf/c/ca-certificates-java/20260219_192736_7cf50@/log.gz The permanent solution will be backporting Noble package, but this will require an additional upload for openjdk-18 which was not updated for the new ca-certificates-java. - [ Other Info ] n/a + [ Original Description: ] - Original Description: - - - In an otherwise clean machine (e.g. docker run ubuntu:jammy), `apt install openjdk-25-jre-headless` will also install openjdk-11-jre-headless. This is undesirable because openjdk-11 is end-of-life. + In an otherwise clean machine (e.g. docker run ubuntu:jammy), `apt + install openjdk-25-jre-headless` will also install openjdk-11-jre- + headless. This is undesirable because openjdk-11 is end-of-life. The openjdk-17-jre-headless and openjdk-21-jre-headless packages do not exhibit this problem. The issue seems to be the dependency chain in which openjdk-25-jre- headless has Depends: ca-certificates-java, ca-certificates-java has Depends: default-jre-headless | java8-runtime-headless, and default-jre- headless has Depends: openjdk-11-jre-headless openjdk-17 and openjdk-21 both have provides: java8-runtime-headless, and satisfy ca-certificates-java in that way. Provides: java-runtime-headless (= 21), [... many javaN-runtime-headless ...], java8-runtime-headless So they can satisfy the `| java8-runtime-headless` branch of ca- certificates-java, and apt ends up installing only the requested openjdk version.. But openjdk-25-jre-headless has only `Provides: java-runtime-headless (= 25)` and none of the other individual entries. These changes seem to be intentional on the debian side, see https://salsa.debian.org/openjdk- team/openjdk/-/commit/2fa0698ece274ae9e1539b5fa2289a59d332c6b3. And ca- certificates likewise dropped the depends entry in https://salsa.debian.org/java-team/ca-certificates- java/-/commit/ff1821043d4cd3fc8e4d5a49bed9304135a479e6 But the security backport of openjdk-25-jre-headless is not consistent with the version of ca-certificates-java in jammy - either it needs the Provides: java8-runtime-headless put back, or ca-certificates-java needs the corresponding update to adjust its Depends. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2141785 Title: openjdk-25-jre-headless in jammy depends on openjdk-11 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/2141785/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
