
Re: ca-certificate-java/openjdk installation issues

From Thorsten Glaser <t.glaser@tarent.de>
Newsgroups linux.debian.maint.java
Subject Re: ca-certificate-java/openjdk installation issues
Date Tue, 21 Feb 2023 22:40:01 +0100
Message-ID <G1IwF-7y5I-11@gated-at.bofh.it> (permalink)


On Wed, 22 Feb 2023, Vladimir Petko wrote:

>Just a small clarification, openssl itself allows importing a single
>certificate and its chain and overwrites the store in the process, so
>we need something like p11-kit.
>Another grey area is ORACLE_TrustedKeyUsage attribute - at the moment

Ugh.

How about doing it the “low-tech” way:

– ship a minimal JKS keystore with bin:ca-certificates-java,
  generated at build time, that contains a manually vetted
  list of roots, perhaps just what’s relevant for Debian
– use a Recommends to get at a JRE
– with trigger, generate a full keystore, once a JRE is there

(The shipped one would need to be in /usr/share/!(doc) and
copied so overwriting it with the generated one works and
we’ll probably need to track hashes of shipped ones so we
can honour admin choices to override the keystore if needed.)

bye,
//mirabilos
-- 
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
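
The hash tracking suggested in the message above, sketched as an added example (not part of the original post and not code from ca-certificates-java): a generated keystore replaces the installed one only when that file is absent or still matches a recorded hash, so an admin's override is left alone. All paths and function names are hypothetical, and recording the hash of each generated keystore as well as the shipped one is an assumption of this sketch.

```shell
#!/bin/sh
# Added illustration; not code from ca-certificates-java.
# Every path and function name here is hypothetical.

# sha256_of FILE: print the hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# keystore_state INSTALLED KNOWN_HASHES
# Prints one of:
#   missing   - no installed keystore, safe to install
#   pristine  - installed file matches a recorded hash, safe to overwrite
#   modified  - admin changed or replaced it, leave it alone
keystore_state() {
    installed=$1 known=$2
    if [ ! -e "$installed" ]; then
        echo missing; return 0
    fi
    h=$(sha256_of "$installed") || return 1
    # -x: whole-line match, -F: fixed string, so only an exact hash counts
    if grep -qxF "$h" "$known" 2>/dev/null; then
        echo pristine
    else
        echo modified
    fi
}

# install_generated GENERATED INSTALLED KNOWN_HASHES
# Replace INSTALLED with GENERATED unless the admin overrode it.
# Returns 0 if replaced, 1 if the admin's file was kept, 2 on error.
install_generated() {
    generated=$1 installed=$2 known=$3
    state=$(keystore_state "$installed" "$known") || return 2
    case $state in
        missing|pristine)
            # Copy to a temporary name, then rename, so readers never
            # see a half-written keystore.
            tmp="$installed.new.$$"
            cp "$generated" "$tmp" && mv -f "$tmp" "$installed" || return 2
            # Assumption of this sketch: record the generated file's hash
            # so the next trigger run still sees it as package-managed.
            sha256_of "$installed" >>"$known"
            return 0 ;;
        *)
            return 1 ;;
    esac
}
```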

