From: Thorsten Glaser
Newsgroups: linux.debian.maint.java
Subject: Re: ca-certificate-java/openjdk installation issues
Date: Tue, 21 Feb 2023 22:40:01 +0100
Organization: linux.* mail to news gateway
List-Archive: https://lists.debian.org/msgid-search/665f66a6-347d-18ce-457a-548d7fcd2c@tarent.de

On Wed, 22 Feb 2023, Vladimir Petko wrote:

>Just a small clarification, openssl itself allows importing a single
>certificate and its chain and overwrites the store in the process, so
>we need something like p11-kit.
>Another grey area is ORACLE_TrustedKeyUsage attribute - at the moment

Ugh. How about doing it the “low-tech” way:

– ship a minimal JKS keystore with bin:ca-certificates-java, generated
  at build time, that contains a manually vetted list of roots, perhaps
  just what’s relevant for Debian
– use a Recommends to get at a JRE
– with trigger, generate a full keystore, once a JRE is there

(The shipped one would need to be in /usr/share/!(doc) and copied so
overwriting it with the generated one works, and we’ll probably need to
track hashes of shipped ones so we can honour admin choices to override
the keystore if needed.)

bye,
//mirabilos
-- 
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
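The hash-tracking idea from the proposal above, written out as an added sketch of the trigger-side decision (not code from the thread or from the ca-certificates-java package); the keystore path, the list of known hashes and the use of sha256sum are assumptions:

```shell
#!/bin/sh
# Added example: decide at trigger time whether the installed keystore is
# still package-managed (safe to overwrite) or was replaced by the admin.
set -eu

# Print the SHA-256 of a file and nothing else.
keystore_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# $1: installed keystore (assumed path, e.g. /etc/ssl/certs/java/cacerts)
# $2: file with one SHA-256 per line for every keystore the package ever
#     shipped or generated, so files from older versions are recognised too
# Prints "regenerate" when the file is missing or still one of ours,
# "keep" when the admin put something there that we never produced.
keystore_action() {
    installed=$1
    known=$2
    if [ ! -f "$installed" ]; then
        echo regenerate
        return 0
    fi
    h=$(keystore_hash "$installed")
    if grep -qx "$h" "$known"; then
        echo regenerate
    else
        echo keep
    fi
}

# After a successful regeneration, record the new hash so the next trigger
# run still treats the file as package-managed.
record_keystore_hash() {
    keystore_hash "$1" >> "$2"
}

# Constructed demonstration in a temporary directory; no JRE is involved,
# the keystore contents are stand-ins for the shipped and admin files.
demo() {
    tmp=$(mktemp -d)
    printf 'shipped-minimal-jks' > "$tmp/cacerts"
    keystore_hash "$tmp/cacerts" > "$tmp/known"
    a1=$(keystore_action "$tmp/cacerts" "$tmp/known")   # regenerate
    printf 'admin-supplied-keystore' > "$tmp/cacerts"
    a2=$(keystore_action "$tmp/cacerts" "$tmp/known")   # keep
    rm -rf "$tmp"
    echo "$a1 $a2"
}
```

The actual keytool run that builds the full keystore would go in the "regenerate" branch of the maintainer script and is left out here.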