From: Vladimir Petko
Newsgroups: linux.debian.maint.java
Subject: Re: ca-certificate-java/openjdk installation issues
Date: Tue, 21 Feb 2023 23:40:01 +0100
List-Archive: https://lists.debian.org/msgid-search/CALFf3kerkvEc6WxN7zcEVo3CHeJKkfTHw3dWhtX6LP2t24NZsg@mail.gmail.com

Hi,

I would really love to prototype the approach, but might need a little advice here: in order to use openjdk-20 onwards we need to run the trigger after openjdk-20 jre is installed (all files are present on file system, all property files renamed from .dpkg_new).

The existing trigger "interest /usr/lib/jvm" causes the import to run before the package is configured and results in a failure to install [1].

I wonder if we can use some non-file trigger for that from the postinst script? But this will require updating all JDKs (?)

Alternative is to go with two packages: one for Java 11 and onwards that does not use Java-based import, and the other - classic ca-certificates-java with the trigger updated to watch Java 8?

Or am I getting too confused here?

[1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998697

On Wed, Feb 22, 2023 at 10:59 AM Thorsten Glaser wrote:
>
> On Wed, 22 Feb 2023, Vladimir Petko wrote:
>
> >in sync. A possible scenario is CA being revoked, which results in an
>
> That’s why I was suggesting to keep it down to manually vetted
> relevant ones.
>
> But if that’s unpalatable (do talk to the security people!),
> ship an empty JKS keystore by default. The JKS keystore will
> have no nōn-Java users, and soon as the JRE is there it’ll
> be regenerated.
>
> This all won’t make bookworm any more either, so no need to
> be hasty.
>
> bye,
> //mirabilos
> --
> Infrastructure expert • tarent solutions GmbH
> Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
> Telephone +49 228 54881-393 • Fax: +49 228 54881-235
> HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
> Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
>
> Don't miss anything with the tarent newsletter:
> https://www.tarent.de/newsletter
>
> /⁀\ The UTF-8 Ribbon
> ╲ ╱ Campaign against
>  ╳  HTML eMail! Also,
> ╱ ╲ header encryption!