| From | "Ingo Bauersachs" <ingo@jitsi.org> |
|---|---|
| Newsgroups | linux.debian.maint.java |
| Subject | RE: ca-certificates-java changes |
| Date | 2017-10-13 00:40 +0200 |
| Message-ID | <uzUj2-3ov-71@gated-at.bofh.it> (permalink) |
| References | <uvqMx-5eq-9@gated-at.bofh.it> <uvqMx-5eq-7@gated-at.bofh.it> <uvryV-5MV-7@gated-at.bofh.it> <uzUj3-3ov-73@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
> On 30/09/2017 at 17:09, Thorsten Glaser wrote:
>
>> IMHO consistency within Debian is *much* more important.
>>
>> I would be seriously fucked off if I could connect to a host
>> using something like wget but not a Java™ application, after
>> installing the custom CA into /etc/ssl/certs or similar, or
>> even with the defaults.
>
> Similarly I would be seriously fucked off if the application I developed
> on another OS would behave differently once deployed on my Debian server
> with the same version of Java ;)

I wholeheartedly disagree with that statement if the only reason the application behaves differently is the system's root CAs. This is one of the areas where I consider Java to be seriously broken. There is absolutely no reason for a programming framework to decide which CAs it trusts or not; the operating system has means to provide the trusted CAs (files on Debian, APIs on Windows/Mac). The operating system or supporting tools also have the means to manage the trusted CAs for the entire system (e.g. with Puppet and friends, Group Policies, MDM profiles).

> Both use cases are valid I think, maybe we could have it both ways with
> something like this:
> 1. Let the openjdk package build and install its own cacerts file.
> 2. ca-certificates-java still generates a keystore from the Debian
>    certificates but with a different name (cacerts-debian for example).
> 3. Patch openjdk to use cacerts-debian in priority if it exists, and
>    default to cacerts otherwise.
> 4. Downgrade ca-certificates-java to a suggested or recommended
>    dependency of openjdk-*-jre-headless

Such a change would most likely break many existing setups. I also could not find a definitive list of OpenJDK-supported CAs, and from what I can tell Oracle's JRE/JDK still trusts the Symantec and WoSign/StartCom certificates.

> This way ca-certificates-java becomes optional, and installing it forces
> the JRE to use the Debian certificates. This would also get rid of the
> circular dependency.
>
> Emmanuel Bourg

Ingo
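As an added illustration of the point argued above (this is example code written for this page, not code from the thread, from OpenJDK or from the ca-certificates-java package): a Java program that builds its trust anchors from the operating system's CA bundle instead of the JVM's bundled `cacerts`, and that reports how the two sets differ. The bundle path `/etc/ssl/certs/ca-certificates.crt` is the file `update-ca-certificates` writes on Debian and is an assumption of the example; adjust it for other systems.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example: trust exactly the CAs the operating system trusts, and show
 * how far the JVM's default trust store diverges from them. The bundle path is
 * Debian's update-ca-certificates output (an assumption for this example).
 */
public class SystemTrustStore {

    static final Path SYSTEM_BUNDLE = Paths.get("/etc/ssl/certs/ca-certificates.crt");

    /** Parse every PEM certificate in the bundle into an in-memory, trust-only KeyStore. */
    static KeyStore loadPemBundle(Path bundle) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty store, no password
        try (InputStream in = Files.newInputStream(bundle)) {
            int n = 0;
            // generateCertificates reads all concatenated PEM blocks in one call.
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("system-" + (n++), c);
            }
        }
        return ks;
    }

    /** Trust manager for a store; a null store selects the JVM default (cacerts or javax.net.ssl.trustStore). */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** SHA-256 fingerprint plus subject of every accepted issuer, sorted so the sets can be diffed. */
    static TreeSet<String> fingerprints(X509TrustManager tm) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        TreeSet<String> out = new TreeSet<>();
        for (X509Certificate c : tm.getAcceptedIssuers()) {
            out.add(hex(sha256.digest(c.getEncoded())) + "  " + c.getSubjectX500Principal().getName());
        }
        return out;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (!Files.isReadable(SYSTEM_BUNDLE)) {
            System.err.println("system CA bundle not readable: " + SYSTEM_BUNDLE);
            System.exit(1);
        }
        KeyStore system = loadPemBundle(SYSTEM_BUNDLE);
        TreeSet<String> fromSystem = fingerprints(trustManagerFor(system));
        TreeSet<String> fromJvm = fingerprints(trustManagerFor(null));

        TreeSet<String> onlyJvm = new TreeSet<>(fromJvm);
        onlyJvm.removeAll(fromSystem);
        TreeSet<String> onlySystem = new TreeSet<>(fromSystem);
        onlySystem.removeAll(fromJvm);

        System.out.println("OS bundle: " + fromSystem.size() + " CAs, JVM default: " + fromJvm.size() + " CAs");
        System.out.println("trusted by the JVM but not by the OS (" + onlyJvm.size() + "):");
        onlyJvm.forEach(s -> System.out.println("  " + s));
        System.out.println("trusted by the OS but not by the JVM (" + onlySystem.size() + "):");
        onlySystem.forEach(s -> System.out.println("  " + s));

        // From here on, every HttpsURLConnection in this process validates against the OS anchors only.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(system);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLContext.setDefault(ctx);
    }
}
```

Compile and run with `javac SystemTrustStore.java && java SystemTrustStore` on a host that has `ca-certificates` installed. The two "trusted by ... but not by ..." lists are exactly the discrepancy the thread is about: any entry in the first list is a CA that `wget` would reject but a Java application on the same machine would accept, and vice versa for the second. The no-code alternative is to point the JVM at a keystore built from the OS bundle with `-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts` (the JKS that ca-certificates-java generates on Debian); the program above does the same thing without a separate keystore file to keep in sync.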
Re: ca-certificates-java_20170930_source.changes ACCEPTED into unstable Emmanuel Bourg <ebourg@apache.org> - 2017-09-30 16:20 +0200
Re: ca-certificates-java_20170930_source.changes ACCEPTED into unstable Thorsten Glaser <t.glaser@tarent.de> - 2017-09-30 17:10 +0200
RE: ca-certificates-java changes "Ingo Bauersachs" <ingo@jitsi.org> - 2017-10-13 00:40 +0200
Re: ca-certificates-java changes Emmanuel Bourg <ebourg@apache.org> - 2017-10-13 00:40 +0200
Re: ca-certificates-java changes Emmanuel Bourg <ebourg@apache.org> - 2017-10-13 01:00 +0200
Re: ca-certificates-java changes Thorsten Glaser <t.glaser@tarent.de> - 2017-10-13 01:20 +0200
Re: ca-certificates-java_20170930_source.changes ACCEPTED into unstable Matthias Klose <doko@debian.org> - 2017-09-30 20:30 +0200
Re: ca-certificates-java_20170930_source.changes ACCEPTED into unstable Tiago Daitx <tiago.daitx@canonical.com> - 2017-10-02 23:20 +0200
Re: ca-certificates-java_20170930_source.changes ACCEPTED into unstable Emmanuel Bourg <ebourg@apache.org> - 2017-10-13 00:20 +0200