Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.java > #10081

Re: ca-certificates-java changes

From Emmanuel Bourg <ebourg@apache.org>
Newsgroups linux.debian.maint.java
Subject Re: ca-certificates-java changes
Date 2017-10-13 01:00 +0200
Message-ID <uzUj3-3ov-73@gated-at.bofh.it> (permalink)
References <uvqMx-5eq-9@gated-at.bofh.it> <uvqMx-5eq-7@gated-at.bofh.it> <uvryV-5MV-7@gated-at.bofh.it>
Organization linux.* mail to news gateway

Show all headers | View raw

Le 30/09/2017 à 17:09, Thorsten Glaser a écrit :

> IMHO consistency within Debian is *much* more important.
> 
> I would be seriously fucked off if I could connect to a host
> using something like wget but not a Java™ application, after
> installing the custom CA into /etc/ssl/certs or similar, or
> even with the defaults.

Similarly I would be seriously fucked off if the application I developed
on another OS would behave differently once deployed on my Debian server
with the same version of Java ;)

Both use cases are valid I think, maybe we could have it both ways with
something like this:
1. Let the openjdk package build and install its own cacerts file.
2. ca-certificates-java still generates a keystore from the Debian
certificates but with a different name (cacerts-debian for example).
3. Patch openjdk to use cacerts-debian in priority if it exists, and
default to cacerts otherwise.
4. Downgrade ca-certificates-java to a suggested or recommended
dependency of openjdk-*-jre-headless

This way ca-certificates-java becomes optional, and installing it forces
the JRE to use the Debian certificates. This would also get rid of the
circular dependency.

Emmanuel Bourg

Back to linux.debian.maint.java | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Re: ca-certificates-java_20170930_source.changes ACCEPTED into  unstable Emmanuel Bourg <ebourg@apache.org> - 2017-09-30 16:20 +0200
  Re: ca-certificates-java_20170930_source.changes ACCEPTED into  unstable Thorsten Glaser <t.glaser@tarent.de> - 2017-09-30 17:10 +0200
    RE: ca-certificates-java changes "Ingo Bauersachs" <ingo@jitsi.org> - 2017-10-13 00:40 +0200
    Re: ca-certificates-java changes Emmanuel Bourg <ebourg@apache.org> - 2017-10-13 00:40 +0200
    Re: ca-certificates-java changes Emmanuel Bourg <ebourg@apache.org> - 2017-10-13 01:00 +0200
      Re: ca-certificates-java changes Thorsten Glaser <t.glaser@tarent.de> - 2017-10-13 01:20 +0200
  Re: ca-certificates-java_20170930_source.changes ACCEPTED into  unstable Matthias Klose <doko@debian.org> - 2017-09-30 20:30 +0200
  Re: ca-certificates-java_20170930_source.changes ACCEPTED into unstable Tiago Daitx <tiago.daitx@canonical.com> - 2017-10-02 23:20 +0200
    Re: ca-certificates-java_20170930_source.changes ACCEPTED into  unstable Emmanuel Bourg <ebourg@apache.org> - 2017-10-13 00:20 +0200

csiph-web