Re: ca-certificate-java/openjdk installation issues

To: Thorsten Glaser <t.glaser@tarent.de>
Cc: debian-java@lists.debian.org
Subject: Re: ca-certificate-java/openjdk installation issues
From: Vladimir Petko <vladimir.petko@canonical.com>
Date: Wed, 22 Feb 2023 11:30:19 +1300
Message-id: <[🔎] CALFf3kerkvEc6WxN7zcEVo3CHeJKkfTHw3dWhtX6LP2t24NZsg@mail.gmail.com>
In-reply-to: <[🔎] ba7f6b37-973a-7c11-3fc5-e83b97f57833@tarent.de>
References: <[🔎] CALFf3kckwyx6X93=1JNjcnBdyctJe9AtfXYQsOoJf5qeUUjNEw@mail.gmail.com> <[🔎] c2ec8737fb5a03f1039a2e90ab925594@apache.org> <[🔎] CALFf3kdPbsbF-TJkPTF6VaQXphy-xCKiJ9WRLFk6KRD-OsufWg@mail.gmail.com> <[🔎] 665f66a6-347d-18ce-457a-548d7fcd2c@tarent.de> <[🔎] CALFf3kfRb7fi=wZUZtQdAq35YRudj0x=hHZ-ZyA8qTrX0MoxdA@mail.gmail.com> <[🔎] ba7f6b37-973a-7c11-3fc5-e83b97f57833@tarent.de>

Hi,

I would really love to prototype the approach, but might need a little
advice here: in order to use openjdk-20 onwards we need to run the
trigger after openjdk-20 jre is installed (all files are present on
file system, all property files renamed from .dpkg_new).
The existing trigger "interest /usr/lib/jvm" causes the import to run
before the package is configured and results in a failure to install
[1]. I wonder if we can use some non-file trigger for that from the
postinst script? But this will require updating all JDKs (?)
Alternative is to go with two packages: one for Java 11 and onwards
that does not use Java-based import, and the other - classic
ca-certificates-java with the trigger updated to watch Java 8?
Or am I getting too confused here?

[1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998697

On Wed, Feb 22, 2023 at 10:59 AM Thorsten Glaser <t.glaser@tarent.de> wrote:
>
> On Wed, 22 Feb 2023, Vladimir Petko wrote:
>
> >in sync. A possible scenario is CA being revoked, which results in an
>
> That’s why I was suggesting to keep it down to manually vetted
> relevant ones.
>
> But if that’s unpalatable (do talk to the security people!),
> ship an empty JKS keystore by default. The JKS keystore will
> have no nōn-Java users, and soon as the JRE is there it’ll
> be regenerated.
>
> This all won’t make bookworm any more either, so no need to
> be hasty.
>
> bye,
> //mirabilos
> --
> Infrastrukturexperte • tarent solutions GmbH
> Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
> Telephon +49 228 54881-393 • Fax: +49 228 54881-235
> HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
> Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
>
>                         ****************************************************
> /⁀\ The UTF-8 Ribbon
> ╲ ╱ Campaign against      Mit dem tarent-Newsletter nichts mehr verpassen:
>  ╳  HTML eMail! Also,     https://www.tarent.de/newsletter
> ╱ ╲ header encryption!
>                         ****************************************************

Reply to:

Follow-Ups:
- Re: ca-certificate-java/openjdk installation issues
  - From: Thorsten Glaser <t.glaser@tarent.de>
- Re: ca-certificate-java/openjdk installation issues
  - From: Thorsten Glaser <t.glaser@tarent.de>

References:
- ca-certificate-java/openjdk installation issues
  - From: Vladimir Petko <vladimir.petko@canonical.com>
- Re: ca-certificate-java/openjdk installation issues
  - From: Emmanuel Bourg <ebourg@apache.org>
- Re: ca-certificate-java/openjdk installation issues
  - From: Vladimir Petko <vladimir.petko@canonical.com>
- Re: ca-certificate-java/openjdk installation issues
  - From: Thorsten Glaser <t.glaser@tarent.de>
- Re: ca-certificate-java/openjdk installation issues
  - From: Vladimir Petko <vladimir.petko@canonical.com>
- Re: ca-certificate-java/openjdk installation issues
  - From: Thorsten Glaser <t.glaser@tarent.de>

Prev by Date: Re: ca-certificate-java/openjdk installation issues
Next by Date: Re: ca-certificate-java/openjdk installation issues
Previous by thread: Re: ca-certificate-java/openjdk installation issues
Next by thread: Re: ca-certificate-java/openjdk installation issues
Index(es):
- Date
- Thread