Bug#1040925: bookworm-pu: package ca-certificates-java/20230103+x

To: Paul Gevers <elbrus@debian.org>, Jonathan Wiltshire <jmw@debian.org>, 1040925@bugs.debian.org
Cc: pkg-java-maintainers@lists.alioth.debian.org, security@debian.org
Subject: Bug#1040925: bookworm-pu: package ca-certificates-java/20230103+x
From: Andreas Beckmann <anbe@debian.org>
Date: Fri, 18 Aug 2023 21:52:36 +0200
Message-id: <[🔎] 75d4fc30-4f41-ebed-8952-61c9cf2eb9a7@debian.org>
Reply-to: Andreas Beckmann <anbe@debian.org>, 1040925@bugs.debian.org
In-reply-to: <[🔎] ecd14ff2-c9a7-4e76-bc14-2b6e2099d057@debian.org>
References: <168916591280.2009803.13837042242706242269.reportbug@zam504.zam.kfa-juelich.de> <168916591280.2009803.13837042242706242269.reportbug@zam504.zam.kfa-juelich.de> <[🔎] ZN+g1wJGOz51mvr4@powdarrmonkey.net> <[🔎] ecd14ff2-c9a7-4e76-bc14-2b6e2099d057@debian.org> <168916591280.2009803.13837042242706242269.reportbug@zam504.zam.kfa-juelich.de>

On 18/08/2023 20.49, Paul Gevers wrote:

Hi Jonathan,

On 18-08-2023 18:48, Jonathan Wiltshire wrote:
I'm therefore inclined to make a stable update sooner than the point
release. How does this text sound?

| ca-certificates-java, a package to update the cacerts JKS keystore used
| for many java runtimes, may fail to install alongside OpenJDK because
| of a circular dependency. This is a regression in Debian 11 and 12.
The regression is that the problem seems to occur more frequently. I'mnot convinced it's an actual regression as the circular dependencyproblem is known from *before* the bullseye release.

The actual regression is in openjdk-XX which removed some undocumentedundefined behavior. This was not neccessarily on purpose.ca-certificates-java relied on the fact that an unconfiguredopenjdk-jre-XX-headless could be used for its configuration, which is nolonger the case. ca-certificates-java now has to pre-configure java to ausable state if ca-certificates-java gets configured beforeopenjdk-XX-jre-headless was ever configured. That may happen due to thecircular dependency.

The current fix may actually cause dpkg trigger cycles (due to thecircular dependency), but that's a rare event. IIRC in my piuparts testsof this fix I encountered one new trigger cycle, while fixing about50-250 installation failures due to the ca-certificates-java failure.(exact numbers are hard to estimate since that failure may not propagatetransitively: if installing foo which depends on ca-certifictes-javafails, installing bar which depends on foo (and thereforeca-certificates-java, too) may succeed if apt swaps the configurationorder of ca-certificates-java and openjdk-XX-jre-headless.

In the long run I'd like to bring the changes to bookworm that break thedependency cycle and postpone the ca-certificates-java setup to atrigger that runs after openjdk-xx-jre-headless got configured.(That won't work for bullseye, since there is too much infrastructuremissing in the ca-certificates stack, but in bookworm everything shouldbe prepared, it was just not enabled.)

backporting ca-certificates-java from sid to bookworm needs carefulauditing of the versions in package relationships and my last attempt onthat failed since stable-pu didn't have a sufficiently new openjdk, yet.



Andreas

Reply to:

Follow-Ups:
- Bug#1040925: bookworm-pu: package ca-certificates-java/20230103+x
  - From: Jonathan Wiltshire <jmw@debian.org>

References:
- Bug#1040925: bookworm-pu: package ca-certificates-java/20230103+x
  - From: Jonathan Wiltshire <jmw@debian.org>
- Bug#1040925: bookworm-pu: package ca-certificates-java/20230103+x
  - From: Paul Gevers <elbrus@debian.org>

Prev by Date: Bug#1049379: bookworm-pu: package freedombox/23.6.2+deb12u1
Next by Date: Bug#1050044: bullseye-pu: package rar/2:5.5.0-1
Previous by thread: Bug#1040925: bookworm-pu: package ca-certificates-java/20230103+x
Next by thread: Bug#1040925: bookworm-pu: package ca-certificates-java/20230103+x
Index(es):
- Date
- Thread