
Bug#1056987: marked as done (bookworm-pu: package ca-certificates-java/20230710~deb12u1)



Your message dated Sat, 09 Dec 2023 10:20:37 +0000
with message-id <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056987,
regarding bookworm-pu: package ca-certificates-java/20230710~deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1056987: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056987
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
After openjdk was updated in bookworm, we can backport the proper fixes for
the dependency and trigger loops and defer java certificate population
to a trigger. That allows removing the HACK needed to allow
configuration with a not yet configured jre package.

[ Impact ]
Certain package combinations can result in dpkg failing with trigger
loops on installation or upgrade.

[ Tests ]
Local piuparts tests of all upgrade paths starting in buster or bullseye
and going to bookworm that involve ca-certificates-java as a dependency.

[ Risks ]
Most trigger infrastructure was already prepared in
ca-certificates-java, it just needed activation (after making the jre
packages ready). There haven't been any problems reported since that was
activated in sid, so it should be low-risk to do the same in bookworm.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Postpone java certificate setup to triggers from jre packages that get
activated only after a java binary is usable.
Stop searching for a java binary in a possibly not yet configured jre
package.
Break dependency cycle.

[ Other info ]
This is a rebuild of the package from sid with no further changes.


Andreas
diff --git a/debian/ca-certificates-java.postinst b/debian/ca-certificates-java.postinst
index 963e248..f53c4ee 100644
--- a/debian/ca-certificates-java.postinst
+++ b/debian/ca-certificates-java.postinst
@@ -18,37 +18,6 @@ LOCALCERTSDIR=/usr/local/share/ca-certificates
 ETCCERTSDIR=/etc/ssl/certs
 CACERTS=$ETCCERTSDIR/java/cacerts
 
-setup_path()
-{
-	for version in 8 9 10 11 12 13 14 15 16 17 18 19 20 21 ; do
-		for jvm in \
-			java-${version}-openjdk-${arch} \
-			java-${version}-openjdk \
-			oracle-java${version}-jre-${arch} \
-			oracle-java${version}-server-jre-${arch} \
-			oracle-java${version}-jdk-${arch}
-		do
-			if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
-				export JAVA_HOME=/usr/lib/jvm/$jvm
-				PATH=$JAVA_HOME/bin:$PATH
-				# copy java.security to allow import to function
-				security_conf=/etc/java-${version}-openjdk/security
-				if [ -f ${security_conf}/java.security.dpkg-new ] \
-					&& [ ! -f ${security_conf}/java.security ]; then
-						cp ${security_conf}/java.security.dpkg-new \
-							${security_conf}/java.security
-				fi
-				break 2
-			fi
-		done
-	done
-
-	if ! which java >/dev/null; then
-		echo "No JRE found. Skipping Java certificates setup."
-		exit 0
-	fi
-}
-
 check_proc()
 {
     if ! mountpoint -q /proc; then
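Review bot: the removed setup_path() did more than locate a binary: it exported JAVA_HOME and prepended $JAVA_HOME/bin to PATH. With it gone, every later java/keytool call in this script resolves through whatever PATH the trigger runs with, so please confirm nothing further down still reads JAVA_HOME, and add a comment that the JRE packages are now expected to provide java on PATH before they activate the trigger.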
@@ -97,7 +66,10 @@ update_cacerts()
 		exit 0
 	fi
 
-	setup_path
+	if ! which java >/dev/null; then
+		echo "No JRE found. Skipping Java certificates setup."
+		exit 0
+	fi
 
 	if [ -f /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks ]; then
 		convert_pkcs12_keystore_to_jks
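Review bot: the new check in update_cacerts() relies on which, which POSIX does not specify; command -v java >/dev/null 2>&1 performs the same test with a shell builtin. The "No JRE found" message followed by exit 0 also skips the keystore update quietly on every trigger run without a usable java, so consider sending it to stderr so it stands out in the dpkg output.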
@@ -110,7 +82,17 @@ update_cacerts()
 
 		if [ -f "$CACERTS" ]; then
 			check_proc
-			cacerts_aliases=$(keytool -cacerts -storepass "$storepass" -list -rfc | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ')
+
+			# Java 8 does not have -cacerts option
+			if java -version 2>&1 | grep "1.8" > /dev/null ;
+			then
+				castore="-keystore ${CACERTS}"
+			else
+				castore="-cacerts"
+			fi
+
+			cacerts_aliases=$(keytool ${castore} -storepass "$storepass" -list -rfc | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ')
+
 			etc_ssl_certs_aliases=$(for pem in $pem_files ; do echo -n "$(basename "$pem" | tr A-Z a-z) "; done)
 			for alias in $cacerts_aliases ; do
 				case " $etc_ssl_certs_aliases " in
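Review bot: the Java 8 test, grep "1.8" on the output of java -version, is an unanchored regular expression in which the dot matches any character, so any output containing 1, one character, then 8 selects the -keystore branch. Matching the version line itself, for example grep -q 'version "1\.8', is tighter and makes the redirect to /dev/null unnecessary. ${castore} is expanded unquoted on purpose so that -keystore and the path split into two arguments; a short comment saying so would stop someone quoting it later.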
@@ -184,5 +166,9 @@ if [ "$1" = "triggered" ]; then
 			;;
 	esac
 
+	if [ ! -f $CACERTS ]; then
+		touch /var/lib/ca-certificates-java/fresh
+	fi
+
 	update_cacerts
 fi
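Review bot: [ ! -f $CACERTS ] in the triggered branch leaves $CACERTS unquoted, while update_cacerts() tests the same variable as [ -f "$CACERTS" ]; quote it here as well. A one-line comment that a missing keystore forces the "fresh" path would also help, since the marker file name alone does not explain it.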
diff --git a/debian/ca-certificates-java.triggers b/debian/ca-certificates-java.triggers
index bde4336..e97bbf5 100644
--- a/debian/ca-certificates-java.triggers
+++ b/debian/ca-certificates-java.triggers
@@ -1,3 +1,2 @@
-interest update-ca-certificates-java
-interest update-ca-certificates-java-fresh
-interest /usr/lib/jvm
+interest-await update-ca-certificates-java
+interest-await update-ca-certificates-java-fresh
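Review bot: dropping interest /usr/lib/jvm means the keystore is rebuilt only when a package activates one of the two named triggers. The setup_path() removed from the postinst also looked for oracle-java* directories under /usr/lib/jvm, and the new Breaks in debian/control cover only openjdk-*-jre-headless, so a JVM installed by a package that does not activate the trigger will no longer populate cacerts. If that is intended, it should be stated in the changelog. deb-triggers(5) documents interest as awaiting by default, so the switch to interest-await makes the existing behaviour explicit rather than changing it.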
diff --git a/debian/changelog b/debian/changelog
index d6bb30f..80a833c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,38 @@
+ca-certificates-java (20230710~deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for bookworm.  (Closes: #1041419, #1037478, #929685)
+
+ -- Andreas Beckmann <anbe@debian.org>  Mon, 27 Nov 2023 14:32:55 +0100
+
+ca-certificates-java (20230710) unstable; urgency=medium
+
+  * Add apt-utils to the test dependencies.
+
+ -- Matthias Klose <doko@debian.org>  Mon, 10 Jul 2023 09:59:59 +0200
+
+ca-certificates-java (20230707) unstable; urgency=medium
+
+  [ Vladimir Petko ]
+  * Resolve circular JRE dependency:
+    - debian/ca-certificates-java.postinst: remove setup_path from "configure"
+      stage.
+    - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
+      not found. Certificates are refreshed only in response to the trigger
+      activated by OpenJDK packages.
+    - debian/ca-certificates-java.postinst: fix cacert enumeration command for
+      Java 8.
+    - debian/control: remove JRE dependency.
+    - debian/control: add Breaks condition.
+    - debian/tests: add smoke tests.
+    - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
+      explicitly declare triggers as -await.
+
+  [ Matthias Klose ]
+  * Adjust the breaks for Debian versions.
+
+ -- Matthias Klose <doko@debian.org>  Fri, 07 Jul 2023 11:13:17 +0200
+
 ca-certificates-java (20230620~deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload.
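Review bot: the 20230707 entry says "remove file trigger /usr/jvm", but the line removed from debian/ca-certificates-java.triggers is interest /usr/lib/jvm; the path in the changelog should match. The 20230710~deb12u1 entry closes three bugs with only "Rebuild for bookworm."; one line per bug saying what each was would let the stable changelog be read on its own.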
diff --git a/debian/control b/debian/control
index 88c04e9..6d93f7b 100644
--- a/debian/control
+++ b/debian/control
@@ -20,7 +20,13 @@ Multi-Arch: foreign
 Depends:
  ca-certificates (>= 20210120),
  ${misc:Depends},
- default-jre-headless (>= 2:1.8) | java8-runtime-headless,
+Breaks: openjdk-8-jre-headless  (<< 8u382~b04-2~),
+        openjdk-11-jre-headless (<< 11.0.19+7~1~),
+        openjdk-17-jre-headless (<< 17.0.8~6-3~),
+        openjdk-18-jre-headless (<< 18.0.2+9-2ubuntu1~),
+        openjdk-19-jre-headless (<< 19.0.2+7-0ubuntu4~),
+        openjdk-20-jre-headless (<< 20.0.1+9~1~),
+        openjdk-21-jre-headless (<< 21~9ea-1~)
 Description: Common CA certificates (JKS keystore)
  This package uses the hooks of the ca-certificates package to update the
  cacerts JKS keystore used for many java runtimes.
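Review bot: with default-jre-headless | java8-runtime-headless dropped from Depends, nothing pulls in a JRE any more, and the postinst exits 0 with "No JRE found" when java is missing, so the package can be installed and configured with no cacerts file until a JRE activates the trigger. The Description should mention that. The Breaks for openjdk-18 and openjdk-19 carry ubuntu version suffixes (18.0.2+9-2ubuntu1~, 19.0.2+7-0ubuntu4~); please check they are meaningful for bookworm or note why they are kept.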
diff --git a/debian/tests/can-convert-keystore b/debian/tests/can-convert-keystore
new file mode 100644
index 0000000..b5cdf80
--- /dev/null
+++ b/debian/tests/can-convert-keystore
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+# GIVEN a PKCS12 Java keystore
+ETCCERTSDIR=/etc/ssl/certs
+CACERTS=$ETCCERTSDIR/java/cacerts
+rm $CACERTS
+keytool -importcert -noprompt -alias Amazon -file /etc/ssl/certs/Amazon_Root_CA_1.pem -trustcacerts -storepass changeit -storetype PKCS12 -keystore test.store 2> /dev/null
+apt-get remove -y ca-certificates-java
+
+mkdir -p /etc/ssl/certs/java/
+mkdir -p /var/lib/ca-certificates-java/
+mv test.store $CACERTS
+# WHEN ca-certificates-java is requested to convert the keystore
+touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
+
+# THEN conversion is successful
+output=`mktemp`
+apt-get install -y openjdk-8-jre-headless | tee ${output}
+
+if [[ $(grep -L "Entry for alias amazon successfully imported." ${output}) ]];
+then
+    echo "Certificates were not imported !!!"
+    exit 255
+fi
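Review bot: apt-get install -y openjdk-8-jre-headless | tee ${output} runs under set -e but without set -o pipefail, so the pipeline's status is tee's and a failed install does not stop the test at that line. Add set -o pipefail at the top. rm $CACERTS aborts the test under set -e when the keystore is absent; rm -f "$CACERTS" is safer, and the mktemp file is never removed.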
diff --git a/debian/tests/can-install-jre b/debian/tests/can-install-jre
new file mode 100644
index 0000000..ce6879e
--- /dev/null
+++ b/debian/tests/can-install-jre
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+versions=$(apt-cache search jre-headless | awk '{print $1}')
+for version in ${versions}
+do
+# WHEN openjdk-jre-headless package is installed from scratch
+
+    # Java 18 is EOL 09.2022 but is present in Lunar so that we could do clean
+    # builds. Ignore it in certificate tests
+    if [[ ${version} == "openjdk-18-jre-headless" ]];
+    then
+        continue
+    fi
+    output=`mktemp`
+    echo "installing ${version}"
+    apt-get install -y ${version} | tee ${output}
+# THEN installation is successfull
+# AND certificates are updated
+    if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then
+        echo "Certificates were not imported !!!"
+        exit 255
+    fi
+    rm $output
+    # purge in order to remove keytstore
+    apt-get purge -y ca-certificates-java ${version}
+done
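Review bot: versions=$(apt-cache search jre-headless | awk '{print $1}') takes every package whose name or description matches, not only openjdk-N-jre-headless; anything else in the result is installed and then expected to print the Adding debian:Amazon_Root_CA_1.pem line. Filter the list, for example with grep -E '^openjdk-[0-9]+-jre-headless$'. On the failure path the script exits 255 before rm $output, leaving the temp file behind; a trap would cover both exits.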
diff --git a/debian/tests/can-install-libreoffice b/debian/tests/can-install-libreoffice
new file mode 100644
index 0000000..2177e15
--- /dev/null
+++ b/debian/tests/can-install-libreoffice
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+apt-get install -y libreoffice
diff --git a/debian/tests/can-install-multiple-jdks b/debian/tests/can-install-multiple-jdks
new file mode 100644
index 0000000..977b40b
--- /dev/null
+++ b/debian/tests/can-install-multiple-jdks
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+output=`mktemp`
+# WHEN multiple JDKs are installed
+apt-get install -y openjdk-11-jdk openjdk-17-jdk openjdk-8-jdk | tee ${output}
+
+# THEN installation is successful
+if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then
+    echo "Certificates were not imported !!!"
+    exit 255
+fi
+rm $output
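Review bot: the pass condition is a single "Adding debian:Amazon_Root_CA_1.pem" line in the combined apt output, which ties the test to one root certificate staying in ca-certificates and does not show that the finished keystore is readable by each of the three JDKs. Listing the keystore with keytool after the install and checking for at least one debian: alias would be less brittle.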
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..1a51f2e
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,9 @@
+Tests: can-convert-keystore
+Depends: apt-utils, bash, default-jre-headless
+Restrictions: needs-root
+
+Tests: can-install-jre, can-install-multiple-jdks, can-install-libreoffice
+# No depends, this is a test for a clean install
+Depends: apt-utils, bash
+Restrictions: needs-root
+
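Review bot: these tests remove and purge packages, and can-convert-keystore deletes /etc/ssl/certs/java/cacerts, but both stanzas declare only Restrictions: needs-root; add breaks-testbed so autopkgtest does not reuse the testbed. can-convert-keystore depends on default-jre-headless yet installs openjdk-8-jre-headless itself, which deserves a comment.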

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam

--- End Message ---
