• Re: ca-certificates and backport to bullseye => ca-certificates-java pr

    From Julien Plissonneau Duquène@21:1/5 to All on Thu Jul 31 15:20:02 2025
    Hi,

    I can't help you much there as I didn't check what could break in your
    case (bullseye). The last time this was discussed on the list was

    https://lists.debian.org/debian-java/2023/02/msg00011.html

    According to the PT in bullseye it depends on default-jre-headless which depends on openjdk-11-jre-headless which depends on
    ca-certificates-java, but I don't see how updating it could cause
    issues.

    Maybe Emmanuel or doko could share more details about what could go
    wrong?

    Cheers,

    --
    Julien Plissonneau Duquène

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Vladimir Petko@21:1/5 to sre4ever@free.fr on Thu Jul 31 22:40:01 2025
    Hi,

    As far as I remember, 20230707 removes the circular dependency that
    caused upgrade issues[1][2][3]. It also requires openjdk to trigger ca-certificates-java:
    ----JB-jre-headless.postinst.in----
    # Now that java is fully registered and configured,
    # call update-ca-certificates-java
    dpkg-trigger update-ca-certificates-java
    ------
    Please check that this snippet is present in bullseye's JB-jre-headless.postinst.in of openjdk package.

    Best Regards,
    Vladimir.

    [1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/2003750
    [2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1999103
    [3] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/2004061

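The check requested in the message above, applied to installed packages rather than to the source template. This is an added example, not part of the thread or of any Debian package. It assumes installed maintainer scripts live in `/var/lib/dpkg/info`; the function names and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit JRE postinst scripts for the ca-certificates-java trigger.

# has_trigger FILE: succeed only if FILE has a live (non-commented) line that
# starts with "dpkg-trigger [options] update-ca-certificates-java".
has_trigger() {
    grep -Eq '^[[:space:]]*dpkg-trigger[[:space:]]+(--[a-z-]+(=[^[:space:]]+)?[[:space:]]+)*update-ca-certificates-java([[:space:];]|$)' "$1"
}

# audit_postinsts [DIR]: print "ok"/"MISSING" for each *-jre-headless postinst
# in DIR. Returns 0 if all fire the trigger, 1 if any does not, 2 if none found.
audit_postinsts() {
    dir=${1:-/var/lib/dpkg/info}
    found=0 missing=0
    for f in "$dir"/*-jre-headless*.postinst; do
        [ -f "$f" ] || continue          # glob matched nothing
        found=$((found + 1))
        if has_trigger "$f"; then
            echo "ok       ${f##*/}"
        else
            echo "MISSING  ${f##*/}"
            missing=$((missing + 1))
        fi
    done
    [ "$found" -gt 0 ] || return 2
    [ "$missing" -eq 0 ]
}

# Constructed sample: one script with the trigger, one with it only commented out.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' '# call update-ca-certificates-java' \
        'dpkg-trigger update-ca-certificates-java' \
        > "$d/openjdk-17-jre-headless:amd64.postinst"
    printf '%s\n' '#!/bin/sh' '# dpkg-trigger update-ca-certificates-java' \
        > "$d/example-8-jre-headless.postinst"
    echo "$d"
}

sample=$(make_sample)
audit_postinsts "$sample" || echo "at least one JRE package does not fire the trigger"
rm -rf "$sample"
```

Run `audit_postinsts` with no argument on a real system to check the installed scripts; a trigger call that shares a line with another command is not detected.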
  • From Bastien Roucaries@21:1/5 to All on Thu Jul 31 22:43:07 2025
    On Thursday, 31 July 2025, 22:30:11 Central European Summer Time, Vladimir Petko wrote:
    > Hi,
    >
    > As far as I remember, 20230707 removes the circular dependency that
    > caused upgrade issues[1][2][3]. It also requires openjdk to trigger ca-certificates-java:
    > ----JB-jre-headless.postinst.in----
    > # Now that java is fully registered and configured,
    > # call update-ca-certificates-java
    > dpkg-trigger update-ca-certificates-java
    > ------
    > Please check that this snippet is present in bullseye's JB-jre-headless.postinst.in of openjdk package.

    No it is not, so that is the path to fix this?

    1. first upload an openjdk that triggers update-ca-certificates-java
    2. upload a backport of ca-certificates-java
    3. upload ca-certificates

    rouca

  • From Bastien Roucaries@21:1/5 to All on Fri Aug 1 00:35:01 2025
    On Thursday, 31 July 2025, 23:39:22 Central European Summer Time, Utkarsh Gupta wrote:
    > Hi Bastien,
    >
    > On Fri, Aug 1, 2025 at 2:13 AM Bastien Roucaries <rouca@debian.org> wrote:
    > > 1. first upload an openjdk that triggers update-ca-certificates-java
    > > 2. upload a backport of ca-certificates-java
    > > 3. upload ca-certificates
    >
    > Correct - that's the right sequence. Following up with Vladimir also
    > tells me that
    > - The first step will get you openjdk reconfiguring ca-certificates-java twice.
    > - Then you immediately upload a backport that breaks circular dependency.
    > - And then you can refresh ca-certificates.
    >
    > Note that this needs to happen for all the openjdk in bullseye - which
    > means openjdk-11, openjdk-17, *and* nvidia-openjdk-8-jre.

    * 11 is ok : https://salsa.debian.org/openjdk-team/openjdk/-/blob/openjdk-11/debian/JB-jre-headless.postinst.in#L129
    * 17 is ok : https://salsa.debian.org/openjdk-team/openjdk/-/blob/openjdk-17/debian/JB-jre-headless.postinst.in#L97
    * nvidia-openjdk-8-jre is not ok and it does not use ca-certificates-java

    Vladimir Petko, can you see if I should open an RC bug against nvidia-openjdk-8-jre?

    > Let me know if you need anything else. Also, please go ahead with or
    > without adding them to dla-needed, whatever you find convenient.
    >
    > - u


  • From Bastien Roucaries@21:1/5 to All on Fri Aug 1 19:08:04 2025
    On Thursday, 31 July 2025, 22:30:11 Central European Summer Time, Vladimir Petko wrote:
    Hi,

    > Hi,
    >
    > As far as I remember, 20230707 removes the circular dependency that
    > caused upgrade issues[1][2][3]. It also requires openjdk to trigger ca-certificates-java:
    > ----JB-jre-headless.postinst.in----
    > # Now that java is fully registered and configured,
    > # call update-ca-certificates-java
    > dpkg-trigger update-ca-certificates-java
    > ------
    > Please check that this snippet is present in bullseye's JB-jre-headless.postinst.in of openjdk package.

    Can someone enable salsa-ci on ca-certificates-java? It will help.

    Bastien

  • From Bastien Roucaries@21:1/5 to All on Fri Aug 1 21:24:36 2025
    On Thursday, 31 July 2025, 22:43:35 Central European Summer Time, Bastien Roucaries wrote:
    Hi

    I have just pushed a version here: https://salsa.debian.org/java-team/ca-certificates-java/-/tree/bullseye?ref_type=heads

    Can you review?

    rouca
