Bug#1040925: bookworm-pu: package ca-certificates-java/20230103+x

Andreas Beckmann anbe at debian.org
Fri Aug 18 20:52:36 BST 2023


On 18/08/2023 20.49, Paul Gevers wrote:
> Hi Jonathan,
> 
> On 18-08-2023 18:48, Jonathan Wiltshire wrote:
>> I'm therefore inclined to make a stable update sooner than the point
>> release. How does this text sound?
>>
>> | ca-certificates-java, a package to update the cacerts JKS keystore used
>> | for many java runtimes, may fail to install alongside OpenJDK because
>> | of a circular dependency. This is a regression in Debian 11 and 12.
> 
> The regression is that the problem seems to occur more frequently. I'm 
> not convinced it's an actual regression as the circular dependency 
> problem is known from *before* the bullseye release.

The actual regression is in openjdk-XX which removed some undocumented 
undefined behavior. This was not necessarily on purpose.
ca-certificates-java relied on the fact that an unconfigured 
openjdk-jre-XX-headless could be used for its configuration, which is no 
longer the case. ca-certificates-java now has to pre-configure java to a 
usable state if ca-certificates-java gets configured before 
openjdk-XX-jre-headless was ever configured. That may happen due to the 
circular dependency.

The current fix may actually cause dpkg trigger cycles (due to the 
circular dependency), but that's a rare event. IIRC in my piuparts tests 
of this fix I encountered one new trigger cycle, while fixing about 
50-250 installation failures due to the ca-certificates-java failure.
(exact numbers are hard to estimate since that failure may not propagate 
transitively: if installing foo which depends on ca-certificates-java 
fails, installing bar which depends on foo (and therefore 
ca-certificates-java, too) may succeed if apt swaps the configuration 
order of ca-certificates-java and openjdk-XX-jre-headless.)

In the long run I'd like to bring the changes to bookworm that break the 
dependency cycle and postpone the ca-certificates-java setup to a 
trigger that runs after openjdk-xx-jre-headless got configured.
(That won't work for bullseye, since there is too much infrastructure 
missing in the ca-certificates stack, but in bookworm everything should 
be prepared, it was just not enabled.)

Backporting ca-certificates-java from sid to bookworm needs careful 
auditing of the versions in package relationships and my last attempt on 
that failed since stable-pu didn't have a sufficiently new openjdk yet.


Andreas