Hi, I would really love to prototype the approach, but might need a little advice here: in order to use openjdk-20 onwards we need to run the trigger after openjdk-20 jre is installed (all files are present on file system, all property files renamed from .dpkg_new). The existing trigger "interest /usr/lib/jvm" causes the import to run before the package is configured and results in a failure to install [1]. I wonder if we can use some non-file trigger for that from the postinst script? But this will require updating all JDKs (?) Alternative is to go with two packages: one for Java 11 and onwards that does not use Java-based import, and the other - classic ca-certificates-java with the trigger updated to watch Java 8? Or am I getting too confused here?
[1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998697

On Wed, Feb 22, 2023 at 10:59 AM Thorsten Glaser <t.gla...@tarent.de> wrote:
>
> On Wed, 22 Feb 2023, Vladimir Petko wrote:
>
> >in sync. A possible scenario is CA being revoked, which results in an
>
> That’s why I was suggesting to keep it down to manually vetted
> relevant ones.
>
> But if that’s unpalatable (do talk to the security people!),
> ship an empty JKS keystore by default. The JKS keystore will
> have no nōn-Java users, and soon as the JRE is there it’ll
> be regenerated.
>
> This all won’t make bookworm any more either, so no need to
> be hasty.
>
> bye,
> //mirabilos
> --
> Infrastrukturexperte • tarent solutions GmbH
> Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
> Telephon +49 228 54881-393 • Fax: +49 228 54881-235
> HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
> Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
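The "non-file trigger activated from the postinst" idea raised above, sketched as an added example that is not code from this thread, from the ca-certificates-java package or from any OpenJDK package. It shows the three pieces an explicit (named) dpkg trigger needs: the `interest` line in the interested package's `debian/triggers`, the `dpkg-trigger` call in each JRE's postinst at `configure` time (after dpkg has unpacked the files and processed conffiles, so the import only ever sees a complete JRE), and a postinst dispatcher that handles both `configure` and `triggered`. The trigger name `update-ca-certificates-java` and the package names are hypothetical choices; the dispatcher returns only the decision so it can be checked without a real dpkg run.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ca-certificates-java
# package: an explicit (named) dpkg trigger as an alternative to the file
# trigger "interest /usr/lib/jvm". Trigger and package names are hypothetical.

TRIGGER_NAME="update-ca-certificates-java"

# debian/triggers for ca-certificates-java: declare interest in the named
# trigger. With -noawait an activating package is not held in
# "triggers-awaited" state until the import has run; dpkg's trigger docs
# recommend this when the interested package may itself depend on the
# activating package (here: a JRE), because an awaited trigger can then
# produce a wait cycle.
ca_certs_triggers_file() {
    printf 'interest-noawait %s\n' "$TRIGGER_NAME"
}

# Fragment for each JRE package's postinst: activate the trigger at configure
# time, i.e. after unpack and conffile processing. Every JRE package needs
# this, which is the "updating all JDKs" cost mentioned in the thread.
jre_postinst_fragment() {
    cat <<EOF
case "\$1" in
    configure)
        dpkg-trigger --no-await $TRIGGER_NAME
        ;;
esac
EOF
}

# Dispatcher for ca-certificates-java's postinst. dpkg invokes it as
# "postinst configure <old-version>" on install/upgrade and as
# "postinst triggered <space-separated trigger names>" when a trigger it is
# interested in fires. Both must run the keystore import; everything else
# (remove, abort-*, ...) is a no-op.
ca_certs_postinst_action() {
    action="$1"
    names="$2"
    case "$action" in
        configure)
            echo import
            ;;
        triggered)
            # $2 may list several triggers; act only if ours is among them.
            for t in $names; do
                if [ "$t" = "$TRIGGER_NAME" ]; then
                    echo import
                    return 0
                fi
            done
            echo skip
            ;;
        *)
            echo skip
            ;;
    esac
}

# Render both packaging pieces into a scratch directory so the layout can be
# inspected: the interested package's triggers file and the JRE's postinst
# fragment.
render_packaging_files() {
    dir="$1"
    mkdir -p "$dir/ca-certificates-java/debian" "$dir/openjdk-20-jre-headless/debian"
    ca_certs_triggers_file > "$dir/ca-certificates-java/debian/triggers"
    jre_postinst_fragment > "$dir/openjdk-20-jre-headless/debian/postinst.fragment"
}
```

The `triggered` branch matters in practice: a postinst that only recognises `configure` silently does nothing when dpkg runs it for the trigger, and the keystore stays stale. Filtering on `$2` keeps the import from running for unrelated triggers should the package ever declare interest in more than one.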