Ubuntu
openjdk-18 package

Circular dependency on ca-certificates-java can crash package configuration

Bug #1965987 reported by Patel
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
openjdk-18 (Debian)
Fix Released
Unknown
openjdk-18 (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Hello

Description: Ubuntu Jammy Jellyfish (development branch)
Release: 22.04

apt-cache policy ca-certificates-java
ca-certificates-java:
  Installed: 20190909
  Candidate: 20190909
  Version table:
 *** 20190909 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status

what I expect to happen: the package to install reliably in all circonstances
what happens instead: in some circonstances the configure stage crashes.

Detail

as said in the subject, openjdk depends on ca-certificates-java, and ca-certificates-java depends on java. Usually installing ca-certificates-java installs automatically openjdk-18 and the config stage is in a good order: first openjdk, then ca-certificates-java. If one installs openjdk-18, same scenario so everything is good. Well, no. In fact when dealing with circular dependencies, the package order is not really defined.

To test the jitsi-videobridge2 package (jitsi-meet project), here are the instructions:
curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'

echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null

sudo apt update

Here the package order is different:

sudo apt install --dry-run jitsi-videobridge2:
(...)
Conf ca-certificates-java (20190909 Ubuntu:22.04/jammy [all])
Conf openjdk-18-jre-headless (18~36ea-1 Ubuntu:22.04/jammy [amd64])

to work around this problem, the ca-certificates-java package maintainers have included a horrendous kludge in the postinstall package:

    for jvm in java-7-openjdk-$arch java-7-openjdk \
               oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
(... cut for brevity all other java versions between 7 and 17...)
               java-17-openjdk-$arch java-17-openjdk \
               oracle-java17-jre-$arch oracle-java17-server-jre-$arch oracle-java17-jdk-$arch; do
        if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
            export JAVA_HOME=/usr/lib/jvm/$jvm
            PATH=$JAVA_HOME/bin:$PATH
            break
        fi
    done

so that when the installation order is reversed the configuration script still runs.

However this kludge go only up to Java 17. It is my understanding that these package are coming from upstream (Debian) and Debian 12 only include Java 17 for now.

So jitsi-videobridge2 install fine in Bookworm (it pulls Java 17 of course).
However, under Jammy it gives that:

head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or directory
/var/lib/dpkg/info/ca-certificates-java.postinst: line 101: java: command not found
dpkg: error processing package ca-certificates-java (--configure):
 installed ca-certificates-java package post-installation script subprocess returned error exit status 127
dpkg: dependency problems prevent configuration of openjdk-18-jre-headless:amd64:
 openjdk-18-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); however:
  Package ca-certificates-java is not configured yet.

dpkg: error processing package openjdk-18-jre-headless:amd64 (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 ca-certificates-java
 openjdk-18-jre-headless:amd64
E: Sub-process /usr/bin/dpkg returned an error code (1)

java is not found, because
ls /usr/lib/jvm/

java-1.18.0-openjdk-amd64 java-18-openjdk-amd64

-> java-18-openjdk is available but can't be found.

All these tests have been done on a fresh Jammy container obtained thanks to St Graber and its LXD band.

So my conclusion: you have to either:
- drop java 18 until Debian adopts it and adapts its package
- convince Debian to add the test for Java 18 in the ca-certificates-java post install script kludge
- take the responsabilty for ca-certificates-java package yourself and fix it at the Ubuntu level.

There is of course a fourth option: explain to people complaining that the jitsi-videobridge2 don't install anymore - it installs fine under Focal - that it's the Jitsi-meet project's fault. And possibly other projects as well. The Jitsi-videobridge2 package could probably be modified to fix that, I'll grant it. I did not test it but I think that if it depended on default-jre instead of
Pre-Depends: java8-runtime-headless | java8-runtime | java11-runtime-headless | java11-runtime
it would install fine even with the incomplete kludge in the ca-certificates-java post-install script.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openjdk-18 (Ubuntu):
status: New → Confirmed
Revision history for this message
Martin Schröder (martin-oneiros) wrote :

Same problem exists on Debian (obviously); see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009905

Bug Watch Updater (bug-watch-updater)
Changed in openjdk-18 (Debian):
status: Unknown → New
Bug Watch Updater (bug-watch-updater)
Changed in openjdk-18 (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.