Ubuntu
dogtag-pki package

please remove dogtag-pki from noble

Bug #2055830 reported by Vladimir Petko
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
dogtag-pki (Ubuntu)
Fix Released
Undecided
Unassigned
tomcat9 (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

dogtag-pki fails to build due to the missing and obsolete dependency (python3-six, distutils).
After fixing the missing dependencies, the package fails to unpack with the following error message:
-----
Unpacking pki-server (11.2.1-2ubuntu1) ...
dpkg: error processing archive /tmp/apt-dpkg-install-V2J5IB/123-pki-server_11.2.1-2ubuntu1_amd64.deb (--unpack):
 unable to open '/usr/lib/systemd/system/pki-tomcatd@.service.dpkg-new': No such file or directory
No apport report written because the error message indicates an issue on the local system
----
The package also attempts to install service file to /lib[3].

After working around those issues I was able to create a pki server which started an empty tomcat instance.

tomcat9 migration to 9.0.70-2 is blocked by dogtag-pki.
dogtag-pki can not be trivially upgraded to tomcat10 because dogtag-pki upstream implementation depends on tomcat9 [1][2].

tomcat9 removal bug[4] states that `dogtag-pki` was removed from bookworm[5]

reverse dependencies - no reverse dependenices found
$ reverse-depends -b src:dogtag-pki
No reverse dependencies found
$ reverse-depends src:dogtag-pki
$

The package contains a number of issues - it can not be built, installed and used properly. More importantly it blocks tomcat9 migration which leaves users with tomcat 9.0.70 has a number of known security issues[6]

Would it be possible to consider removing source and binaries of the package from noble?

[1] https://github.com/dogtagpki/pki/blob/master/base/tomcat/pom.xml
[2] https://github.com/dogtagpki/pki/blob/master/base/tomcat-9.0/pom.xml
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054480
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034824
[5] https://tracker.debian.org/pkg/dogtag-pki
[6] https://tomcat.apache.org/security-9.html

Original description:
-----------
a -W /<<PKGBUILDDIR>>/base/common/python /<<PKGBUILDDIR>>/build/core/base/common/python/html
Running Sphinx v7.2.6
making output directory... done
building [mo]: all of 0 po files
writing output...
building [html]: all source files
updating environment: [new config] 2 added, 0 changed, 0 removed
reading sources... [ 50%] index
reading sources... [100%] pki

Warning, treated as error:
autodoc: failed to import module 'pki'; the following exception was raised:
No module named 'six'
make[4]: *** [base/common/python/CMakeFiles/dogtag_python_client_docs.dir/build.make:71: base/common/python/CMakeFiles/dogtag_python_client_docs] Error 2
make[4]: Leaving directory '/<<PKGBUILDDIR>>/build/core'
make[3]: *** [CMakeFiles/Makefile2:1361: base/common/python/CMakeFiles/dogtag_python_client_docs.dir/all] Error 2
make[3]: Leaving directory '/<<PKGBUILDDIR>>/build/core'
make[2]: *** [Makefile:156: all] Error 2
make[2]: Leaving directory '/<<PKGBUILDDIR>>/build/core'
make[1]: *** [debian/rules:66: debian/stamp/x86_64-linux-gnu-build-core] Error 2
----------
See[1]

https://launchpad.net/~vpa1977/+archive/ubuntu/october-21/+build/27797951/+files/buildlog_ubuntu-noble-amd64.dogtag-pki_11.2.1-2_BUILDING.txt.gz

See original description
Vladimir Petko (vpa1977)
tags: added: ftbfs
Vladimir Petko (vpa1977)
summary: - dogtag-pki fails to build from source in noble
+ please remove dogtag-pki from noble
description: updated
tags: added: update-excuse
description: updated
description: updated
description: updated
description: updated
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Hang on, the bits it needs from tomcat9 can be vendored inside dogtag-pki, and dependency for tomcat9-user dropped. But it would still need libtomcat9-java to be available, which AIUI should be fine as Debian is shipping it as well.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Hmm, maybe the rabbit hole goes too deep which makes it unfeasible to vendor everything (and rather pointless), in which case this should get removed indeed.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

according to https://lists.apache.org/thread/qlzpscgoqct9wspkj5qjkm34s66jswj0
there's still plenty of life left in tomcat 9.x...

Revision history for this message
Steve Langasek (vorlon) wrote :
Download full text (4.2 KiB)

Removing packages from noble:
 dogtag-pki 11.2.1-2 in noble
  dogtag-pki 11.2.1-2 in noble amd64
  dogtag-pki 11.2.1-2 in noble arm64
  dogtag-pki 11.2.1-2 in noble armhf
  dogtag-pki 11.2.1-2 in noble i386
  dogtag-pki 11.2.1-2 in noble ppc64el
  dogtag-pki 11.2.1-2 in noble riscv64
  dogtag-pki 11.2.1-2 in noble s390x
  dogtag-pki-console-theme 11.2.1-2 in noble amd64
  dogtag-pki-console-theme 11.2.1-2 in noble arm64
  dogtag-pki-console-theme 11.2.1-2 in noble armhf
  dogtag-pki-console-theme 11.2.1-2 in noble i386
  dogtag-pki-console-theme 11.2.1-2 in noble ppc64el
  dogtag-pki-console-theme 11.2.1-2 in noble riscv64
  dogtag-pki-console-theme 11.2.1-2 in noble s390x
  dogtag-pki-server-theme 11.2.1-2 in noble amd64
  dogtag-pki-server-theme 11.2.1-2 in noble arm64
  dogtag-pki-server-theme 11.2.1-2 in noble armhf
  dogtag-pki-server-theme 11.2.1-2 in noble i386
  dogtag-pki-server-theme 11.2.1-2 in noble ppc64el
  dogtag-pki-server-theme 11.2.1-2 in noble riscv64
  dogtag-pki-server-theme 11.2.1-2 in noble s390x
  pki-base 11.2.1-2 in noble amd64
  pki-base 11.2.1-2 in noble arm64
  pki-base 11.2.1-2 in noble armhf
  pki-base 11.2.1-2 in noble i386
  pki-base 11.2.1-2 in noble ppc64el
  pki-base 11.2.1-2 in noble riscv64
  pki-base 11.2.1-2 in noble s390x
  pki-base-java 11.2.1-2 in noble amd64
  pki-base-java 11.2.1-2 in noble arm64
  pki-base-java 11.2.1-2 in noble armhf
  pki-base-java 11.2.1-2 in noble i386
  pki-base-java 11.2.1-2 in noble ppc64el
  pki-base-java 11.2.1-2 in noble riscv64
  pki-base-java 11.2.1-2 in noble s390x
  pki-ca 11.2.1-2 in noble amd64
  pki-ca 11.2.1-2 in noble arm64
  pki-ca 11.2.1-2 in noble armhf
  pki-ca 11.2.1-2 in noble i386
  pki-ca 11.2.1-2 in noble ppc64el
  pki-ca 11.2.1-2 in noble riscv64
  pki-ca 11.2.1-2 in noble s390x
  pki-console 11.2.1-2 in noble amd64
  pki-console 11.2.1-2 in noble arm64
  pki-console 11.2.1-2 in noble armhf
  pki-console 11.2.1-2 in noble i386
  pki-console 11.2.1-2 in noble ppc64el
  pki-console 11.2.1-2 in noble riscv64
  pki-console 11.2.1-2 in noble s390x
  pki-javadoc 11.2.1-2 in noble amd64
  pki-javadoc 11.2.1-2 in noble arm64
  pki-javadoc 11.2.1-2 in noble armhf
  pki-javadoc 11.2.1-2 in noble i386
  pki-javadoc 11.2.1-2 in noble ppc64el
  pki-javadoc 11.2.1-2 in noble riscv64
  pki-javadoc 11.2.1-2 in noble s390x
  pki-kra 11.2.1-2 in noble amd64
  pki-kra 11.2.1-2 in noble arm64
  pki-kra 11.2.1-2 in noble armhf
  pki-kra 11.2.1-2 in noble i386
  pki-kra 11.2.1-2 in noble ppc64el
  pki-kra 11.2.1-2 in noble riscv64
  pki-kra 11.2.1-2 in noble s390x
  pki-ocsp 11.2.1-2 in noble amd64
  pki-ocsp 11.2.1-2 in noble arm64
  pki-ocsp 11.2.1-2 in noble armhf
  pki-ocsp 11.2.1-2 in noble i386
  pki-ocsp 11.2.1-2 in noble ppc64el
  pki-ocsp 11.2.1-2 in noble riscv64
  pki-ocsp 11.2.1-2 in noble s390x
  pki-server 11.2.1-2 in noble amd64
  pki-server 11.2.1-2 in noble arm64
  pki-server 11.2.1-2 in noble armhf
  pki-server 11.2.1-2 in noble ppc64el
  pki-server 11.2.1-2 in noble riscv64
  pki-server 11.2.1-2 in noble s390x
  pki-tks 11.2.1-2 in noble amd64
  pki-tks 11.2.1-2 in noble arm64
...

Read more...

Changed in dogtag-pki (Ubuntu):
status: New → Fix Released
Changed in tomcat9 (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.