Unable to install libreoffice due to ca-certificates-java installation failure [original: Fails to configure in autopkgtest]

Bug #2003750 reported by Rico Tzschichholz
This bug affects 8 people

Affects                        Status        Importance  Assigned to  Milestone
ca-certificates-java (Ubuntu)  Fix Released  High        Unassigned
Xenial                         New           Undecided   Unassigned
Bionic                         New           Undecided   Unassigned
Focal                          New           Undecided   Unassigned
Jammy                          New           Undecided   Unassigned
Kinetic                        New           Undecided   Unassigned

Bug Description

[Impact]

The ca-certificates-java implementation historically relied on the openjdk-jre-headless package being able to work without being configured (e.g. 20190909ubuntu1.1), which may result in installation failure; see LP: #2019908.

ca-certificates-java 20230103 added a hard dependency on the openjdk package, which caused a looping trigger.

LP: #2019908 provided a fix for the immediate problem (a missing java.security file) but did not address the underlying issue: an attempt to use the unconfigured package.

The fix deployed to resolve this bug (LP: #2003750) removed the dependency on the openjdk package and ensured that certificate synchronisation by ca-certificates-java is performed only after the openjdk JRE is configured. This change will not need any future fixes in case of openjdk changes.

In order to avoid issues such as LP: #2019908 in future openjdk security releases, the fix for LP: #2003750 should be deployed to the supported releases (kinetic, jammy, focal, bionic, xenial).

Xenial contains only openjdk-8, which is not currently affected by LP: #2019908 but has an installation race condition (see attachment).

[Test Plan]

autopkgtests should pass.

- Test package install in an lxc container and ensure that the race condition is reproduced for each release: ca-certificates-java is configured before openjdk

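----------------------cut------------------------------------
# PPA carrying the package under test (value elided in the report)
test_ppa=.....
for release in xenial bionic focal jammy kinetic; do
    # Single-quoted format keeps "!" literal even when pasted into an interactive shell
    printf '!!!!!!!!!!!!!!%s!!!!!!!!!!!!!!!!!!!!\n' "${release}"
    lxc launch "images:ubuntu/${release}" lp2019908
    # -y keeps the install and the PPA setup from stopping at a confirmation prompt
    lxc exec lp2019908 -- apt install -y software-properties-common
    lxc exec lp2019908 -- add-apt-repository -y "${test_ppa}"
    lxc exec lp2019908 -- apt-get update
    lxc exec lp2019908 -- apt-get -y install openjdk-17-jre-headless
    # Throw the container away so the next release starts clean
    lxc stop lp2019908
    lxc delete lp2019908
    printf '!!!!!!TEST DONE for %s!!!!!!!!!\n' "${release}"
done
----------------------cut------------------------------------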

[Where problems could occur]

This version of ca-certificates-java relies on the openjdk package explicitly calling this trigger in ca-certificates-java. All supported openjdk packages (8,11,17,20,21) are updated to have this behaviour. Unsupported 19 was also updated.

Unsupported packages (any other openjdk version) that are still present in the archive:
 - openjdk-18 (jammy, kinetic),
 - openjdk-16 (focal)
 - openjdk-13 (focal)
 - openjdk-9 (xenial)

We can update those packages in order to avoid issues.

[Original Report]
ca-certificates-java 20230103 fails to install in LibreOffice autopkgtests environment

...
Setting up libebook1.2-dev:arm64 (3.46.3-1) ...
dpkg: cycle found while processing triggers:
 chain of packages whose triggers are or may be responsible:
  ca-certificates-java -> ca-certificates-java
 packages' pending triggers which are or may be unresolvable:
  ca-certificates-java: /usr/lib/jvm
dpkg: error processing package ca-certificates-java (--configure):
 triggers looping, abandoned
Setting up junit4 (4.13.2-3) ...
Setting up openjdk-17-jre:arm64 (17.0.6+10-0ubuntu1) ...
Setting up maven-repo-helper (1.11) ...
Setting up default-jre (2:1.17-74) ...
Setting up openjdk-17-jdk-headless:arm64 (17.0.6+10-0ubuntu1) ...
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jar to provide /usr/bin/jar (jar) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jarsigner to provide /usr/bin/jarsigner (jarsigner) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/javac to provide /usr/bin/javac (javac) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/javadoc to provide /usr/bin/javadoc (javadoc) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/javap to provide /usr/bin/javap (javap) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jcmd to provide /usr/bin/jcmd (jcmd) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jdb to provide /usr/bin/jdb (jdb) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jdeprscan to provide /usr/bin/jdeprscan (jdeprscan) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jdeps to provide /usr/bin/jdeps (jdeps) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jfr to provide /usr/bin/jfr (jfr) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jimage to provide /usr/bin/jimage (jimage) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jinfo to provide /usr/bin/jinfo (jinfo) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jlink to provide /usr/bin/jlink (jlink) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jmap to provide /usr/bin/jmap (jmap) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jmod to provide /usr/bin/jmod (jmod) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jps to provide /usr/bin/jps (jps) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jrunscript to provide /usr/bin/jrunscript (jrunscript) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jshell to provide /usr/bin/jshell (jshell) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jstack to provide /usr/bin/jstack (jstack) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jstat to provide /usr/bin/jstat (jstat) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jstatd to provide /usr/bin/jstatd (jstatd) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/serialver to provide /usr/bin/serialver (serialver) in auto mode
update-alternatives: using /usr/lib/jvm/java-17-openjdk-arm64/bin/jhsdb to provide /usr/bin/jhsdb (jhsdb) in auto mode
...

See attachment for full log of test case.
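
One way to check the test plan's ordering condition and the trigger loop from the original report against captured logs, as an added example that is not part of the bug report or the package. `configure_order` and `looping_packages` are hypothetical helper names, the dpkg.log excerpt is constructed, and the apt output lines are taken from the report above.

```shell
#!/bin/sh
# Added example, not part of the bug report. configure_order and
# looping_packages are hypothetical helper names.

# Reads a dpkg.log and reports whether the ca-certificates-java "configure"
# step started before an openjdk-N-jre-headless package was fully installed.
configure_order() {
    awk '
        { pkg = ($3 == "status") ? $5 : $4; sub(/:.*/, "", pkg) }  # strip :arch
        $3 == "configure" && pkg == "ca-certificates-java" && !cacj { cacj = NR }
        $3 == "status" && $4 == "installed" &&
            pkg ~ /^openjdk-[0-9]+-jre-headless$/ && !jre { jre = NR }
        END {
            if (!cacj)                   print "not-seen"
            else if (!jre || cacj < jre) print "cacj-before-jre"
            else                         print "jre-before-cacj"
        }' "$1"
}

# Reads captured apt/dpkg output and prints each package that dpkg gave up on
# with "triggers looping, abandoned".
looping_packages() {
    awk '
        /^dpkg: error processing package / { pkg = $5; next }
        /triggers looping, abandoned/ && pkg != "" { print pkg }
        { pkg = "" }' "$1"
}

# Constructed dpkg.log excerpt (timestamps invented for the example).
sample_dpkg_log=$(mktemp)
cat > "$sample_dpkg_log" <<'EOF'
2023-03-01 13:31:55 configure ca-certificates-java:all 20230103 <none>
2023-03-01 13:31:55 status half-configured ca-certificates-java:all 20230103
2023-03-01 13:31:58 configure openjdk-17-jre-headless:arm64 17.0.6+10-0ubuntu1 <none>
2023-03-01 13:31:59 status installed openjdk-17-jre-headless:arm64 17.0.6+10-0ubuntu1
EOF

# apt output lines taken from the original report above.
sample_apt_out=$(mktemp)
cat > "$sample_apt_out" <<'EOF'
dpkg: cycle found while processing triggers:
dpkg: error processing package ca-certificates-java (--configure):
 triggers looping, abandoned
Setting up junit4 (4.13.2-3) ...
EOF

echo "configure order: $(configure_order "$sample_dpkg_log")"
echo "trigger loop:    $(looping_packages "$sample_apt_out")"
```

In a test container, `configure_order` can be pointed at /var/log/dpkg.log after the install step, and `looping_packages` at the saved apt-get output.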

Rico Tzschichholz (ricotz) wrote :
Changed in ca-certificates-java (Ubuntu):
importance: Undecided → High
Vladimir Petko (vpa1977) wrote :

The issue is caused by a circular dependency, see https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998697

Rico Tzschichholz (ricotz) wrote :

@vpa1977: Please check the link in your comment above.

Simon Quigley (tsimonq2)
tags: added: rls-ll-incoming
summary: - Fails to configure on autopkgtests arm64/armhf
+ Fails to configure in autopkgtests
description: updated
Vladimir Petko (vpa1977) wrote : Re: Fails to configure in autopkgtests

@ricotz: Thank you!!! Fixed.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ca-certificates-java (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates-java - 20230103ubuntu1

---------------
ca-certificates-java (20230103ubuntu1) lunar; urgency=medium

  * Resolve circular JRE dependency (LP: #2003750, LP: #1999103, LP: #2004061)
    - debian/ca-certificates-java.postinst: remove setup_path from "configure"
      stage.
    - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
      not found. Certificates are refreshed only in response to the trigger
      activated by OpenJDK packages.
    - debian/ca-certificates-java.postinst: fix cacert enumeration command for
      Java 8.
    - debian/control: remove JRE dependency.
    - debian/control: add Breaks condition.
    - debian/tests: add smoke tests.
    - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
      explicitly declare triggers as -await.

 -- Vladimir Petko <email address hidden> Wed, 01 Mar 2023 13:31:58 +1300

Changed in ca-certificates-java (Ubuntu):
status: Confirmed → Fix Released
Vladimir Petko (vpa1977)
summary: - Fails to configure in autopkgtests
+ Unable to install libreoffice due to openjdk-jre-headless/ca-
+ certificates-java installation failure [original: Fails to configure in
+ autopkgtest]
Vladimir Petko (vpa1977)
description: updated
Vladimir Petko (vpa1977)
description: updated
Vladimir Petko (vpa1977) wrote : Re: Unable to install libreoffice due to openjdk-jre-headless/ca-certificates-java installation failure [original: Fails to configure in autopkgtest]

Xenial installation race condition

description: updated
description: updated
Vladimir Petko (vpa1977)
summary: - Unable to install libreoffice due to openjdk-jre-headless/ca-
- certificates-java installation failure [original: Fails to configure in
- autopkgtest]
+ Unable to install libreoffice due to ca-certificates-java installation
+ failure [original: Fails to configure in autopkgtest]
Vladimir Petko (vpa1977)
description: updated
Vladimir Petko (vpa1977) wrote :

ca-certificates-java bionic patch

Vladimir Petko (vpa1977) wrote :

ca-certificates-java focal patch

Vladimir Petko (vpa1977) wrote :

ca-certificates-java jammy patch

Vladimir Petko (vpa1977) wrote :

ca-certificates-java kinetic patch

Vladimir Petko (vpa1977) wrote :

ca-certificates-java xenial patch
