Univention Bugzilla – Bug 45959
UCS 4.3 upgrade: univention-java is removed
Last modified: 2018-03-14 14:38:07 CET
In a Jenkins upgrade test univention-java is removed: Investigating (1) openjdk-7-jre-headless [ amd64 ] < 7u151-2.6.11-2~deb8u1A~4.2.0.201712111344 > ( java ) Broken openjdk-7-jre-headless:amd64 Depends on tzdata-java [ amd64 ] < 2016j-0+deb8u1 > ( java ) Considering tzdata-java:amd64 3 as a solution to openjdk-7-jre-headless:amd64 6 Added tzdata-java:amd64 to the remove list Fixing openjdk-7-jre-headless:amd64 via keep of tzdata-java:amd64 Investigating (1) tzdata-java [ amd64 ] < 2016j-0+deb8u1 > ( java ) Broken tzdata-java:amd64 Depends on tzdata [ amd64 ] < 2016j-0+deb8u1 -> 2017c-0+deb9u1 > ( localization ) (= 2016j-0+deb8u1) Considering tzdata:amd64 33 as a solution to tzdata-java:amd64 3 Removing tzdata-java:amd64 rather than change tzdata:amd64 Investigating (2) openjdk-7-jre-headless [ amd64 ] < 7u151-2.6.11-2~deb8u1A~4.2.0.201712111344 > ( java ) Broken openjdk-7-jre-headless:amd64 Depends on tzdata-java [ amd64 ] < 2016j-0+deb8u1 > ( java ) Considering tzdata-java:amd64 3 as a solution to openjdk-7-jre-headless:amd64 6 Added tzdata-java:amd64 to the remove list Fixing openjdk-7-jre-headless:amd64 via keep of tzdata-java:amd64 Investigating (2) tzdata-java [ amd64 ] < 2016j-0+deb8u1 > ( java ) Broken tzdata-java:amd64 Depends on tzdata [ amd64 ] < 2016j-0+deb8u1 -> 2017c-0+deb9u1 > ( localization ) (= 2016j-0+deb8u1) Considering tzdata:amd64 33 as a solution to tzdata-java:amd64 6 Removing tzdata-java:amd64 rather than change tzdata:amd64 Investigating (3) openjdk-7-jre-headless [ amd64 ] < 7u151-2.6.11-2~deb8u1A~4.2.0.201712111344 > ( java ) Broken openjdk-7-jre-headless:amd64 Depends on tzdata-java [ amd64 ] < 2016j-0+deb8u1 > ( java ) Considering tzdata-java:amd64 33 as a solution to openjdk-7-jre-headless:amd64 6 Removing openjdk-7-jre-headless:amd64 rather than change tzdata-java:amd64 Investigating (3) ca-certificates-java [ amd64 ] < 20140324 -> 20170531+nmu1 > ( java ) Broken ca-certificates-java:amd64 Depends on openjdk-7-jre-headless [ amd64 ] < 7u151-2.6.11-2~deb8u1A~4.2.0.201712111344 > ( java ) Considering openjdk-7-jre-headless:amd64 33 as a solution to ca-certificates-java:amd64 3 Broken ca-certificates-java:amd64 Depends on java7-runtime-headless [ amd64 ] < none > ( none ) Considering openjdk-7-jre-headless:amd64 33 as a solution to ca-certificates-java:amd64 3 Or group remove for ca-certificates-java:amd64 Investigating (3) openjdk-7-jre [ amd64 ] < 7u151-2.6.11-2~deb8u1A~4.2.0.201712111344 > ( java ) Broken openjdk-7-jre:amd64 Depends on openjdk-7-jre-headless [ amd64 ] < 7u151-2.6.11-2~deb8u1A~4.2.0.201712111344 > ( java ) (= 7u151-2.6.11-2~deb8u1A~4.2.0.201712111344) Considering openjdk-7-jre-headless:amd64 33 as a solution to openjdk-7-jre:amd64 3 Removing openjdk-7-jre:amd64 rather than change openjdk-7-jre-headless:amd64 Investigating (3) univention-java [ amd64 ] < 9.0.0-1A~4.2.0.201701292055 -> 10.0.0-1A~4.3.0.201712120313 > ( univention ) Broken univention-java:amd64 Depends on openjdk-7-jre [ amd64 ] < 7u151-2.6.11-2~deb8u1A~4.2.0.201712111344 > ( java ) Considering openjdk-7-jre:amd64 33 as a solution to univention-java:amd64 0 Removing univention-java:amd64 rather than change openjdk-7-jre:amd64 Investigating (3) icedtea-7-plugin [ amd64 ] < 1.5.3-1 > ( web ) Broken icedtea-7-plugin:amd64 Depends on openjdk-7-jre [ amd64 ] < 7u151-2.6.11-2~deb8u1A~4.2.0.201712111344 > ( java ) Considering openjdk-7-jre:amd64 33 as a solution to icedtea-7-plugin:amd64 0 Removing icedtea-7-plugin:amd64 rather than change openjdk-7-jre:amd64 Investigating (3) icedtea-netx [ amd64 ] < 1.5.3-1 -> 1.6.2-3.1 > ( java ) Broken icedtea-netx:amd64 Depends on openjdk-7-jre [ amd64 ] < 7u151-2.6.11-2~deb8u1A~4.2.0.201712111344 > ( java ) Considering openjdk-7-jre:amd64 33 as a solution to icedtea-netx:amd64 0 Broken icedtea-netx:amd64 Depends on openjdk-6-jre [ amd64 ] < none > ( none ) (>= 6b23~pre10~) Or group remove for icedtea-netx:amd64 Done
The dependency of univention-java has been changed to openjdk-8-jre and icedtea-plugin: Fix: https://git.knut.univention.de/univention/ucs/commit/8fb4e2491e333ee40813a9a1ec3544463f3f1fc7 Changelog: https://git.knut.univention.de/univention/ucs/commit/47e7f693a4462ffbef8bb9a260120b8379e20cc8
Looks good. What I tested: Upgraded with univention-java -> openjdk-8-jre and icedtea-plugin are being installed -> OK Java seems to be working -> OK Changelog -> OK -> Verified
It did not work for me in one case as there is multiple upgrade issue, one described in Bug #46320 comment 3: TL;DR: <https://lists.debian.org/debian-glibc/2014/08/msg00007.html> - Java has its own TZ datase, which is part of src:openjdk-X - it received quaterly updates - Debian maintains only src:tzdata - the data is compiled into the format required by OpenJDK - the compiler is only available with bin:OpenDJK <= 7 - OpenJDK-8 uses a new format - the compiler is no longer available in bin:openjdk-8 - Debian dropped the compilation from src:tzdata Another one is for the CA certificates: - Java has its own certificate store (based on libnss) - Debian integrates into its ca-certificate infrastructure - ca-certificates-java provides the hook /etc/ca-certificates/update.d/jks-keystore - for running it it requires a working JRE - but the JRE depends on ca-certificates-java, too - ergo there is a dependency loop - the loop propagates into the dpkg trigger mechanism: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864597> - Debian choose to not fix it correctly just before the Debian-Stretch release. - Instead ca-certificate-java was hacked: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864597> With UCS-4.3 we now have this situation: - openjdk-8-jre-headless Breaks: tzdata-java - openjdk-7-jre-headless Depends: tzdata-java - ca-certificates-java Depends openjdk-7-jre As openjdk-7-jre is installed and still available in UCS-4.3 (as it aggregates all previous Debian-Releases Wheezy, Jessie, Stretch), APT sees no reason to automatically remote it. The upgrade is blocked! The APT resolver seems to work on a score based on package relevance, so it is good to *not* reference specific packages: APT the assigns a lower score to them, making them easier to remove when blocking other required packages. Because of that "default-jre" should be used. 6f10524385 Bug #45959 java: Switch to default-jre db85258214 Bug #45959 java: Copyright 2018 67c9917794 Bug #45959 java: Switch to Architecture: all Package: univention-java Version: 10.0.0-3A~4.3.0.201802211147 Version: 10.0.0-4A~4.3.0.201802211150 Branch: ucs_4.3-0 I restored the old version of "ca-certificates-java" using OpenJDK-8 from <http://snapshot.debian.org/archive/debian/20170615T155207Z/pool/main/c/ca-certificates-java/> and added it to mirror/update_ucs43_mirror_from_debian.yml 28a36382 Bug #45959 mirror: Use old ca-certificates-java
Ok Upgrade works for me -> Verified
UCS 4.3 has been released: https://docs.software-univention.de/release-notes-4.3-0-en.html https://docs.software-univention.de/release-notes-4.3-0-de.html If this error occurs again, please use "Clone This Bug".