Cassandra / CASSANDRA-1575

suggest avoiding broken openjdk6 on Debian as build-dep

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Fix Version/s: 0.6.6, 0.7 beta 3
    • Component/s: Packaging
    • Labels:
      None
    • Environment:

      Debian lenny

      Description

      I ran into this myself and then today someone was reporting having the same problem on IRC; there is a packaging bug in openjdk6 in lenny:

      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501487

      The effect is that when ant tries to download files over SSL, it fails complaining about:

      "java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty"

      It turns out this works fine with the Sun JVM. I'm attaching a patch which makes Cassandra build on both lenny and squeeze; however, I am not sure whether other platforms may be negatively affected. The patch just requires an openjdk sufficiently new that the lenny openjdk won't qualify. If there are other platforms where we do want an older openjdk, this patch might break that.

      In addition, I removed the "java6-sdk" as a sufficient dependency because that resolved to openjdk-6-jdk on lenny.

      I think it's a good idea to consider changing this just to decrease the initial threshold of adoption for those trying to build from source.

      So: This does fix the build issue on lenny, and doesn't seem to break squeeze, but I cannot promise anything about e.g. ubuntu.

      For the record, I'm also attaching a small self-contained test case which, when run, tries to download one of the offending pom files. It can be used to easily test whether the SSL download will work with a particular JVM.

      1. trunk-1575.txt
        0.5 kB
        Peter Schuller
      2. Trunk1575Test.java
        0.6 kB
        Peter Schuller

        Activity

        Peter Schuller added a comment -

        And I should stress that this will presumably only help normalized build environments that install build dependencies as required. It doesn't help a user trying to 'ant build', nor a user trying to 'debuild' who happens to have other JDKs installed, but I'm not sure how to address that in a clean fashion.

        Maybe add a note under "requirements" in the README?

        (I realize this is catering to a very specific platform, but lenny is presumably pretty common.)

        Eric Evans added a comment -

        First off, thanks for the report, and the background research on it.

        To summarize this issue for others, the openjdk-6 package in Lenny is missing the cacerts keystore needed to establish "trust" with SSL-enabled servers. I'm guessing this is because it was stripped from Sun's original code dump, because later versions of the package depend on ca-certificates-java, which simply maintains a keystore made up of the Debian-installed CAs.

        Where this creates a problem for Cassandra is in the retrieval of build dependencies with Ivy, where those deps are located on SSL-enabled remote servers. This only occurs on Lenny though; later versions are fine.

        As to the attached patch, I'm not convinced that the cure here isn't worse than the disease. Here's why:

        • The problem is only with building a Debian source package, and only on Lenny. I believe this to be a small subset of all users.
        • The situation isn't impossible for those that want to build the source package on Lenny. They simply need to install sun-java6 first (or set it to default using update-alternatives if openjdk-6 is already installed).
        • The attached patch will result in an uninstallable package for anyone who doesn't have the non-free repository enabled. This is everyone who went through the default installation process.
        • Unattended installs of sun-java6 (think chef, puppet, et al.) are difficult at best because the package prompts for user acceptance of the license.
        • If possible, we want to use the same packaging for all versions of Debian and derivatives, and there has been a lot of talk of removing the sun packages from archives.

        I think it'd be better to simply document this at http://wiki.apache.org/cassandra/DebianPackaging and leave things as they are. If you disagree, feel free to reopen the report.
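
        An offline diagnostic for the missing-keystore condition described above, added here as an example (it is not the attached Trunk1575Test.java and not project code): it lists the default trust store files the JVM consults, counts the CA certificates the default trust managers actually load, and reproduces the exception text from an empty in-memory keystore. The class name TrustAnchorCheck is hypothetical; the lookup locations are the standard JSSE defaults (the javax.net.ssl.trustStore property, then jssecacerts, then cacerts under java.home/lib/security).

```java
import java.io.File;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name); Java 6 compatible, needs no network access.
public class TrustAnchorCheck {
    // Number of CA certificates accepted by the JVM's default trust managers.
    static int countDefaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store
        int count = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager)
                count += ((X509TrustManager) tm).getAcceptedIssuers().length;
        }
        return count;
    }

    // Builds PKIX parameters from an empty keystore; returns the error text, or null.
    static String errorForEmptyStore() throws Exception {
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null); // initialise the keystore with no entries
        try {
            new PKIXParameters(empty);
            return null;
        } catch (InvalidAlgorithmParameterException e) {
            return e.getMessage(); // same condition as a JVM with no usable cacerts
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("javax.net.ssl.trustStore = "
            + System.getProperty("javax.net.ssl.trustStore"));
        File security = new File(System.getProperty("java.home"), "lib/security");
        for (String name : new String[] {"jssecacerts", "cacerts"}) {
            File f = new File(security, name);
            System.out.println(f + ": exists=" + f.exists() + " bytes=" + f.length());
        }
        System.out.println("empty keystore error: " + errorForEmptyStore());
        int anchors = countDefaultAnchors();
        System.out.println("default trust anchors: " + anchors);
        if (anchors == 0) System.exit(1); // SSL downloads such as Ivy's will fail
    }
}
```

        Compile and run it with each installed JVM in turn; a non-zero exit status identifies a JVM that cannot validate any server certificate.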

        Peter Schuller added a comment -

        Sounds reasonable.

        That said, maybe the set of people who would try 'ant build' on lenny is significantly larger than those building Debian packages with debuild. For those, a note in README might be helpful.

        But again I realize this is catering to a very specific problem. Maybe it's just not worth it.


          People

          • Assignee:
            Eric Evans
            Reporter:
            Peter Schuller
            Reviewer:
            Eric Evans
          • Votes:
            0
            Watchers:
            0
