cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Evans (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CASSANDRA-1575) suggest avoiding broken openjdk6 on Debian as build-dep
Date Wed, 06 Oct 2010 21:13:31 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-1575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918691#action_12918691
] 

Eric Evans commented on CASSANDRA-1575:
---------------------------------------

First off, thanks for the report, and the background research on it.

To summarize this issue for others, the openjdk-6 package in Lenny is missing the cacerts
keystore needed to establish "trust" with SSL enabled servers.  I'm guessing this is because
it was stripped from Sun's original code dump, because later versions of the package depend
on ca-certificates-java which simply maintains a keystore made up of the Debian installed
CAs.

Where this creates a problem for Cassandra is in the retrieval of build dependencies with
Ivy, where those deps are located on SSL-enabled remote servers. This _only_ occurs on Lenny
though, later versions are fine.

As to the attached patch, I'm not convinced that the cure here isn't worse than the disease.
 Here' s why:

* The problem is only with building a Debian source package, and only on Lenny.  I believe
this to be a small subset of all users.
* The situation isn't impossible for those that want to build the source package on Lenny.
 They simply need to install sun-java6 first (or set it to default using update-alternatives
if openjdk-6 is already installed).
* The attached patch will result in an uninstallable package for anyone who doesn't have the
non-free repository enabled.  This is everyone who went through the default installation process.
* Unattended installs of sun-java6 (think chef, puppet, et. al.) are difficult at best because
the package prompts for user acceptance of the license.
* If possible, we want to use the same packaging for all versions of Debian and derivatives,
and there has been a lot of talk of removing the sun packages from archives. 

I think it'd be better to simply document this at http://wiki.apache.org/cassandra/DebianPackaging
and leave things as they are.  If you disagree, feel free to reopen the report.

> suggest avoiding broken openjdk6 on Debian as build-dep
> -------------------------------------------------------
>
>                 Key: CASSANDRA-1575
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-1575
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Packaging
>         Environment: Debian lenny
>            Reporter: Peter Schuller
>            Assignee: Eric Evans
>            Priority: Minor
>             Fix For: 0.6.6, 0.7.0
>
>         Attachments: trunk-1575.txt, Trunk1575Test.java
>
>
> I ran into this myself and then today someone was reporting having the same problem on
IRC; there is a packaging bug in openjdk6 in lenny:
>    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501487
> The effect is that when ant tries to download files over SSL, it fails complaining about:
>    "java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must
be non-empty"
> It turns out this works fine with the Sun JVM. I'm attaching a patch which makes Cassandra
build on both lenny and squeeze; however, I am not sure whether other platforms may be negatively
affected. The patch just requires an openjdk sufficiently new that the lenny openjdk won't
quality. If there are other platforms where we do want an older openjdk, this patch might
break that.
> In addition, I removed the "java6-sdk" as a sufficient dependency because that resolved
to openjdk-6-jdk on lenny.
> I think it's a good idea to consider changing this just to decrease the initial threshold
of adoption for those trying to build from source.
> So: This does fix the build issue on lenny, and doesn't seem to break squeeze, but I
cannot promise anything about e.g. ubuntu.
> For the record, I'm also attaching a small self-contained test case which, when run,
tries to download one of the offending pom files. It can be used to easily test weather the
SSL download with work with a particular JVM.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message