On Sun, 2023-11-05 at 19:18 +0100, Markus Koschany wrote:
> On Sunday, 05.11.2023 at 16:33 +0000, Adam D. Barratt wrote:
> > [...]
> > Do you have an idea how simple rebuilding the bullseye package on
> > buster would be? I'm happy to try that in general, but I've not
> > really looked at the Java ecosystem in Debian much.
>
> Sorry, I missed those new or updated dependencies. That complicates
> the matter a little. We also have to deal with clojure here, a LISP
> dialect of the Java language with a different build system
> (leiningen), but if all dependencies were in place a rebuild would be
> pretty simple. As a last resort I could bundle all those dependencies
> together with trapperkeeper-* the Java way TM but I hope we can avoid
> that.
>
> The most ideal solution is a patch for the current version in Buster.
> I have uploaded a new revision to people.debian.org with minimal
> changes here:
>
> https://people.debian.org/~apo/lts/buster/trapperkeeper-webserver-jetty9-clojure/
>
> dget -x https://people.debian.org/~apo/lts/buster/trapperkeeper-webserver-jetty9-clojure/trapperkeeper-webserver-jetty9-clojure_1.7.0-2+deb10u1.1.dsc
>
> should work as expected. I'm attaching the debdiff as well.
>
> My solution is to replace the old SslContextFactory class with the
> new inner SslContextFactory.Server class but I don't know if this
> change has the desired effect because I couldn't test it.

Thanks for the patch. Unfortunately it didn't work as-is:

Nov 5 18:39:14 handel/handel java[2393]: Exception in thread "main" java.lang.AssertionError: Assert failed: (keyword? kw)
Nov 5 18:39:14 handel/handel java[2393]: at puppetlabs.kitchensink.core$without_ns.invokeStatic(core.clj:613)
Nov 5 18:39:14 handel/handel java[2393]: at puppetlabs.kitchensink.core$without_ns.invoke(core.clj:613)
Nov 5 18:39:14 handel/handel java[2393]: at puppetlabs.trapperkeeper.core$main.invokeStatic(core.clj:175)
Nov 5 18:39:14 handel/handel java[2393]: at puppetlabs.trapperkeeper.core$main.doInvoke(core.clj:159)
Nov 5 18:39:14 handel/handel java[2393]: at clojure.lang.RestFn.applyTo(RestFn.java:137)
Nov 5 18:39:14 handel/handel java[2393]: at clojure.core$apply.invokeStatic(core.clj:665)
Nov 5 18:39:14 handel/handel java[2393]: at clojure.core$apply.invoke(core.clj:660)
Nov 5 18:39:14 handel/handel java[2393]: at puppetlabs.puppetdb.cli.services$provide_services.invokeStatic(services.clj:570)
Nov 5 18:39:14 handel/handel java[2393]: at puppetlabs.puppetdb.cli.services$provide_services.invoke(services.clj:558)
Nov 5 18:39:14 handel/handel java[2393]: at puppetlabs.puppetdb.cli.services$cli$fn__41585.invoke(services.clj:578)
...

After a bit of searching, I happened across a discussion of a similar
change in a different product that mentioned the
SslContextFactory$Server syntax, so gave that a try. The resulting
package is now installed on handel.d.o and seems to work - at least,
it's been running for 45 minutes now (whereas the broken versions
lasted less than 5 minutes) and at least one client has successfully
made a "puppet agent" run in the meantime.

I've attached a debdiff of the package we're now running, with the
revised patch.

Regards,

Adam

diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog --- trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog 2019-09-13 10:00:50.000000000 +0100 +++ trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog 2023-11-05 19:28:22.000000000 +0000 @@ -1,3 +1,11 @@ +trapperkeeper-webserver-jetty9-clojure (1.7.0-2+deb10u1+dsa1) buster; urgency=medium + + * Non-maintainer upload. + * Replace deprecated class SslContextFactory with SslContextFactory.Server. + Largely based on a patch by Markus Koschany. (Hopefully Closes:#1055348) + + -- Adam D. Barratt <a...@adam-barratt.org.uk> Sun, 05 Nov 2023 19:28:22 +0000 + trapperkeeper-webserver-jetty9-clojure (1.7.0-2+deb10u1) buster; urgency=medium [ Manfred Stock ] diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series --- trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series 2019-09-13 09:54:48.000000000 +0100 +++ trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series 2023-11-05 19:28:22.000000000 +0000 @@ -3,3 +3,4 @@ 0003-TK-369-Add-LifeCycleImplementingRequestLogImpl.patch 0004-Implement-LifeCycle-methods-missing-from-RequestLogI.patch 0005-maint-Disable-EndpointIdentification.patch +SslContextFactory.Server.patch diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/SslContextFactory.Server.patch trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/SslContextFactory.Server.patch --- trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/SslContextFactory.Server.patch 1970-01-01 01:00:00.000000000 +0100 +++ trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/SslContextFactory.Server.patch 2023-11-05 19:28:22.000000000 +0000 
@@ -0,0 +1,66 @@ + +--- trapperkeeper-webserver-jetty9-clojure-1.7.0.orig/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj ++++ trapperkeeper-webserver-jetty9-clojure-1.7.0/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj +@@ -8,7 +8,7 @@ + (org.eclipse.jetty.server.handler.gzip GzipHandler) + (org.eclipse.jetty.util.resource Resource) + (org.eclipse.jetty.util.thread QueuedThreadPool) +- (org.eclipse.jetty.util.ssl SslContextFactory) ++ (org.eclipse.jetty.util.ssl SslContextFactory$Server) + (javax.servlet.http HttpServletResponse) + (java.util.concurrent TimeoutException) + (org.eclipse.jetty.servlet ServletContextHandler ServletHolder DefaultServlet) +@@ -137,7 +137,7 @@ + :overrides-read-by-webserver schema/Bool + :overrides (schema/maybe {schema/Keyword schema/Any}) + :endpoints RegisteredEndpoints +- :ssl-context-factory (schema/maybe SslContextFactory)}) ++ :ssl-context-factory (schema/maybe SslContextFactory$Server)}) + + (def ServerContext + {:state (schema/atom ServerContextState) +@@ -181,14 +181,14 @@ + ;;; SSL Context Functions + + (schema/defn ^:always-validate +- ssl-context-factory :- SslContextFactory +- "Creates a new SslContextFactory instance from a map of SSL config options." ++ ssl-context-factory :- SslContextFactory$Server ++ "Creates a new SslContextFactory.Server instance from a map of SSL config options." + [{:keys [keystore-config client-auth ssl-crl-path cipher-suites protocols]} + :- config/WebserverSslContextFactory] + (if (some #(= "sslv3" %) (map str/lower-case protocols)) + (log/warn (i18n/trs "`ssl-protocols` contains SSLv3, a protocol with known vulnerabilities; we recommend removing it from the `ssl-protocols` list"))) + +- (let [context (doto (SslContextFactory.) ++ (let [context (doto (SslContextFactory$Server.) 
+ (.setKeyStore (:keystore keystore-config)) + (.setKeyStorePassword (:key-password keystore-config)) + (.setTrustStore (:truststore keystore-config)) +@@ -218,7 +218,7 @@ + context)) + + (schema/defn ^:always-validate +- get-proxy-client-context-factory :- SslContextFactory ++ get-proxy-client-context-factory :- SslContextFactory$Server + [ssl-config :- ProxySslConfig] + (ssl-context-factory {:keystore-config + (config/pem-ssl-config->keystore-ssl-config +@@ -257,7 +257,7 @@ + [server :- Server + config :- (merge config/WebserverConnector + {schema/Keyword schema/Any}) +- ssl-ctxt-factory :- (schema/maybe SslContextFactory)] ++ ssl-ctxt-factory :- (schema/maybe SslContextFactory$Server)] + (let [request-size (:request-header-max-size config) + connector (doto (ServerConnector. + server +@@ -277,7 +277,7 @@ + ssl-connector :- ServerConnector + "Creates a ssl ServerConnector instance." + [server :- Server +- ssl-ctxt-factory :- SslContextFactory ++ ssl-ctxt-factory :- SslContextFactory$Server + config :- config/WebserverSslConnector] + (connector* server config ssl-ctxt-factory)) +
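
Review bot: In the debian/changelog hunk, "(Hopefully Closes:#1055348)" still contains a literal Closes:#1055348 token, which is what the changelog tooling matches when collecting bugs to close, regardless of the word in front of it. If the fix is not yet confirmed, reference the bug without the Closes: keyword (for example "See #1055348") and add the closer once the change has been verified.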
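
Review bot: The new file debian/patches/SslContextFactory.Server.patch has no header; it opens with an empty line and goes straight to the "--- ...orig/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj" line. Add a DEP-3 style header (Description, Author, Bug-Debian pointing at #1055348) that records which failure the class replacement addresses, since the changelog entry only describes the class as deprecated and the patch itself carries no explanation or credit for the original author.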
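
Review bot: In the "@@ -218,7 +218,7 @@" hunk, get-proxy-client-context-factory is now annotated as returning SslContextFactory$Server, and because it delegates to ssl-context-factory it constructs the server-side class for what its name describes as a client context. Jetty also ships SslContextFactory$Client for outbound connections, so either confirm that the proxy path is meant to use the Server variant and say so in a comment, or build the client class there. The thread only reports a successful "puppet agent" run, which does not show that the proxy code was exercised.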
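
Review bot: The schema entries in the "@@ -137,7", "@@ -257,7" and "@@ -277,7" hunks (":ssl-context-factory (schema/maybe SslContextFactory$Server)" and the two ssl-ctxt-factory parameters) now accept only the subclass, while the patch touches jetty9_core.clj alone. Any other namespace in the package, or a consumer of it, that still creates or passes a plain SslContextFactory will fail schema validation at runtime rather than at build time. Search the rest of the source tree and the tests for remaining SslContextFactory references before shipping, or keep the schema on the base class and change only the constructor call.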