[ https://issues.apache.org/jira/browse/CASSANDRA-1575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918691#action_12918691 ]
Eric Evans commented on CASSANDRA-1575:
---------------------------------------

First off, thanks for the report, and the background research on it.

To summarize this issue for others, the openjdk-6 package in Lenny is missing the cacerts keystore needed to establish "trust" with SSL enabled servers. I'm guessing this is because it was stripped from Sun's original code dump, because later versions of the package depend on ca-certificates-java which simply maintains a keystore made up of the Debian installed CAs.

Where this creates a problem for Cassandra is in the retrieval of build dependencies with Ivy, where those deps are located on SSL-enabled remote servers. This _only_ occurs on Lenny though; later versions are fine.

As to the attached patch, I'm not convinced that the cure here isn't worse than the disease. Here's why:

* The problem is only with building a Debian source package, and only on Lenny. I believe this to be a small subset of all users.
* The situation isn't impossible for those that want to build the source package on Lenny. They simply need to install sun-java6 first (or set it to default using update-alternatives if openjdk-6 is already installed).
* The attached patch will result in an uninstallable package for anyone who doesn't have the non-free repository enabled. This is everyone who went through the default installation process.
* Unattended installs of sun-java6 (think chef, puppet, et al.) are difficult at best because the package prompts for user acceptance of the license.
* If possible, we want to use the same packaging for all versions of Debian and derivatives, and there has been a lot of talk of removing the sun packages from archives.

I think it'd be better to simply document this at http://wiki.apache.org/cassandra/DebianPackaging and leave things as they are. If you disagree, feel free to reopen the report.

> suggest avoiding broken openjdk6 on Debian as build-dep
> -------------------------------------------------------
>
>                 Key: CASSANDRA-1575
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-1575
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Packaging
>         Environment: Debian lenny
>            Reporter: Peter Schuller
>            Assignee: Eric Evans
>            Priority: Minor
>             Fix For: 0.6.6, 0.7.0
>
>         Attachments: trunk-1575.txt, Trunk1575Test.java
>
>
> I ran into this myself and then today someone was reporting having the same
> problem on IRC; there is a packaging bug in openjdk6 in lenny:
>    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501487
> The effect is that when ant tries to download files over SSL, it fails
> complaining about:
>    "java.security.InvalidAlgorithmParameterException: the trustAnchors
> parameter must be non-empty"
> It turns out this works fine with the Sun JVM. I'm attaching a patch which
> makes Cassandra build on both lenny and squeeze; however, I am not sure
> whether other platforms may be negatively affected. The patch just requires
> an openjdk sufficiently new that the lenny openjdk won't qualify. If there
> are other platforms where we do want an older openjdk, this patch might break
> that.
> In addition, I removed the "java6-sdk" as a sufficient dependency because
> that resolved to openjdk-6-jdk on lenny.
> I think it's a good idea to consider changing this just to decrease the
> initial threshold of adoption for those trying to build from source.
> So: This does fix the build issue on lenny, and doesn't seem to break
> squeeze, but I cannot promise anything about e.g. ubuntu.
> For the record, I'm also attaching a small self-contained test case which,
> when run, tries to download one of the offending pom files. It can be used to
> easily test whether the SSL download will work with a particular JVM.