On 30/09/2017 at 17:09, Thorsten Glaser wrote:
> IMHO consistency within Debian is *much* more important.
>
> I would be seriously fucked off if I could connect to a host
> using something like wget but not a Java™ application, after
> installing the custom CA into /etc/ssl/certs or similar, or
> even with the defaults.

Similarly I would be seriously fucked off if the application I developed on another OS would behave differently once deployed on my Debian server with the same version of Java ;)

Both use cases are valid I think, maybe we could have it both ways with something like this:

1. Let the openjdk package build and install its own cacerts file.
2. ca-certificates-java still generates a keystore from the Debian certificates but with a different name (cacerts-debian for example).
3. Patch openjdk to use cacerts-debian in priority if it exists, and default to cacerts otherwise.
4. Downgrade ca-certificates-java to a suggested or recommended dependency of openjdk-*-jre-headless.

This way ca-certificates-java becomes optional, and installing it forces the JRE to use the Debian certificates. This would also get rid of the circular dependency.

Emmanuel Bourg