Le 12/10/2017 à 11:58, Emmanuel Bourg a écrit : > 2. ca-certificates-java still generates a keystore from the Debian > certificates but with a different name (cacerts-debian for example). > 3. Patch openjdk to use cacerts-debian in priority if it exists, and > default to cacerts otherwise.
Another thought: maybe we could use a symlink managed by the alternatives system instead of patching OpenJDK to look for cacerts-debian. This would be even better since some Java applications may open cacerts directly from its path, and since they are unlikely to know about cacerts-debian they would load the wrong keystore. Emmanuel Bourg