Bug#578578: sun-java6: crypto policy configuration files violate Debian policy

2010-06-28 Thread Markus Hochholdinger
Hello,

I've now tested:
  sudo dpkg-divert --rename /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/local_policy.jar
  sudo dpkg-divert --rename /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/US_export_policy.jar
out of the README.Debian (6.20-dlj-4), but I tested this for Debian 5.0.4, so 
I had to use:
  dpkg-divert --rename /usr/lib/jvm/java-6-sun-1.6.0.12/jre/lib/security/local_policy.jar
  dpkg-divert --rename /usr/lib/jvm/java-6-sun-1.6.0.12/jre/lib/security/US_export_policy.jar

After aptitude safe-upgrade the directory /usr/lib/jvm/java-6-sun-1.6.0.12 
vanished and in /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/ the files 
from the debian package were used. My changed files "local_policy.jar" 
and "US_export_policy.jar" were deleted!

So I assume this "workaround" doesn't work if the version of java (like here 
1.6.0.12 to 1.6.0.20) changes.

(It's very dangerous because you notice the change only after the java vm is 
restarted. This can happen long after the upgrade of java, so the java 
developers will be puzzled what's suddenly wrong!)

Isn't it possible to put these two files in /etc/java-6-sun/security/ , like 
the file cacerts, and symlink? With this I'll be asked if I want to overwrite 
my changes or not, with cacerts this works very well!

Apropos configuration files in /etc, the file /etc/java-6-sun/security/cacerts 
doesn't seem to look well in vi, so I suppose local_policy.jar and 
US_export_policy.jar could be also there. Upstream - cacerts, 
local_policy.jar and US_export_policy.jar ARE in the same directory 
(lib/security/)!


-- 
greetings

eMHa
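
Added example, not part of the original message or of the package: a shell check an admin could run after upgrades to catch the situation described above, where a new versioned JRE directory arrives carrying the packaged policy jars. The reference directory holding the admin's copies and the function names are assumptions; the demo tree is constructed.

```shell
#!/bin/sh
# check_policy_jars REF_DIR JVM_ROOT
# REF_DIR: the admin's own copies of the two jars (assumed location).
# JVM_ROOT: directory containing the versioned JRE trees.
# Returns 0 if every JRE carries the admin's jars, 1 on drift, 2 if no JRE.
check_policy_jars() {
    ref_dir=$1
    jvm_root=$2
    found=0
    status=0
    for sec_dir in "$jvm_root"/*/jre/lib/security; do
        [ -d "$sec_dir" ] || continue
        found=1
        for jar in local_policy.jar US_export_policy.jar; do
            if [ ! -e "$sec_dir/$jar" ]; then
                echo "MISSING  $sec_dir/$jar"
                status=1
            elif cmp -s "$ref_dir/$jar" "$sec_dir/$jar"; then
                echo "OK       $sec_dir/$jar"
            else
                echo "REPLACED $sec_dir/$jar"
                status=1
            fi
        done
    done
    [ "$found" -eq 1 ] || { echo "NO-JRE   $jvm_root"; return 2; }
    return "$status"
}

# Constructed demo: replay the 1.6.0.12 -> 1.6.0.20 upgrade in a temp tree.
demo_upgrade() {
    tmp=$(mktemp -d) || return 3
    old=$tmp/jvm/java-6-sun-1.6.0.12/jre/lib/security
    new=$tmp/jvm/java-6-sun-1.6.0.20/jre/lib/security
    mkdir -p "$tmp/ref" "$old"
    for jar in local_policy.jar US_export_policy.jar; do
        echo "admin copy of $jar" > "$tmp/ref/$jar"   # placeholder bytes
        cp "$tmp/ref/$jar" "$old/$jar"
    done
    check_policy_jars "$tmp/ref" "$tmp/jvm" >/dev/null && before=0 || before=$?
    rm -rf "$tmp/jvm/java-6-sun-1.6.0.12"             # old tree vanishes
    mkdir -p "$new"
    for jar in local_policy.jar US_export_policy.jar; do
        echo "packaged $jar" > "$new/$jar"            # package default
    done
    check_policy_jars "$tmp/ref" "$tmp/jvm" && after=0 || after=$?
    rm -rf "$tmp"
    echo "before=$before after=$after"
}
demo_upgrade
```

Run right after the package manager finishes, a non-zero return flags the replaced jars before the next JVM restart does.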




Bug#578578: sun-java6: crypto policy configuration files violate Debian policy

2010-04-20 Thread moog
Torsten Werner wrote:
> thanks for your bug report and the patch but it is way more
> important to get the current version of sun-java6 into testing. We
> will fix the bug later.

Thanks very much, that will be great.


Sylvestre Ledru wrote:
> I am not sure to understand how archives can be considered as configuration 
> files ?!

I'm going by the definition in section 10.7.1 of the Debian Policy Manual.
Those two files specify the policy for cryptographic strength and are
intended to be replaceable by sysadmins who wish to alter this policy
from the restrictive default, so they meet the definition.


> By the way, could you explain what you set the severity to serious ? It
> does not seem a big issue here to me.

reportbug advised me to rate the bug as "serious" if "the problem is a
violation of a 'must' or 'required' directive" of Debian policy.  Section
10.7.2 of the policy manual says that any configuration files "must reside
in /etc", so this problem violates that rule.

Thanks for your consideration.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#578578: sun-java6: crypto policy configuration files violate Debian policy

2010-04-20 Thread Sylvestre Ledru
On Tuesday 20 April 2010 at 22:50 +0100, moog wrote:
> Package: sun-java6
> Version: 6.20-dlj-1
> Severity: serious
> Justification: Policy 10.7.2
> Tags: patch
> 
> local_policy.jar and US_export_policy.jar are configuration files
> according to Debian's definition, because as Sun's README explains,
> sysadmins in eligible countries are intended to replace these files
> with unlimited encryption strength versions if they wish.
I am not sure to understand how archives can be considered as configuration 
files ?!

By the way, could you explain what you set the severity to serious ? It
does not seem a big issue here to me.

Sylvestre








Bug#578578: sun-java6: crypto policy configuration files violate Debian policy

2010-04-20 Thread Torsten Werner
severity 578578 important
thanks

Hi,

thanks for your bug report and the patch but it is way more
important to get the current version of sun-java6 into testing. We
will fix the bug later.

Cheers,
Torsten






Bug#578578: sun-java6: crypto policy configuration files violate Debian policy

2010-04-20 Thread moog
Package: sun-java6
Version: 6.20-dlj-1
Severity: serious
Justification: Policy 10.7.2
Tags: patch

local_policy.jar and US_export_policy.jar are configuration files
according to Debian's definition, because as Sun's README explains,
sysadmins in eligible countries are intended to replace these files
with unlimited encryption strength versions if they wish.

These files should therefore be moved under /etc and symlinked to,
as has already been done with the other security files such as
java.security and java.policy.

Here is a suggested patch to debian/rules for achieving this:

-

diff -Nur sun-java6-6.20-dlj-1/debian/rules 
sun-java6-6.20-dlj-1.patched/debian/rules
--- sun-java6-6.20-dlj-1/debian/rules   2010-04-20 16:16:16.0 +0100
+++ sun-java6-6.20-dlj-1.patched/debian/rules   2010-04-20 21:15:23.0 
+0100
@@ -194,8 +194,6 @@
jre/lib/ext/dnsns.jar \
jre/lib/ext/localedata.jar \
jre/lib/jce.jar \
-   jre/lib/security/US_export_policy.jar \
-   jre/lib/security/local_policy.jar \
jre/lib/im/indicim.jar \
jre/lib/im/thaiim.jar \
jre/lib/charsets.jar \
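Review bot: The two jre/lib/security/*_policy.jar entries are dropped from this list without a comment saying why, while jre/lib/jce.jar stays in it. Since the second hunk moves these jars to $(d_jbin)/$(security), add a short comment at this list stating that the policy jars are handled as conffiles and are excluded on purpose, so a later maintainer does not put them back.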
@@ -531,7 +529,7 @@
$(d_jbin)/etc/$(jdiralias)/
: # TODO: why do we provide a custom font.properties.ja?
: # cp -p debian/font.properties.ja $(d_jbin)/etc/$(jdiralias)/.
-   -mv $(d_jbin)/$(basedir)/jre/lib/security/{java.*,cacerts} \
+   -mv $(d_jbin)/$(basedir)/jre/lib/security/{java.*,cacerts,*_policy.jar} 
\
$(d_jbin)/$(security)

: # create links for the conffiles
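Review bot: The new *_policy.jar wildcard in the -mv line matches any file with that suffix, and the leading "-" makes make ignore a failed mv, so a build in which the jars are not moved still succeeds and the package ships without them in $(security). Name local_policy.jar and US_export_policy.jar explicitly and let a failed move stop the build. Also confirm that the "create links for the conffiles" step that follows creates links for these two jars, since this patch does not change it.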

-

Thanks very much.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash


