Bug#825730: ca-certificates: using --noawait triggers breaks downloader packages

2017-01-20 Thread Andreas Beckmann
Followup-For: Bug #825730
Control: found -1 20141019+deb8u2

Hi,

the fix that was backported to jessie is incomplete.
update-ca-certificates in jessie does not know about the --hooksdir
option, therefore the call that was added in the postinst is a no-op
that just prints the usage and initial update of /etc/ssl/certs is
still deferred to the hooks:

  Selecting previously unselected package ca-certificates.
  Preparing to unpack .../ca-certificates_20141019+deb8u2_all.deb ...
  Unpacking ca-certificates (20141019+deb8u2) ...
  Setting up ca-certificates (20141019+deb8u2) ...
  /usr/sbin/update-ca-certificates: [--verbose] [--fresh]
  Processing triggers for ca-certificates (20141019+deb8u2) ...
  Updating certificates in /etc/ssl/certs... 174 added, 0 removed; done.
  Running hooks in /etc/ca-certificates/update.ddone.

Looks like you need to backport some more commits to get the --hooksdir
option for update-ca-certificates into jessie, too.

At least this one (but I didn't test whether this is sufficient):

  fd660d3 Allow customisation of the paths used by update-ca-certificates


Andreas
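
The failure mode reported in the message above (the postinst call prints usage, and /etc/ssl/certs stays empty until the trigger runs), as an added example that is not part of the thread or of the ca-certificates package. The two updater stubs, `populate_and_verify`, `write_bundle` and `CERTSDIR` are hypothetical names; the old stub's exit status of 0 is an assumption.

```shell
#!/bin/sh
# Constructed demo: everything lives in a temp dir, /etc/ssl/certs is untouched.
CERTSDIR=$(mktemp -d)/certs   # hypothetical stand-in for /etc/ssl/certs

write_bundle() {
    mkdir -p "$CERTSDIR"
    echo "constructed placeholder bundle" > "$CERTSDIR/ca-certificates.crt"
}

# Stub modelled on the jessie log above: an unknown option only prints usage
# and nothing is updated. Exit status 0 is an assumption.
updater_old() {
    for arg in "$@"; do
        case "$arg" in
            --verbose|--fresh) ;;
            *) echo "update-ca-certificates: [--verbose] [--fresh]"; return 0 ;;
        esac
    done
    write_bundle
}

# Stub for a version that accepts --hooksdir DIR (an empty DIR means no hooks).
updater_new() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --hooksdir) shift ;;          # consume the option's value
            --verbose|--fresh) ;;
            *) echo "usage error"; return 0 ;;
        esac
        shift
    done
    write_bundle
}

# Call the updater the way the patched postinst does, then check the result
# on disk instead of trusting the exit status.
populate_and_verify() {
    rm -rf "$CERTSDIR"
    "$1" --hooksdir "" >/dev/null
    [ -s "$CERTSDIR/ca-certificates.crt" ]
}

for u in updater_old updater_new; do
    if populate_and_verify "$u"; then
        echo "$u: CA bundle present after postinst-style call"
    else
        echo "$u: no CA bundle yet, a downloader postinst would find none"
    fi
done
```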



Bug#825730: ca-certificates: using --noawait triggers breaks downloader packages

2016-11-18 Thread Michael Shuler
Stable update requested! Thanks again for the report, Andreas.

https://bugs.debian.org/844746
"jessie-pu: package ca-certificates/20141019+deb8u2"

-- 
Kind regards,
Michael Shuler





Bug#825730: ca-certificates: using --noawait triggers breaks downloader packages

2016-09-16 Thread Michael Shuler
On 09/11/2016 03:48 AM, Andreas Beckmann wrote:
> The fix is quite easy: we just need to run update-ca-certificates
> *without* processing the hooks during postinst configure:
> 
> update-ca-certificates --hooksdir ""

Thanks Andreas! I'll test this out as soon as I can.

> This should be backported to stable, too.

I have a pending stable upload after the next unstable, so as long as
test install works and this fits for stable-updates policy, I don't see
a problem with that.

-- 
Kind regards,
Michael



Bug#825730: ca-certificates: using --noawait triggers breaks downloader packages

2016-09-11 Thread Andreas Beckmann
Followup-For: Bug #825730
Control: tag -1 patch

The fix is quite easy: we just need to run update-ca-certificates
*without* processing the hooks during postinst configure:

update-ca-certificates --hooksdir ""

This should be backported to stable, too.


Andreas
From 1d989acd2c53a9242845a6fe84e2a97098e1b256 Mon Sep 17 00:00:00 2001
From: Andreas Beckmann 
Date: Sun, 11 Sep 2016 10:26:10 +0200
Subject: [PATCH] initially populate /etc/ssh/certs during postinst configure

run update-ca-certificates without hooks
(which are deferred to the noawait trigger)
---
 debian/changelog | 6 ++
 debian/postinst  | 7 +--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index ffd5c73..46e8ed3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -23,6 +23,12 @@ ca-certificates (20160816) unstable; urgency=medium
 Update to Standards-Version: 3.9.8
 Update to Vcs-Browser/Vcs-Git: https URLs
 
+  [ Andreas Beckmann ]
+  * debian/postinst:
+Run update-certificates without hooks to initially populate
+/etc/ssl/certs.  (The hooks are deferred to the noawait trigger.)
+(Closes: #825730)
+
  -- Michael Shuler   Tue, 16 Aug 2016 21:50:14 -0500
 
 ca-certificates (20160104) unstable; urgency=medium
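Review bot: The added changelog entry names the command as "update-certificates", while the postinst hunk of the same patch calls update-ca-certificates; the entry should use the real command name. The patch subject also says /etc/ssh/certs where this entry and the postinst comments say /etc/ssl/certs, so the subject line wants the same correction before this is committed.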
diff --git a/debian/postinst b/debian/postinst
index f7ef7f4..21586bb 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -138,13 +138,16 @@ EOF
 	-e 's/^[[:space:]]*1[[:space:]]*/!/' \
 	>> /etc/ca-certificates.conf
 	fi
+	# update /etc/ssl/certs without running the hooks
 	# fix bogus symlink to ca-certificates.crt on upgrades; see
 	# Debian #643667; drop after wheezy
 	if dpkg --compare-versions "$2" lt-nl 20111025; then
-	dpkg-trigger --no-await update-ca-certificates-fresh
+	update-ca-certificates --hooksdir "" --fresh
 	else
-	dpkg-trigger --no-await update-ca-certificates
+	update-ca-certificates --hooksdir ""
 	fi
+	# deferred update of /etc/ssl/certs including running the hooks
+	dpkg-trigger --no-await update-ca-certificates
 ;;
 
 triggered)
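Review bot: Both new synchronous calls in the configure branch pass --hooksdir "", so the change only works where update-ca-certificates accepts that option, and the hunk neither checks for it nor verifies afterwards that /etc/ssl/certs was populated. The 2017-01-20 follow-up in this thread reports that the jessie script just prints its usage when called this way, so the option needs to be confirmed (or backported) for every release this goes to. As a smaller point, the new comment "# update /etc/ssl/certs without running the hooks" sits above the older "fix bogus symlink" comment rather than next to the calls it describes.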
-- 
2.9.3



Bug#825730: ca-certificates: using --noawait triggers breaks downloader packages

2016-08-16 Thread Michael Shuler
The ca-certificates triggers were added to deal with
installation/upgrade problems in https://bugs.debian.org/537051

Do you have a suggested patch that also properly handles the issues
presented in #537051? I would suggest that downloader packages possibly
might pre-depend on ca-certificates, if that is required by the
download, as a possible fix. I'm not sure if the trigger runs to
completion first, as a pre-depend package.

-- 
Kind regards,
Michael



Bug#825730: ca-certificates: using --noawait triggers breaks downloader packages

2016-05-29 Thread Andreas Beckmann
Package: ca-certificates
Version: 20160104
Severity: important
User: debian...@lists.debian.org
Usertags: piuparts
Control: found -1 20141019+deb8u1
Control: affects -1 + google-android-build-tools-installer

Hi,

ca-certificates.postinst activates the update-ca-certificates trigger
with --noawait. This breaks downloader packages that are configured in
the same run as (an initial install of) ca-certificates because
/etc/ssl/certs is not set up at the time the downloader-pkg.postinst
runs even though it Depends: ca-certificates.

In a minimal (piuparts) sid:i386 chroot with main+contrib:
# apt-get install google-android-build-tools-installer
Reading package lists... Done
Building dependency tree... Done
The following additional packages will be installed:
  ca-certificates libffi6 libgmp10 libgnutls30 libhogweed4 libicu55 libidn11 
libnettle6 libp11-kit0 libpsl0 libssl1.0.2 libtasn1-6 make openssl unzip wget
Suggested packages:
  gnutls-bin make-doc zip
Recommended packages:
  publicsuffix
The following NEW packages will be installed:
  ca-certificates google-android-build-tools-installer libffi6 libgmp10 
libgnutls30 libhogweed4 libicu55 libidn11 libnettle6 libp11-kit0 libpsl0 
libssl1.0.2 libtasn1-6 make openssl unzip wget
0 upgraded, 17 newly installed, 0 to remove and 1 not upgraded.
Need to get 114 kB/13.4 MB of archives.
After this operation, 47.6 MB of additional disk space will be used.
Get:1 http://ftp.de.debian.org/debian sid/main i386 libidn11 i386 1.32-3 [114 
kB]
Fetched 114 kB in 0s (0 B/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libssl1.0.2:i386.
(Reading database ... 7239 files and directories currently installed.)
Preparing to unpack .../libssl1.0.2_1.0.2h-1_i386.deb ...
Unpacking libssl1.0.2:i386 (1.0.2h-1) ...
Selecting previously unselected package libgmp10:i386.
Preparing to unpack .../libgmp10_2%3a6.1.0+dfsg-2_i386.deb ...
Unpacking libgmp10:i386 (2:6.1.0+dfsg-2) ...
Selecting previously unselected package libnettle6:i386.
Preparing to unpack .../libnettle6_3.2-1_i386.deb ...
Unpacking libnettle6:i386 (3.2-1) ...
Selecting previously unselected package libhogweed4:i386.
Preparing to unpack .../libhogweed4_3.2-1_i386.deb ...
Unpacking libhogweed4:i386 (3.2-1) ...
Selecting previously unselected package libidn11:i386.
Preparing to unpack .../libidn11_1.32-3_i386.deb ...
Unpacking libidn11:i386 (1.32-3) ...
Selecting previously unselected package libffi6:i386.
Preparing to unpack .../libffi6_3.2.1-4_i386.deb ...
Unpacking libffi6:i386 (3.2.1-4) ...
Selecting previously unselected package libp11-kit0:i386.
Preparing to unpack .../libp11-kit0_0.23.2-3_i386.deb ...
Unpacking libp11-kit0:i386 (0.23.2-3) ...
Selecting previously unselected package libtasn1-6:i386.
Preparing to unpack .../libtasn1-6_4.8-1_i386.deb ...
Unpacking libtasn1-6:i386 (4.8-1) ...
Selecting previously unselected package libgnutls30:i386.
Preparing to unpack .../libgnutls30_3.4.12-2_i386.deb ...
Unpacking libgnutls30:i386 (3.4.12-2) ...
Selecting previously unselected package libicu55:i386.
Preparing to unpack .../libicu55_55.1-7_i386.deb ...
Unpacking libicu55:i386 (55.1-7) ...
Selecting previously unselected package libpsl0:i386.
Preparing to unpack .../libpsl0_0.11.0-2_i386.deb ...
Unpacking libpsl0:i386 (0.11.0-2) ...
Selecting previously unselected package wget.
Preparing to unpack .../wget_1.17.1-2_i386.deb ...
Unpacking wget (1.17.1-2) ...
Selecting previously unselected package openssl.
Preparing to unpack .../openssl_1.0.2h-1_i386.deb ...
Unpacking openssl (1.0.2h-1) ...
Selecting previously unselected package ca-certificates.
Preparing to unpack .../ca-certificates_20160104_all.deb ...
Unpacking ca-certificates (20160104) ...
Selecting previously unselected package make.
Preparing to unpack .../archives/make_4.1-9_i386.deb ...
Unpacking make (4.1-9) ...
Selecting previously unselected package unzip.
Preparing to unpack .../archives/unzip_6.0-20_i386.deb ...
Unpacking unzip (6.0-20) ...
Selecting previously unselected package google-android-build-tools-installer.
Preparing to unpack .../google-android-build-tools-installer_23.0.2.1_i386.deb 
...
Unpacking google-android-build-tools-installer (23.0.2.1) ...
Processing triggers for libc-bin (2.22-9) ...
Setting up libssl1.0.2:i386 (1.0.2h-1) ...
Setting up libgmp10:i386 (2:6.1.0+dfsg-2) ...
Setting up libnettle6:i386 (3.2-1) ...
Setting up libhogweed4:i386 (3.2-1) ...
Setting up libidn11:i386 (1.32-3) ...
Setting up libffi6:i386 (3.2.1-4) ...
Setting up libp11-kit0:i386 (0.23.2-3) ...
Setting up libtasn1-6:i386 (4.8-1) ...
Setting up libgnutls30:i386 (3.4.12-2) ...
Setting up libicu55:i386 (55.1-7) ...
Setting up libpsl0:i386 (0.11.0-2) ...
Setting up wget (1.17.1-2) ...
Setting up openssl (1.0.2h-1) ...
Setting up ca-certificates (20160104) ...
Setting up make (4.1-9) ...
Setting up unzip (6.0-20) ...
Setting up google-android-build-tools-installer (23.0.2.1) ...
make: Entering directory