According to @emaldonado there are issues with JSS 4.5 on Debian:
Attached is a patch that could address these problems, but it may require further work.
<img alt="jss_build_check_depraction_and_support_debian_paths.patch" src="/jss/issue/raw/198c48f51b02103d6a1ea29396babbf57eb13642b7cf9c2c7915b3de3de7aa8b-jss_build_check_depraction_and_support_debian_paths.patch" />
Found some errors in the patch and needs a fix so it works in both debian 9 and fedora. This is still a work in progress.
<img alt="jss_build_check_deprecation_and_support_debian_paths.patch" src="/jss/issue/raw/files/5f2842222f64b40365f04df19eb0ed66f2f89143d457868405c1b21044cabb7e-jss_build_check_deprecation_and_support_debian_paths.patch" />
To build in debian I used: export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64 export USE_64=1 script -c 'make clean all' typescript.build Attached is the build log
<img alt="typescript.build" src="/jss/issue/raw/files/1383efaeb30dbe177393310930d2c428151eca052ca28258aab2457ec2835c82-typescript.build" />
and to run the jss tests execute script -c 'make test_jss' typescript.test
<img alt="typescript.test" src="/jss/issue/raw/files/b31595159f6fb44720ccbd52f6a8ce7f518214b10a9b1cce1e01bafad47514a5-typescript.test" />
One difference is that you'll see in patch is that the $classpath list for fedora we have both /usr/share/java/commons-codec.jar and /usr/share/java/apache-commons-codec.jar but in debian only the first one is listed as I wasn't able to install an apache2-common package. Perhaps the second has features that the first one lacks. This is worth investigating.
Thanks for the patch!
On Fedora, the apache-commons-codec.jar is actually a symlink to commons-codec.jar, so probably we can change the code to use commons-codec.jar such that the same path will work on both Fedora and Debian.
Metadata Update from @edewata: - Custom field component adjusted to None - Custom field feature adjusted to None - Custom field origin adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field type adjusted to None - Custom field version adjusted to None
Correction to previous comment: To build in debian I used: export BUILD4DEBIAN=1 export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64 export USE_64=1 script -c 'make clean all' typescript.build and if you want to enable deprecations checks add export CHECK_DEPRECATION=1 and the do script -c 'make clean all' typescript.build.deprecation (make sure the netscape ldap packages are installed) The build should succeed but with many warnings. Attached is what I got. It's worth comparing against the corresponding one on fedora.
<img alt="typescript.build.deprecation" src="/jss/issue/raw/files/6b4249cd1b104c383e082e4f43f89bff9d9c58a68a0b2adea564bb2b4fe54fa6-typescript.build.deprecation" />
The patch only covers build_java.pl but we also need to address classpath in the test script.
<img alt="all.pl.patch" src="/jss/issue/raw/files/76205f007ce9fd8c9798a1817515ab6487519cc35cce24643f0faaa847c3a59f-all.pl.patch" /> Some crude way of doing that. The tests still fail.
<img alt="typescript.test" src="/jss/issue/raw/files/154ca1b5c6b5ef91c67631caadfa287122ea6499862ecab5e65e6ce54659cb96-typescript.test" />
2/33 pass 31/33 fail and all failures are look like this ============= Setup DBs /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -d64 -cp /usr/share/java/slf4j-api.jar:/usr/share/java/slf4j-jdk14.jar:/usr/share/java/commons-lang.jar:/home/emaldonado/sandbox/dist/xpclass.jar org.mozilla.jss.tests.SetupDBs /home/emaldonado/sandbox/tests_results/jss/debian.15 passwords Jul 12, 2018 3:05:20 PM org.mozilla.jss.CryptoManager loadNativeLibraries INFO: 32-bit jss library loaded Exception in thread "main" java.lang.UnsatisfiedLinkError: org.mozilla.jss.CryptoManager.initializeAllNative2(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;ZLjava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;ZLjava/lang/String;Ljava/lang/String;ZZZZZZZZZZZ)V at org.mozilla.jss.CryptoManager.initializeAllNative2(Native Method) at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:437) at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:403) at org.mozilla.jss.tests.SetupDBs.main(SetupDBs.java:31) JSSTEST_CASE 2 (Setup DBs): FAILED return value 1
The code has been modified to allow the test to use the libjss4.so built in the working area instead of the one installed on the system:
Thank you Endi. Here is a merge of my two previous patches.
<img alt="support4debian.patch" src="/jss/issue/raw/files/bc3aaa4da064935c5120c6c84dfa46e36366a26e7e4fd69a4484ecc13a333741-support4debian.patch" />
All tests are passing.
Plan then do a pull request once I have tested more.
According to @emaldonado there are issues with JSS 4.5 on Debian: deprecation warnings causing build break To clarify the deprecation warnings do not cause a build break as long as one uses java jdk 8 which is what fedora, debian 9, and most linux distros use. I saw that because I was initially using linuxmint 19 that has jdk 11. Fedora won't upgrade to open-jdk 11 for another two years so you won't have to worry about it for quite some time. It's still a good practice to give the package maintainers the option to compile with the -xlint:deprecation flag in order to properly analyze such issues. incorrect path to some libraries That's the main issue to be addressed.
deprecation warnings causing build break To clarify the deprecation warnings do not cause a build break as long as one uses java jdk 8 which is what fedora, debian 9, and most linux distros use. I saw that because I was initially using linuxmint 19 that has jdk 11. Fedora won't upgrade to open-jdk 11 for another two years so you won't have to worry about it for quite some time. It's still a good practice to give the package maintainers the option to compile with the -xlint:deprecation flag in order to properly analyze such issues.
incorrect path to some libraries That's the main issue to be addressed.
I have tested the patch on fedora and debian and it's ready for review. When I file the pull request I will likely need a bit of hand-holding as I am a novice on the GitHub workflow. Let's chat online.
Fedora won't upgrade to open-jdk 11 for another two years so you won't have to worry about it ... Sooner than I though, see https://fedoraproject.org/wiki/Changes/java-11-openjdk-TechPreview This is beyond the scope of this ticket so I filed https://pagure.io/jss/issue/15 for that.
@edewata reviewed and pushed: https://github.com/dogtagpki/jss/pull/18
Warning: this is a rather long post to dump everything I have learned so far.
The JSS build fails with 4 errors and 100 deprecation warnings: $ grep error: typescript.build ./org/mozilla/jss/netscape/security/x509/RevocationReasonAdapter.java:20: error: package java.xml.bind.annotation.adapters does not exist ./org/mozilla/jss/netscape/security/x509/RevocationReasonAdapter.java:29: error: cannot find symbol ./org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.java:27: error: package javax.xml.bind is not visible ./org/mozilla/jss/tests/SymKeyDeriving.java:43: error: package sun.security.pkcs11.wrapper is not visible
Basically two errors: 1) error: javax.xml.bind is not visible and 2) error: package sun.security.pkcs11.wrapper is not visible
This what I have learned about the second one.
The debian folks had the same problems I had building jss when debian went to openjdk 9 a while back - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875589 Jdk 9 and forward jdk uses modules, packages belong to modules and can be made not public. More info on modules can be found at https://www.oracle.com/corporate/features/understanding-java-9-modules.html
This site https://fedoraproject.org/wiki/Changes/Java9TechPreview though now obsolete as it was meant for f27 has some good info on the HowToTest section that can be adapted to 10 which is available for Rawhide. For 10:
🔗 How To Test
Install java-10-openjdk Run (as root) 'alternatives --config java' and select the 10 version Run 'java -version' to ensure that it is correct
I did that on my Rawhide system.
They have added a nice tool to check for dependencies called jdeps. When I had opendk 8 as the one: $ jdeps -jdkinternals /usr/lib64/jss/jss4.jar jss4.jar -> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.172-14.b11.fc29.x86_64/jre/lib/ext/sunpkcs11.jar org.mozilla.jss.tests.SymKeyDeriving (jss4.jar) -> sun.security.pkcs11.wrapper.PKCS11Constants JDK internal API (sunpkcs11.jar)
Warning: JDK internal APIs are unsupported and private to JDK implementation that are subject to be removed or changed incompatibly and could break your application. Please modify your code to eliminate dependency on any JDK internal APIs. For the most recent update on JDK internal API replacements, please check: https://wiki.openjdk.java.net/display/JDK8/Java+Dependency+Analysis+Tool
Following the instructions made the TechPreviow the default:
$ sudo alternatives --config java [sudo] password for emaldonado:
There are 2 programs which provide 'java'.
1 java-openjdk.x86_64 (/usr/lib/jvm/java-10-openjdk-10.0.1.10-12.fc29.x86_64/bin/java) *+ 2 java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.172-14.b11.fc29.x86_64/jre/bin/java)
Enter to keep the current selection[+], or type selection number: 1 [emaldonado@localhost jss]$ sudo alternatives --config javac
There are 2 programs which provide 'javac'.
*+ 1 java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.172-14.b11.fc29.x86_64/bin/javac) 2 java-openjdk.x86_64 (/usr/lib/jvm/java-10-openjdk-10.0.1.10-12.fc29.x86_64/bin/javac)
Enter to keep the current selection[+], or type selection number: 2
After switching to the openjdk 10 reran the jdeps and got the same message.
Since the modules where introduced the sun.security.pkcs11.wrapper packageis wrapped by a module. The PKCS11Constants interface apparently were intended for the use on the SunPKCS11 JCE provider.
Looking at the code there is this comment * This is mainly the content of the 'pkcs11t.h' header file.
In that case nothing prevents the team from creating its own org.mozilla.jss.pkcs11.PKCS11Contants.java to export those constants to the rest of JSS - and possibly client code as well.
No tool to create a java interface from a header file so it would have to be done manually. Fortunately, the pkcs11 headers don't change frequently and we do have our pkcs11 working group representative that can alert the team when changes are approved and shipped.
My bad, that was meant for Ticket 15. Let me post it there.
I'm closing this as this is currently passing on master for Ubuntu, a Debian-like distribution: https://travis-ci.org/dogtagpki/jss/builds/439784990?utm_source=github_status&utm_medium=notification
master
Metadata Update from @cipherboy: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @cipherboy: - Issue assigned to edewata
Login to comment on this ticket.