[Bug 2141785] Re: [SRU] openjdk-25-jre-headless in jammy depends on openjdk-11

Wed Mar 25 15:30:11 UTC 2026

This bug was fixed in the package ca-certificates-java -
20190909ubuntu1.3

---------------
ca-certificates-java (20190909ubuntu1.3) jammy; urgency=medium

  * d/control: ca-certificates-java should not install default-jre-headless
    when openjdk-25-jre-headless is installed (LP: #2141785).
    This change is relevant only for Ubuntu 22.04 - ca-certificates-java
    no longer depend on Java runtime.
    - d/{postinst,jks-keystore.hook}: add openjdk-25 to the supported versions,
      add jvm configuration workaround.
    - d/t/can-install-jre: check that only one jre is installed.

 -- Vladimir Petko <vladimir.petko at canonical.com>  Mon, 16 Feb 2026
11:12:45 +1300

** Changed in: ca-certificates-java (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openjdk-25 in Ubuntu.
https://bugs.launchpad.net/bugs/2141785

Title:
  [SRU] openjdk-25-jre-headless in jammy depends on openjdk-11

Status in ca-certificates-java package in Ubuntu:
  Invalid
Status in openjdk-25 package in Ubuntu:
  Invalid
Status in ca-certificates-java source package in Jammy:
  Fix Released
Status in ca-certificates-java source package in Noble:
  Invalid
Status in ca-certificates-java source package in Questing:
  Invalid
Status in ca-certificates-java source package in Resolute:
  Invalid

Bug description:
  [ Impact ]

  In an otherwise clean machine (e.g. docker run ubuntu:jammy), `apt
  install openjdk-25-jre-headless` will also install openjdk-11-jre-
  headless. This is undesirable because openjdk-11 is end-of-life.

  The openjdk-17-jre-headless and openjdk-21-jre-headless packages do
  not exhibit this problem.

  The issue seems to be the dependency chain in which openjdk-25-jre-
  headless has Depends: ca-certificates-java, ca-certificates-java has
  Depends: default-jre-headless | java8-runtime-headless, and default-
  jre-headless has Depends: openjdk-11-jre-headless

  openjdk-17 and openjdk-21 both have provides: java8-runtime-headless, and satisfy ca-certificates-java in that way.
  Provides: java-runtime-headless (= 21), [... many javaN-runtime-headless ...], java8-runtime-headless

  So they can satisfy the `| java8-runtime-headless` branch of ca-
  certificates-java, and apt ends up installing only the requested
  openjdk version..

  But openjdk-25-jre-headless has only `Provides: java-runtime-headless
  (= 25)` and none of the other individual entries.

  These changes seem to be intentional on the debian side, see
  https://salsa.debian.org/openjdk-
  team/openjdk/-/commit/2fa0698ece274ae9e1539b5fa2289a59d332c6b3. And
  ca-certificates likewise dropped the depends entry in
  https://salsa.debian.org/java-team/ca-certificates-
  java/-/commit/ff1821043d4cd3fc8e4d5a49bed9304135a479e6

  But the security backport of openjdk-25-jre-headless is not consistent
  with the version of ca-certificates-java in jammy.

  The updated ca-certificates-java in jammy need to depend on java-
  runtime-headless (>=8) to be compatible with openjdk-25.

  ca-certificates-java in noble and up do not depend on Java runtime and
  are not affected.

  [ Test Plan ]

   * `can-install-jre` autopkgtest tests that only one jre package is installed.
   * The same test can be performed manually in Jammy chroot/vm:
     $ apt install openjdk-25-jdk
     ...
     $ apt list | grep openjdk-

     Check that only openjdk-25 packages are installed.

  [ Where problems could occur ]

   The package still depends on Java runtime and has a race condition
  with jre installation. In the past we have added workarounds, e.g.
  https://bugs.launchpad.net/ubuntu/+source/ca-certificates-
  java/+bug/2019908 to allow partially installed jre package execute
  certificate import.

  OpenJDK autopkgtests test Java installation so this mitigates the risk, but we will still have to do ca-certificates-java SRUs and users will occasionally get installation errors:
  https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-vpa1977-ca-certificates-java/jammy/armhf/c/ca-certificates-java/20260219_192736_7cf50@/log.gz

  The permanent solution will be backporting Noble package, but this
  will require an additional upload for openjdk-18 which was not updated
  for the new ca-certificates-java.

  [ Other Info ]

  n/a

  [ Original Description: ]