ca-certificates-java (20240118) unstable; urgency=medium

  [ Vladimir Petko ]
  * d/rules: Use java_compat_level variable provided by java-common to
    adjust -source/-target level to the minimum required by the default
    Java. Closes: #1057495.
  * Do not try to run foreign architecture java. Closes: #1043247.

  [ Matthias Klose ]
  * Build-depend on java-common.
  * debian/tests: Don't hardcode JREs and JDKs. Closes: #1057696.

 -- Matthias Klose <doko@debian.org>  Thu, 18 Jan 2024 10:40:28 +0100

ca-certificates-java (20230710) unstable; urgency=medium

  * Add apt-utils to the test dependencies.

 -- Matthias Klose <doko@debian.org>  Mon, 10 Jul 2023 09:59:59 +0200

ca-certificates-java (20230707) unstable; urgency=medium

  [ Vladimir Petko ]
  * Resolve circular JRE dependency:
    - debian/ca-certificates-java.postinst: remove setup_path from "configure"
      stage.
    - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
      not found. Certificates are refreshed only in response to the trigger
      activated by OpenJDK packages.
    - debian/ca-certificates-java.postinst: fix cacert enumeration command for
      Java 8.
    - debian/control: remove JRE dependency.
    - debian/control: add Breaks condition.
    - debian/tests: add smoke tests.
    - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
      explicitly declare triggers as -await.

  [ Matthias Klose ]
  * Adjust the breaks for Debian versions.

 -- Matthias Klose <doko@debian.org>  Fri, 07 Jul 2023 11:13:17 +0200

ca-certificates-java (20230620) unstable; urgency=medium

  [ Matthias Klose ]
  * Bump standards version.
  * Build-depend on default-jdk-headless instead of default-jdk.

  [ Vladimir Petko ]
  * d/ca-certificates-java.postinst: Work-around not yet configured jre.

 -- Matthias Klose <doko@debian.org>  Tue, 20 Jun 2023 06:09:44 +0200

ca-certificates-java (20230103) unstable; urgency=medium

  * Promote again the JRE recommendation to a dependency. Otherwise
    non-default OpenJDK versions are uninstallable.

 -- Matthias Klose <doko@debian.org>  Tue, 03 Jan 2023 09:10:44 +0100

ca-certificates-java (20220719) unstable; urgency=medium

  [ Andreas Beckmann ]
  * Team upload.
  * Switch to debhelper-compat (= 13).
  * Set Rules-Requires-Root: no.
  * UpdateCertificates.java: Ignore empty lines in stdin.  (Closes: #795244)
  * Avoid warning about missing /etc/ssl/certs/java/cacerts on initial
    install.
  * Do not be satisfied by java7-runtime-headless.
  * Remove support for upgrading from versions predating wheezy.
  * Clean up misplaced symlinks in the root directory left over by ancient
    versions.  (Closes: #688415)
  * Drop libnss3 manipulations, no longer needed since openjdk-6-jre-headless
    at least.
  * Add update-ca-certificates-java trigger and let jks-keystore record the
    pending certificate updates and postpone them to the processing of this
    trigger.  (Closes: #908858)
  * Add update-ca-certificates-java-fresh trigger, will be activated by
    update-ca-certificates -f.  (Closes: #922981)
  * Remove obsolete certificates when building a fresh cacerts file.
    (Closes: #767272)
  * Bump ca-certificates dependency to 20210120.
  * Skip Java certificates setup if no JRE is available.
  * Add trigger on /usr/lib/jvm to perform Java certificates setup if a JRE
    becomes available.
  * Demote JRE dependency to Recommends to break dependency cycle.
    (Closes: #929685, #940297)
  * Foreign architecture JREs that place java in PATH are also usable.
    (Closes: #776860, #864331)

  [ Matthias Klose ]
  * Support Java 18-21. Closes: #994152.
  * Bump Standards-Version to 4.6.0.

 -- Matthias Klose <doko@debian.org>  Tue, 19 Jul 2022 16:02:33 +0200

ca-certificates-java (20190909) unstable; urgency=medium

  * Team upload.
  * Removed the ${nss:Depends} substvar
  * Removed the @NSS_LIB@ template parameter
  * Removed the now unused ${jre:Depends} substvar
  * Build with the DH sequencer
  * Standards-Version updated to 4.4.0

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 09 Sep 2019 11:56:28 +0200

ca-certificates-java (20190405) unstable; urgency=medium

  * Team upload.
  * Support Java 12-17 (Closes: #925431)

 -- Jochen Sprickerhof <jspricke@debian.org>  Fri, 05 Apr 2019 14:56:54 +0200

ca-certificates-java (20190214) unstable; urgency=medium

  * Team upload.
  * Declare compliance with Debian Policy 4.3.0.
  * ca-certificates-java: Depend on default-jre-headless to avoid a circular dependency on
    a specific OpenJDK package. (Closes: #864657, #910138)

 -- Markus Koschany <apo@debian.org>  Thu, 14 Feb 2019 22:21:15 +0100

ca-certificates-java (20180516) unstable; urgency=medium

  * Team upload.

  [ Tiago Stürmer Daitx ]
  * debian/jks-keystore.hook.in: don't create a jvm-*.cfg file, a default file
    with the right configuration is already supplied by the openjdk packages.
  * debian/jks-keystore.hook.in, debian/postinst.in: Only export JAVA_HOME
    and update PATH if a known jvm was found.
  * debian/postinst.in: Detect PKCS12 cacert keystore generated by
    previous ca-certificates-java and convert them to JKS. (Closes: #898678)
    (LP: #1771363)

  [ Matthias Klose ]
  * debian/rules: Explicitly depend on openjdk-11-jre-headless, needed to
    configure.

  [ Emmanuel Bourg ]
  * Use salsa.debian.org Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 16 May 2018 23:00:38 +0200

ca-certificates-java (20180413) unstable; urgency=medium

  * Team upload.
  * Always generate a JKS keystore instead of using the default format
    (Closes: #894979)
  * Look for Java 10 and Java 11 when detecting the JRE
  * Removed Damien Raude-Morvan from the uploaders (Closes: #889412)
  * Standards-Version updated to 4.1.4
  * Switch to debhelper level 11

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 13 Apr 2018 14:15:39 +0200

ca-certificates-java (20170930) unstable; urgency=medium

  * Team upload.
  * Revert the last two NMUs.
    - Depend again on openjdk-8 after the stretch release. (Closes: #863803)
    - Stop fiddling around with jvm-*.cfg files. ca-certificates-java
      has no business with providing an initial cacerts file. This is
      implemented in the openjdk packages. We are not 2008 anymore.
      (Closes: #912187)
  * Bump standards version.
  * Remove Torsten Werner as uploader.

 -- Matthias Klose <doko@debian.org>  Sat, 30 Sep 2017 02:02:28 +0200

ca-certificates-java (20170929) unstable; urgency=low

  [ Gianfranco Costamagna ]
  * Team upload.
  * Ack previous NMU, thanks

  [ Rico Tzschichholz ]
  * Fix temporary jvm-*.cfg generation on armhf (Closes: #874276)
    - the armhf installation path is different from other architectures.

 -- Rico Tzschichholz <ricotz@ubuntu.com>  Wed, 27 Sep 2017 17:17:59 +0200

ca-certificates-java (20170531+nmu1) unstable; urgency=high

  * Non-maintainer upload.
  * Revert to depending on openjdk-7 instead of openjdk-8, since this triggers
    a failure to dist-upgrade, due to the triggers loop (See: #864597). The
    openjdk-7 package was dropped from stretch, but the java7-runtime-headless
    alternative dependency is satisfied by openjdk-8.

 -- Cyril Brulebois <kibi@debian.org>  Thu, 15 Jun 2017 17:33:00 +0200

ca-certificates-java (20170531) unstable; urgency=medium

  * Team upload.
  * Depend on openjdk-8 instead of openjdk-7 (Closes: #863803)
  * Moved the package to Git

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 31 May 2017 15:02:23 +0200

ca-certificates-java (20161107) unstable; urgency=medium

  * Team upload.
  * postinst: Use exit trap instead of if condition to not fail silently
    (e.g. in case the java binary is not found) (Closes: #822201)
  * Bump Standards-Version to 3.9.8 (no changes)

 -- Benjamin Drung <benjamin.drung@profitbricks.com>  Mon, 07 Nov 2016 13:45:23 +0100

ca-certificates-java (20160321) unstable; urgency=medium

  * Team upload.
  * Drop support for obsolete Java 6 (Closes: #776897, #816541)
  * Add support for Java 8 and 9 (Closes: #775775)
  * Bump Standards-Version to 3.9.7 (no changes)
  * Use secure HTTPS URI for Vcs-Browser

 -- Benjamin Drung <benjamin.drung@profitbricks.com>  Mon, 21 Mar 2016 14:34:49 +0100

ca-certificates-java (20140324) unstable; urgency=medium

  * Team upload.
  * Fixed a test failure caused by the removal of the CAcert.org root
    certificate from the ca-certificates package (Closes: #741755)
  * Limit the memory used by java to 64M when updating the certificates
    (Closes: #576453)
  * Mavenized the project
  * Code refactoring
  * d/control: Standards-Version updated to 3.9.5 (no changes)
  * Switch to debhelper level 9

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 24 Mar 2014 09:42:08 +0100

ca-certificates-java (20130815) unstable; urgency=low

  * Acknowledge NMU done by Don Armstrong and Andreas Beckmann.
  * Fix tests to works with new cacert certificates names (Closes:
    #713138).
  * d/control: Use canonical value for Vcs-* fields.
  * d/control: Remove deprecated DMUA flag.
  * d/control: Bump Standards-Version to 3.9.4 (no changes needed).

 -- Damien Raude-Morvan <drazzib@debian.org>  Thu, 15 Aug 2013 13:52:46 +0200

ca-certificates-java (20121112+nmu2) unstable; urgency=medium

  * Non-maintainer upload.
  * postinst, jks-keystore.hook: Do not fail if nss.cfg does not (yet) exist,
    i.e. if openjdk-?-jre-headless is unpacked but not yet configured.
    (Closes: #694888)
  * Set urgency to medium for RC bugfix.

 -- Andreas Beckmann <anbe@debian.org>  Sun, 27 Jan 2013 14:19:41 +0100

ca-certificates-java (20121112+nmu1) unstable; urgency=low

  * Non-maintainer upload
  * Fix test for dpkg-query in postinst; there was an extraneous --version
    here. [Probably don't even need to bother to check for dpkg-query, but
    why not.] (Closes: #690204)
  * Library path for softokn3pkg and nsspkg is potentially wrong if there
    are multiple different paths; fix it.
  * Do not run the hook if ca-certificates-java has been removed but not
    purged.
  * Use the new trigger support provided by ca-certificates (>=20121114).

 -- Don Armstrong <don@debian.org>  Mon, 12 Nov 2012 15:45:50 -0800

ca-certificates-java (20120721) unstable; urgency=low

  * Fix jks-keystore and postinst to work on multi-arch system.
    Use dpkg-query -L package:arch. (Closes: #680618).
  * As libnss3-1d is a transitional package on both Debian and Ubuntu,
    upgrade Depends to use libnss3.

 -- Damien Raude-Morvan <drazzib@debian.org>  Sat, 21 Jul 2012 01:06:32 +0200

ca-certificates-java (20120608) unstable; urgency=low

  [ James Page ]
  * Switch primary JRE dependency from openjdk-6 to openjdk-7 to support
    demotion of openjdk-6 to universe in Ubuntu:
    - d/control, rules: Generate primary JRE dependency at build time to
      allow differentiation between Ubuntu and Debian.
  * Added myself to uploaders.

  [ Damien Raude-Morvan ]
  * Update to unstable.
  * Set DMUA flag for James Page.

 -- James Page <james.page@ubuntu.com>  Fri, 08 Jun 2012 09:44:58 +0100

ca-certificates-java (20120603) unstable; urgency=low

  * Use javahelper as buildsystem:
    - d/control: Add Build-Depends on javahelper.
    - d/rules: Use jh_build to call javac.
  * Create a testsuite for this package:
    - Refactor UpdateCertificates code to send exceptions instead of
      System.exit(1).
    - New testsuite: UpdateCertificatesTest.
    - d/control: Build-Depends on junit4.
    - d/rules: Launch junit after build and handle "nocheck" option in
      DEB_BUILD_OPTIONS.

 -- Damien Raude-Morvan <drazzib@debian.org>  Sun, 03 Jun 2012 12:10:26 +0200

ca-certificates-java (20120524) unstable; urgency=low

  [ Marc Deslauriers ]
  * debian/preinst, debian/postinst: remove the 20110912ubuntu1 work-around
    since it is no longer needed.
  * debian/postinst: don't put a symlink in / if jvm doesn't contain nss
    configuration. (Closes: #665754, #665749).
  * debian/postinst: force migration to new alias names again. The
    migration was supposed to occur on upgrades to Oneiric, but failed
    because of an NSS error.
  * debian/postinst: forcibly remove diginotar cert. It could be left
    behind under certain circumstances. (LP: #920758)
  * debian/postinst: also look for jvm in multiarch locations (LP: #962378)
  * debian/postinst: retrigger first_install to properly get cert store.

  [ James Page ]
  * d/rules: Ensure java is built with source/target == 1.6 for backwards
    compatibility with openjdk-6.

  [ Damien Raude-Morvan ]
  * Sync handling of nss.cfg between debian/jks-keystore.hook.in and
    debian/postinst.in.
  * Merge changes from Ubuntu (Thanks to James Page and Marc Deslauriers).
  * Improve handling of certificate with UTF-8 filenames:
    - UpdateCertificates: Force read System.in with UTF-8
    - debian/postinst: Set LC_CTYPE to C.UTF-8

 -- Damien Raude-Morvan <drazzib@debian.org>  Tue, 22 May 2012 23:41:41 +0200

ca-certificates-java (20120225) unstable; urgency=low

  [ Steve Langasek ]
  * debian/jks-keystore.hook: If we *don't* find libnss3 / libnss3-1d,
    don't remove files from the filesystem in do_cleanup(),
    since this has a nasty tendency of nuking system libraries.
    LP: #855171.
  * debian/preinst, debian/postinst: when upgrading from version
    20110912ubuntu1, disable the buggy hook script early to prevent it from
    being run before our new version is configured; and re-enable the script
    in the postinst.  LP: #855246.

  [ Matthias Klose ]
  * Mark as Multi-Arch: foreign.
  * Adjust the libnss3-1d versioned dependency.

  [ Damien Raude-Morvan ]
  * Add myself to Uploaders.
  * Use dh_gencontrol and dpkg-vendor to allow:
    - New substvar ${nss:Depends} for libnss3-1d versionning.
    - New @NSS_LIB@ parameter for debian/*.in files.
  * Bump Standards-Version to 3.9.3:
    - Add recommended build-arch / build-indep targets.

 -- Damien Raude-Morvan <drazzib@debian.org>  Sat, 25 Feb 2012 15:06:32 +0100

ca-certificates-java (20111223) unstable; urgency=low

  * Support new multiarch JRE packages in postinst.

 -- Torsten Werner <twerner@debian.org>  Fri, 23 Dec 2011 13:46:15 +0100

ca-certificates-java (20110912) unstable; urgency=low

  * Support new multiarch JRE packages in jks-keystore. (Closes: #641306)
  * Support OpenJDK 7. (Closes: #641305)

 -- Torsten Werner <twerner@debian.org>  Mon, 12 Sep 2011 21:23:22 +0200

ca-certificates-java (20110816) unstable; urgency=low

  * Upgrade Recommends: libnss3-1d to a versioned Depends due to multiarch
    changes. (Closes: #635571)
  * Use the locale C.UTF-8 for the hook script to be more robust.

 -- Torsten Werner <twerner@debian.org>  Tue, 16 Aug 2011 11:00:33 +0200

ca-certificates-java (20110531) unstable; urgency=low

  * Prepare for multiarch libnss3 update.

 -- Matthias Klose <doko@ubuntu.com>  Tue, 31 May 2011 15:20:52 +0200

ca-certificates-java (20110426) unstable; urgency=low

  * Test for existing file in postinst before copying it. (Closes: #624152)
  * Add Vcs headers to debian/control.

 -- Torsten Werner <twerner@debian.org>  Tue, 26 Apr 2011 09:23:03 +0200

ca-certificates-java (20110425) unstable; urgency=low

  * Add Java code to update the keystore and support UTF-8 encoded filenames.
    (Closes: #607245, #623671)
  * Change Maintainer to Debian Java Maintainers and add myself to Uploaders.
  * Update Build-Depends.
  * Replace old inconsistent keystore aliases. (Closes: #623888)
  * Add support for openjdk-7 and remove support for old cacao VM.
  * Add a NEWS file explaining the update.
  * Update README.Debian.

 -- Torsten Werner <twerner@debian.org>  Mon, 25 Apr 2011 15:28:55 +0200

ca-certificates-java (20100412) unstable; urgency=low

  * Upload to unstable.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 12 Apr 2010 03:15:47 +0200

ca-certificates-java (20100406ubuntu1) lucid; urgency=low

  * Make the installation and import of certificates more robust,
    if the NSS based security provider is disabled or not built.

 -- Matthias Klose <doko@ubuntu.com>  Sun, 11 Apr 2010 20:54:43 +0200

ca-certificates-java (20100406) unstable; urgency=low

  * Explicitely fail the installation, if /proc is not mounted.
    Currently required by the java tools, changed in OpenJDK7.
    Closes: #576453. LP: #556044.
  * Print name of JVM in case of errors.
  * Set priority to optional, set section to java. Closes: #566855.
  * Remove /etc/ssl/certs on package purge, if empty. Closes: #566853.

 -- Matthias Klose <doko@debian.org>  Tue, 06 Apr 2010 21:41:39 +0200

ca-certificates-java (20091021) unstable; urgency=low

  * Clarify output for keytool errors (although it shouldnn't be
    necessary anymore). Closes: #540490.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 21 Oct 2009 22:00:53 +0200

ca-certificates-java (20090928) karmic; urgency=low

  * Rebuild with OpenJDK supporting PKCS11 cryptography, rebuild with
    ca-certificates 20090814.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 28 Sep 2009 16:47:09 +0200

ca-certificates-java (20090629) unstable; urgency=low

  * debian/rules, debian/postinst, debian/jks-keystore.hook: Filter out
    SHA384withECDSA certificates since keytool won't support them.
    LP: #392104, closes: #534520.
  * Fix typo in hook. Closes: #534533.
  * Use java6-runtime-headless as alternative dependency. Closes: #512293.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 29 Jun 2009 11:27:59 +0200

ca-certificates-java (20081028) unstable; urgency=low

  * Ignore LANG and LC_ALL setting when running keytool. LP: #289934.

 -- Matthias Klose <doko@debian.org>  Tue, 28 Oct 2008 07:20:16 +0100

ca-certificates-java (20081027) unstable; urgency=medium

  * Merge from Ubuntu:
    - Don't try to import certificates, which are listed in
      /etc/ca-certificates.conf, but not available on the system.
      Just warn about those. LP: #289091.
    - Need to run keytool, when the jre is unpacked, but not yet configured.
      Create a temporary jvm.cfg for the time in that postinst and the
      jks-keystore.hook are run, and remove it afterwards. LP: #289199.

 -- Matthias Klose <doko@debian.org>  Mon, 27 Oct 2008 13:58:14 +0100

ca-certificates-java (20081024) unstable; urgency=low

  * Install /etc/default/cacerts with mode 600.

 -- Matthias Klose <doko@debian.org>  Fri, 24 Oct 2008 15:10:48 +0200

ca-certificates-java (20081022) unstable; urgency=low

  * debian/jks-keystore.hook:
    - Don't stop after first error during the update. LP: #244412.
      Closes: #489748.
    - Call keytool with -noprompt.
  * On initial install, add locally added certificates. LP: #244410.
    Closes: #489748.
  * Install /etc/default/cacerts to set options:
    - storepass, holding the password for the keystore.
    - updates, to enable/disable updates of the keystore.
  * Only use the keytool command from OpenJDK or Sun Java. Closes: #496587.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 22 Oct 2008 20:51:24 +0200

ca-certificates-java (20080712) unstable; urgency=low

  * Upload to main.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 12 Jul 2008 12:19:00 +0200

ca-certificates-java (20080711) unstable; urgency=low

  * debian/jks-keystore.hook: Fix typo. Closes: #489747, LP: #244408.

 -- Matthias Klose <doko@ubuntu.com>  Fri, 11 Jul 2008 20:38:04 +0200

ca-certificates-java (20080514) unstable; urgency=low

  * Initial release.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 02 Jun 2008 14:52:46 +0000