Description
Package name
ca-certificates
Current version in Wolfi
20251003-r2
Requested version
20251003-r3
Upstream project URL
https://gitlab.alpinelinux.org/alpine/ca-certificates
Problem
Most container workloads don't need the update-ca-certificates infrastructure at runtime - they use immutable, pre-built certificate stores. However, the java-cacerts subpackage depends on ca-certificates, which transitively pulls in libcrypto3 via c_rehash.
For pure Java workloads that don't otherwise need OpenSSL, this unnecessarily introduces OpenSSL vulnerabilities into the image's attack surface.
Steps to reproduce
Create an apko image with openjdk-*-default-jvm and note the inclusion of the libcrypto3 package.
Root cause (if known)
openjdk-* => java-cacerts => ca-certificates => so:libcrypto.so.3 => libcrypto3
Proposed solution
Add a new java-cacerts-keystore subpackage that:
- Provides only the static /etc/ssl/certs/java/cacerts keystore, generated from
- Has no runtime dependencies
This allows container images to choose between:
- java-cacerts: full functionality with update hooks (existing behavior; updated to depend on java-cacerts-keystore)
- java-cacerts-keystore: static keystore only, no OpenSSL dependency
Ideally, the openjdk-* package dependencies would be updated from java-cacerts to java-cacerts-keystore, thus dropping the default libcrypto3 dependency across the Java ecosystem.
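To check from inside an image why libcrypto3 is present, the dependency chain above can be recovered from the apk installed database. The following is an added example, not code from this issue or from Wolfi; it parses a constructed /lib/apk/db/installed excerpt (the package name openjdk-21-default-jvm is assumed for illustration) and walks dependencies the way apk resolves so: provides.

```python
import re
from collections import deque

# Constructed sample in the /lib/apk/db/installed record format (blank-line
# separated records; P: name, D: depends, p: provides). Not from a real image.
SAMPLE_DB = """\
P:openjdk-21-default-jvm
D:java-cacerts

P:java-cacerts
D:ca-certificates

P:ca-certificates
D:so:libcrypto.so.3

P:libcrypto3
p:so:libcrypto.so.3=3
"""

def parse_installed(text):
    """Map package name -> (depends, provides); other fields are ignored."""
    pkgs = {}
    for record in text.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in record.splitlines() if ":" in line)
        pkgs[fields["P"]] = (fields.get("D", "").split(), fields.get("p", "").split())
    return pkgs

def find_chain(pkgs, start, target):
    """BFS start -> target, resolving so:/virtual provides the way apk does."""
    providers = {name: name for name in pkgs}
    for name, (_, provides) in pkgs.items():
        for prov in provides:
            providers.setdefault(prov.split("=", 1)[0], name)
    parent, queue = {start: None}, deque([start])
    while queue:
        pkg = queue.popleft()
        for dep in pkgs.get(pkg, ([], []))[0]:
            token = re.split(r"[<>=~!]", dep, maxsplit=1)[0]  # strip version constraint
            nxt = providers.get(token)
            if nxt and nxt not in parent:
                parent[nxt] = (pkg, token)
                queue.append(nxt)
    if target not in parent:
        return None
    chain, node = [], target
    while parent[node]:
        prev, token = parent[node]
        chain += [node] if token == node else [node, token]  # keep virtual name
        node = prev
    return (chain + [start])[::-1]
```

On a real image, call find_chain(parse_installed(open("/lib/apk/db/installed").read()), "<jvm package>", "libcrypto3"); a result of None after the proposed java-cacerts-keystore split confirms libcrypto3 is no longer pulled in through the keystore.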
Testing performed
No response
Acceptance criteria
- The requested version is the latest stable upstream release (no pre-releases or RCs)
- The upstream project uses an OSI-approved license
- The change aligns with Wolfi’s packaging and security model
- The package can be reasonably maintained over time
- There are no known unresolved security or supply-chain concerns