Even though the base images intentionally don't ship with a JRE, we include the Java certificates store in the image, so that the JVM buildpacks can configure Java apps to use it instead of the one that ships in each JRE release. This allows the Java certs store to be updated via base image updates, similar to the non-Java ca-certificates package.
For older Ubuntu versions, the ca-certificates-java package explicitly depended on a JRE, meaning we had to install both a JRE and ca-certificates-java, then remove both in a way that left the certs store (which is generated via a post-install trigger) behind. This leaves the package in a "removed but not purged" state, which can be seen via the package status: config-files in installed-packages*.txt.
However, as of Ubuntu 24.04, the ca-certificates-java package no longer has an explicit dependency on a JRE, meaning we can remove the JRE without causing ca-certificates-java to be uninstalled transitively.
As such for Heroku-24, the apt-get remove ca-certificates-java step can be removed.
In addition, the upstream java certs store JKS vs PKCS12 format bug (that was the reason the JRE version was pinned to v8) has long since been fixed (in 2018), so for Heroku-24 we can safely switch back to using default-jre-headless (which for Ubuntu 24.04 maps to JRE v21).
Lastly, for Heroku-20/22 I've backported some of the no-op comment/command streamlining improvements (but otherwise the changes there are a no-op). For the apt-get command simplifications, see:
https://manpages.ubuntu.com/manpages/noble/man8/apt-get.8.html
GUS-W-15713117.
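A check for the state described above, as an added example that is not part of the original commit or the project's build scripts: it reports the dpkg status of ca-certificates-java and classifies the certs store as JKS or PKCS12 from its leading bytes. The store path `/etc/ssl/certs/java/cacerts` and the function names `keystore_format` and `report_java_cert_store` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the project's own code.

# Classify a Java trust store by its first bytes (a heuristic):
#   JKS starts with the magic 0xFEEDFEED,
#   PKCS12 is DER and starts with an ASN.1 SEQUENCE tag (0x30).
keystore_format() {
    store="$1"
    [ -r "$store" ] || { echo "missing"; return 1; }
    magic=$(head -c 4 "$store" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        feedfeed) echo "jks" ;;
        30*)      echo "pkcs12" ;;
        *)        echo "unknown"; return 1 ;;
    esac
}

# Print the package status and store format on one line.
# A status ending in "config-files" is the "removed but not purged"
# state; "installed" is what remains when only the JRE was removed.
report_java_cert_store() {
    store="$1"
    status=$(dpkg-query -W -f='${Status}' ca-certificates-java 2>/dev/null) \
        || status="unknown"
    fmt=$(keystore_format "$store") || true
    echo "package_status=${status} store=${store} format=${fmt}"
}

# Default path is an assumption; pass another path as the first argument.
report_java_cert_store "${1:-/etc/ssl/certs/java/cacerts}"
```
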