On 11/11/2012 12:15 PM, intrigeri wrote:
> That may be me nitpicking, but "they are innocuous" does not really
> address my desire to understand an undocumented change in
> a security-sensitive area. I'm still curious and feeling like this
> should be documented somehow, but I'll happily let others decide how
> important this concern of mine is for Debian.

For full context on the change, this came in an upstream patch for
mozilla/certdata.txt 1.83->1.84 - this is the upstream bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=757189

mozilla/certdata.txt 1.83 was in ca-certificates_20120623

Quick summary of the mozilla bug: there were two different flags being
used within certdata.txt to indicate "no explicit trust":
CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN. The change upstream
was to get rid of the legacy TRUST_UNKNOWN flags and replace them with
MUST_VERIFY_TRUST, since this is how new flags were being added.

In parsing certdata.txt for the ca-certificates package, neither of
these flags is used when the CA trust database is created, so both
CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are ignored.
This is why I indicated these lines are innocuous - CKT_NSS_MUST_VERIFY_TRUST
is ignored in the same manner as CKT_NSS_TRUST_UNKNOWN when both flags
were present in the file; now only CKT_NSS_MUST_VERIFY_TRUST is in
certdata.txt, and there are no more instances of CKT_NSS_TRUST_UNKNOWN
in certdata.txt >1.84.

Should I re-upload with a changelog entry of something like:

diff --git a/debian/changelog b/debian/changelog index 861abed..3fe8329 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,9 @@ ca-certificates (20121105) unstable; urgency=low * Update mozilla/certdata.txt to version 1.86 Closes: #683728 + Clean up of "no explicit trust" flag CKT_NSS_TRUST_UNKNOWN to + CKT_NSS_MUST_VERIFY_TRUST + - https://bugzilla.mozilla.org/show_bug.cgi?id=757189 Certificates added (+) (none removed): + "Actalis Authentication Root CA" + "Trustis FPS Root CA"

Or should I patch out these changes from mozilla/certdata.txt and re-upload?

-- 
Kind regards,
Michael Shuler
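Review bot: the three added changelog lines record the flag rename and the bug URL but not why it is harmless to this package, which is exactly the documentation gap intrigeri raised; the mail body states that neither CKT_NSS_MUST_VERIFY_TRUST nor CKT_NSS_TRUST_UNKNOWN is consulted when the CA trust database is built, so put that in the entry, e.g. after "+ - https://bugzilla.mozilla.org/show_bug.cgi?id=757189" add a line such as "+ No effect on the generated trust store: both flags are ignored by the certdata.txt parser". A smaller point: the entry hangs under "Update mozilla/certdata.txt to version 1.86" although the rename arrived with 1.84; naming the version step (1.83->1.84) in the entry makes the change traceable against the 20120623 upload for anyone diffing the two.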
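As an added illustration (not the thread's code and not the ca-certificates package's own certdata2pem.py): a small Python parser for certdata.txt-style trust objects that applies the assumed selection rule "include a CA only when its CKO_NSS_TRUST object has CKA_TRUST_SERVER_AUTH set to CKT_NSS_TRUSTED_DELEGATOR". The sample certdata text is constructed, not real trust anchors. Running the same selection before and after rewriting CKT_NSS_TRUST_UNKNOWN to CKT_NSS_MUST_VERIFY_TRUST (the 1.83->1.84 clean-up) yields the same CA list, which is the point made above about the flags being ignored.

```python
"""Minimal certdata.txt trust parser (added example, not Debian's code).

Assumed selection rule (an assumption, not quoted from the thread): a CA
is explicitly trusted for TLS servers only when its CKO_NSS_TRUST object
carries CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR.  Any
other value, including CKT_NSS_MUST_VERIFY_TRUST and the legacy
CKT_NSS_TRUST_UNKNOWN, means "no explicit trust" and is never consulted.
"""

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"
LEGACY_NO_TRUST = "CKT_NSS_TRUST_UNKNOWN"       # removed upstream in 1.84
NO_TRUST = "CKT_NSS_MUST_VERIFY_TRUST"          # its replacement


def parse_certdata(text):
    """Return a list of attribute dicts, one per object.

    Objects are runs of 'CKA_xxx TYPE VALUE' lines separated by blank
    lines.  MULTILINE_OCTAL values (\\ooo escapes) run until END and are
    decoded to bytes; UTF8 values lose their surrounding quotes.
    """
    objects, current = [], {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.rstrip()
        if not line:
            if current:             # blank line closes the current object
                objects.append(current)
                current = {}
            continue
        if line.startswith("#") or line == "BEGINDATA":
            continue
        parts = line.split(None, 2)
        attr, typ = parts[0], parts[1]
        if typ == "MULTILINE_OCTAL":
            raw = bytearray()
            for oct_line in lines:  # consumes the shared iterator up to END
                if oct_line.strip() == "END":
                    break
                raw.extend(int(o, 8) for o in oct_line.strip().split("\\") if o)
            current[attr] = bytes(raw)
        else:
            value = parts[2] if len(parts) == 3 else ""
            current[attr] = value.strip('"') if typ == "UTF8" else value
    if current:
        objects.append(current)
    return objects


def trusted_server_cas(objects):
    """Labels of CAs explicitly trusted for server auth (assumed rule)."""
    return sorted(
        o["CKA_LABEL"] for o in objects
        if o.get("CKA_CLASS") == "CKO_NSS_TRUST"
        and o.get("CKA_TRUST_SERVER_AUTH") == TRUSTED
    )


def migrate_legacy_flags(text):
    """Mimic the upstream 1.83 -> 1.84 clean-up of the legacy flag."""
    return text.replace(LEGACY_NO_TRUST, NO_TRUST)


def compare_before_after(text):
    """Selected CAs with the legacy flag present vs. after the rewrite."""
    before = trusted_server_cas(parse_certdata(text))
    after = trusted_server_cas(parse_certdata(migrate_legacy_flags(text)))
    return before, after, before == after


# Constructed sample in certdata.txt syntax; the labels and the
# certificate bytes are made up for this example.
SAMPLE_1_83 = """\
BEGINDATA
# Certificate object: the DER is a constructed 4-byte stand-in.
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\001\\000
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Legacy-Flagged CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
"""

if __name__ == "__main__":
    before, after, same = compare_before_after(SAMPLE_1_83)
    print("selected with legacy flag:   ", before)
    print("selected after 1.84 rewrite: ", after)
    print("identical:", same)
```

The parser only answers one question, "is this CA explicitly trusted for server auth", so every non-TRUSTED_DELEGATOR value collapses into the same negative branch; that is the structural reason a rename between two such values cannot move a CA into or out of the generated store, and it is the check worth re-running on a real certdata.txt diff before accepting any future flag change as cosmetic.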