
Bug#692911: unblock: ca-certificates/20121105



On 11/11/2012 12:15 PM, intrigeri wrote:
> That may be me nitpicking, but "they are innocuous" does not really
> address my desire to understand an undocumented change in
> a security-sensitive area. I'm still curious and feeling like this
> should be documented somehow, but I'll happily let others decide how
> important this concern of mine is for Debian.

For full context on the change, this came in an upstream patch for
mozilla/certdata.txt 1.83->1.84 - this is the upstream bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=757189

mozilla/certdata.txt 1.83 was in ca-certificates_20120623

Quick summary of the mozilla bug: there were two different flags being
used within certdata.txt to indicate "no explicit trust":
CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN. The change upstream
was to get rid of the legacy TRUST_UNKNOWN flags and replace them with
MUST_VERIFY_TRUST, since this is how new flags were being added.

In parsing certdata.txt for the ca-certificates package, neither of
these flags is used when the CA trust database is created, so both
CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are ignored.
This is why I indicated these lines are innocuous -
CKT_NSS_MUST_VERIFY_TRUST is ignored in the same manner as
CKT_NSS_TRUST_UNKNOWN when both flags were present in the file, and now
only CKT_NSS_MUST_VERIFY_TRUST is in certdata.txt, and there are no more
instances of CKT_NSS_TRUST_UNKNOWN in certdata.txt >1.84.

Should I re-upload with a changelog entry of something like:

diff --git a/debian/changelog b/debian/changelog
index 861abed..3fe8329 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 ca-certificates (20121105) unstable; urgency=low

   * Update mozilla/certdata.txt to version 1.86  Closes: #683728
+    Clean up of "no explicit trust" flag CKT_NSS_TRUST_UNKNOWN to
+    CKT_NSS_MUST_VERIFY_TRUST
+    - https://bugzilla.mozilla.org/show_bug.cgi?id=757189
     Certificates added (+) (none removed):
     + "Actalis Authentication Root CA"
     + "Trustis FPS Root CA"
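Review bot: the added sub-entry records the rename but not its effect on the package, which is the point the reviewer asked to have documented; since the message above states that the certdata.txt parser ignores both CKT_NSS_TRUST_UNKNOWN and CKT_NSS_MUST_VERIFY_TRUST when building the trust store, say so in the entry, for example "(no effect on the generated CA bundle: both flags are ignored by the package's certdata.txt parser)", so the next reader does not have to rediscover it. It would also help to note that the rename landed in certdata.txt 1.84, since the entry only names the 1.86 endpoint of the update.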

Or should I patch out these changes from mozilla/certdata.txt and re-upload?

-- 
Kind regards,
Michael Shuler
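The flag handling described in the message, as an added example that is not part of the thread and not Debian's own certdata2pem.py: a small parser for the CKO_NSS_TRUST objects of a certdata.txt-style file, run over constructed sample data (the real file's MULTILINE_OCTAL blobs are left out), showing that the legacy and renamed "no explicit trust" flags lead to the same decision for every CA.

```python
# Added example (not Debian's certdata2pem.py): a small parser for the
# CKO_NSS_TRUST objects of certdata.txt; the sample data is constructed.
SAMPLE_OLD = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Revoked CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""
# The same objects after the upstream rename (Mozilla bug 757189).
SAMPLE_NEW = SAMPLE_OLD.replace("CKT_NSS_TRUST_UNKNOWN", "CKT_NSS_MUST_VERIFY_TRUST")

NO_EXPLICIT_TRUST = {"CKT_NSS_TRUST_UNKNOWN", "CKT_NSS_MUST_VERIFY_TRUST"}

def parse_objects(text):
    """Split certdata.txt text into one {attribute: value} dict per object."""
    objects, current = [], {}
    for line in text.splitlines() + [""]:   # a blank line closes the object
        if not line.strip():
            if current:
                objects.append(current)
            current = {}
            continue
        key, _type, value = line.split(None, 2)
        current[key] = value.strip('"')
    return objects

def classify(text):
    """Per trust object: what a server-auth CA bundle builder does with it."""
    decisions = {}
    for obj in parse_objects(text):
        if obj.get("CKA_CLASS") != "CKO_NSS_TRUST":
            continue
        flag = obj.get("CKA_TRUST_SERVER_AUTH")
        if flag == "CKT_NSS_TRUSTED_DELEGATOR":
            decisions[obj["CKA_LABEL"]] = "included"
        elif flag == "CKT_NSS_NOT_TRUSTED":
            decisions[obj["CKA_LABEL"]] = "distrusted"
        elif flag in NO_EXPLICIT_TRUST:  # legacy and new flag fall through alike
            decisions[obj["CKA_LABEL"]] = "ignored"
    return decisions
```

Comparing `classify(SAMPLE_OLD)` with `classify(SAMPLE_NEW)` gives identical results, which is the "innocuous" property the message argues for.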
