Bug#867461: should ca-certificates certdata.txt synchronize across all suites?

To: Antoine Beaupré <anarcat@orangeseeds.org>
Cc: Philipp Kern <pkern@debian.org>, Guido Günther <agx@sigxcpu.org>, Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
Subject: Bug#867461: should ca-certificates certdata.txt synchronize across all suites?
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Fri, 21 Jul 2017 23:03:22 +0200
Message-id: <[🔎] 20170721210322.ctlq3oajxz5w4df5@pisco.westfalen.local>
Reply-to: Moritz Mühlenhoff <jmm@inutil.org>, 867461@bugs.debian.org
In-reply-to: <[🔎] 87o9sdrj7y.fsf@curie.anarc.at>
References: <[🔎] 87y3s1phqk.fsf@curie.anarc.at> <[🔎] 76bd0565-304c-cc60-c38c-af1a725b2143@debian.org> <[🔎] 20170707140251.igywdem62hjuuu4y@bogon.m.sigxcpu.org> <[🔎] 87bmoiyhpq.fsf@curie.anarc.at> <[🔎] f6049c87-eb0a-899e-38b4-8a23442623da@debian.org> <[🔎] 87o9sdrj7y.fsf@curie.anarc.at>

On Fri, Jul 21, 2017 at 09:51:45AM -0400, Antoine Beaupré wrote:
> On 2017-07-20 18:15:00, Philipp Kern wrote:
> > On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
> >> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
> >> just a tiny part of it: one text file, more or less.
> >
> > Yeah, and the consensus of the world external to Debian seems to be that
> > this might not be the smartest choice.
> 
> I'm not sure I understand what you are proposing as an alternative
> here. Should we stop shipping ca-certificates? Or make it a binary
> package of the NSS source package?

Most distros rebase to the latest NSS release across all supported suites.

We also did this once or twice in -security (for changes which were too
instrusive to backport) and upstream apparently usually supports this.

But it's quite some effort to test all the reverse deps (that's why backporting
isolated fixes is easier in such cases) to ensure no breakage creeps in, so
this would need a volunteer to deal with testing reverse deps.

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Bug#867461: should ca-certificates certdata.txt synchronize across all suites?
  - From: Guido Günther <agx@sigxcpu.org>

References:
- Bug#867461: should ca-certificates certdata.txt synchronize across all suites?
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Bug#867461: should ca-certificates certdata.txt synchronize across all suites?
  - From: Philipp Kern <pkern@debian.org>
- Bug#867461: should ca-certificates certdata.txt synchronize across all suites?
  - From: Guido Günther <agx@sigxcpu.org>
- Bug#867461: should ca-certificates certdata.txt synchronize across all suites?
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Bug#867461: should ca-certificates certdata.txt synchronize across all suites?
  - From: Philipp Kern <pkern@debian.org>
- Bug#867461: should ca-certificates certdata.txt synchronize across all suites?
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

Prev by Date: Bug#866389: transition: perl 5.26
Next by Date: Bug#867461: should ca-certificates certdata.txt synchronize across all suites?
Previous by thread: Bug#867461: should ca-certificates certdata.txt synchronize across all suites?
Next by thread: Bug#867461: should ca-certificates certdata.txt synchronize across all suites?
Index(es):
- Date
- Thread