Re: should ca-certificates certdata.txt synchronize across all suites?
On Fri, Jul 21, 2017 at 09:51:45AM -0400, Antoine Beaupré wrote:
> On 2017-07-20 18:15:00, Philipp Kern wrote:
> > On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
> >> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
> >> just a tiny part of it: one text file, more or less.
> > Yeah, and the consensus of the world external to Debian seems to be that
> > this might not be the smartest choice.
> I'm not sure I understand what you are proposing as an alternative
> here. Should we stop shipping ca-certificates? Or make it a binary
> package of the NSS source package?
Most distros rebase to the latest NSS release across all supported suites.
We also did this once or twice in -security (for changes which were too
intrusive to backport) and upstream apparently usually supports this.
But it's quite some effort to test all the reverse deps (that's why backporting
isolated fixes is easier in such cases) to ensure no breakage creeps in, so
this would need a volunteer to deal with testing reverse deps.