Re: should ca-certificates certdata.txt synchronize across all suites?
- To: Moritz Mühlenhoff <jmm@inutil.org>
- Cc: Antoine Beaupré <anarcat@orangeseeds.org>, Philipp Kern <pkern@debian.org>, Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
- Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
- From: Guido Günther <agx@sigxcpu.org>
- Date: Fri, 21 Jul 2017 23:59:42 +0200
- Message-id: <20170721215942.om3utbpdoilpj5c3@bogon.m.sigxcpu.org>
- Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Moritz Mühlenhoff <jmm@inutil.org>, Antoine Beaupré <anarcat@orangeseeds.org>, Philipp Kern <pkern@debian.org>, Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
- In-reply-to: <20170721210322.ctlq3oajxz5w4df5@pisco.westfalen.local>
- References: <87y3s1phqk.fsf@curie.anarc.at> <76bd0565-304c-cc60-c38c-af1a725b2143@debian.org> <20170707140251.igywdem62hjuuu4y@bogon.m.sigxcpu.org> <87bmoiyhpq.fsf@curie.anarc.at> <f6049c87-eb0a-899e-38b4-8a23442623da@debian.org> <87o9sdrj7y.fsf@curie.anarc.at> <20170721210322.ctlq3oajxz5w4df5@pisco.westfalen.local>
Hi,
On Fri, Jul 21, 2017 at 11:03:22PM +0200, Moritz Mühlenhoff wrote:
> On Fri, Jul 21, 2017 at 09:51:45AM -0400, Antoine Beaupré wrote:
> > On 2017-07-20 18:15:00, Philipp Kern wrote:
> > > On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
> > >> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
> > >> just a tiny part of it: one text file, more or less.
> > >
> > > Yeah, and the consensus of the world external to Debian seems to be that
> > > this might not be the smartest choice.
> >
> > I'm not sure I understand what you are proposing as an alternative
> > here. Should we stop shipping ca-certificates? Or make it a binary
> > package of the NSS source package?
>
> Most distros rebase to the latest NSS release across all supported suites.
>
> We also did this once or twice in -security (for changes which were too
> intrusive to backport) and upstream apparently usually supports this.
>
> But it's quite some effort to test all the reverse deps (that's why backporting
> isolated fixes is easier in such cases) to ensure no breakage creeps in, so
> this would need a volunteer to deal with testing reverse deps.
Which could be mitigated via p-u since this at least allows others
(including machines that build all the rdeps and run the autopkg tests)
to see things before they hit everybody running stable.
Cheers,
-- Guido
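The "one text file" at issue in this thread is certdata.txt. As an added example, not code from the thread or from the ca-certificates or NSS projects, here is a small POSIX shell script that extracts the server-auth trust set from two certdata.txt snapshots and prints which roots were added or removed, which is the part of the file a maintainer would want to review before syncing it across suites (a root that flips from CKT_NSS_TRUSTED_DELEGATOR to CKT_NSS_NOT_TRUSTED is a distrust, not a cosmetic diff). The sample stanzas are constructed for the demo; real certdata.txt also carries certificate bodies and hashes as MULTILINE_OCTAL blocks, which the script ignores because they do not affect the trust set.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ca-certificates package:
# compare the set of server-auth-trusted roots between two certdata.txt files.
# Assumption: the files use the NSS certdata.txt object format (CKO_NSS_TRUST
# stanzas carrying CKA_LABEL and CKA_TRUST_SERVER_AUTH lines).

# Print, sorted and one per line, the CKA_LABEL of every CKO_NSS_TRUST object
# whose CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR. Roots marked
# CKT_NSS_NOT_TRUSTED or CKT_NSS_MUST_VERIFY_TRUST are left out, as are the
# CKO_CERTIFICATE stanzas (which carry a label but no trust flags).
trusted_labels() {
    awk '
        /^CKA_CLASS CK_OBJECT_CLASS/ { cls = $3; label = ""; next }
        /^CKA_LABEL UTF8 "/ {
            label = $0
            sub(/^CKA_LABEL UTF8 "/, "", label)
            sub(/"$/, "", label)
            next
        }
        /^CKA_TRUST_SERVER_AUTH CK_TRUST/ {
            if (cls == "CKO_NSS_TRUST" && $3 == "CKT_NSS_TRUSTED_DELEGATOR")
                print label
        }
    ' "$1" | sort -u
}

# Print "-label" for roots trusted only in the first file and "+label" for
# roots trusted only in the second; no output means the trust sets agree.
certdata_diff() {
    cd_old=$(mktemp); cd_new=$(mktemp)
    trusted_labels "$1" > "$cd_old"
    trusted_labels "$2" > "$cd_new"
    comm -23 "$cd_old" "$cd_new" | sed 's/^/-/'
    comm -13 "$cd_old" "$cd_new" | sed 's/^/+/'
    rm -f "$cd_old" "$cd_new"
}

# Constructed sample data (not real Mozilla roots): one trust stanza per root,
# with the octal hash blocks omitted since they do not affect the trust set.
trust_stanza() {
    printf 'CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n'
    printf 'CKA_LABEL UTF8 "%s"\n' "$1"
    printf 'CKA_TRUST_SERVER_AUTH CK_TRUST %s\n' "$2"
    printf 'CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n\n' "$2"
}

# Older snapshot: A and B trusted, C already distrusted; the leading
# CKO_CERTIFICATE stanza for A shows that certificate objects are skipped.
sample_old() {
    {
        printf 'CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n'
        printf 'CKA_LABEL UTF8 "Example Root A"\n\n'
        trust_stanza "Example Root A" CKT_NSS_TRUSTED_DELEGATOR
        trust_stanza "Example Root B" CKT_NSS_TRUSTED_DELEGATOR
        trust_stanza "Example Root C" CKT_NSS_NOT_TRUSTED
    } > "$1"
}

# Newer snapshot: B has been distrusted, D has been added.
sample_new() {
    {
        trust_stanza "Example Root A" CKT_NSS_TRUSTED_DELEGATOR
        trust_stanza "Example Root B" CKT_NSS_NOT_TRUSTED
        trust_stanza "Example Root C" CKT_NSS_NOT_TRUSTED
        trust_stanza "Example Root D" CKT_NSS_TRUSTED_DELEGATOR
    } > "$1"
}

# What a maintainer would run against the certdata.txt shipped in two suites:
demo_old=$(mktemp); demo_new=$(mktemp)
sample_old "$demo_old"; sample_new "$demo_new"
certdata_diff "$demo_old" "$demo_new"   # prints "-Example Root B" then "+Example Root D"
rm -f "$demo_old" "$demo_new"
```

Running `certdata_diff` on the files from two suites gives a list short enough to eyeball; an entry with a leading `-` is a root that the older suite still trusts for server auth and the newer one does not, which is exactly the kind of change that argues for syncing the file rather than leaving stable behind.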