
Re: should ca-certificates certdata.txt synchronize across all suites?

On Fri, Jul 21, 2017 at 11:03:22PM +0200, Moritz Mühlenhoff wrote:
> On Fri, Jul 21, 2017 at 09:51:45AM -0400, Antoine Beaupré wrote:
> > On 2017-07-20 18:15:00, Philipp Kern wrote:
> > > On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
> > >> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
> > >> just a tiny part of it: one text file, more or less.
> > >
> > > Yeah, and the consensus of the world external to Debian seems to be that
> > > this might not be the smartest choice.
> > 
> > I'm not sure I understand what you are proposing as an alternative
> > here. Should we stop shipping ca-certificates? Or make it a binary
> > package of the NSS source package?
> Most distros rebase to the latest NSS release across all supported suites.
> We also did this once or twice in -security (for changes which were too
> intrusive to backport) and upstream apparently usually supports this.
> But it's quite some effort to test all the reverse deps (that's why backporting
> isolated fixes is easier in such cases) to ensure no breakage creeps in, so
> this would need a volunteer to deal with testing reverse deps.

Which could be mitigated via p-u since this at least allows others
(including machines that build all the rdeps and run the autopkg tests)
to see things before they hit everybody running stable.
 -- Guido
