Bug#962010: Bug#962008: RFS: ca-certificates/20200601 [RC] -- Common CA certificates
On Wed, Jun 03, 2020 at 08:40:02AM -0500, Michael Shuler wrote:
> Generally, expiry date has not been an issue remaining in the bundle until
> removal upstream, since the certification authorities have managed migration
> to new roots well and openssl>=1.1.1 handles this gracefully. This appears
> to have not been the case with AddTrust and older openssl<1.1.1 bug, as that
> fix was not backported, to the best of my understanding.
gnutls has the same problem (#961889).
But you do have a point that libraries are supposed to handle this
> Re: security uploads:
> I have received no reply from the security team, as of this message, so
> awaiting their OK/advice. Copy of email sent to team@security, since there
> is no secret info in here:
Please wait for an ACK from the security team before making uploads
to -security or asking others to do so.
While maintainers are allowed to update their packages quite freely
in unstable (with some exceptions like library transitions ot the
freeze before a release), uploads to *-security and stable distributions
need an ACK first.
> Kind regards,