Bug#962245: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates

To: Michael Shuler <michael@pbandjelly.org>
Cc: 962245@bugs.debian.org
Subject: Bug#962245: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates
From: Adrian Bunk <bunk@debian.org>
Date: Fri, 5 Jun 2020 18:35:25 +0300
Message-id: <[🔎] 20200605153525.GA22794@localhost>
Reply-to: Adrian Bunk <bunk@debian.org>, 962245@bugs.debian.org
In-reply-to: <[🔎] c0ad8d68-a833-0922-bed3-4953f781c62b@pbandjelly.org>
References: <[🔎] 8abe03da-7703-ceab-811f-7a8fee4f40c1@pbandjelly.org> <[🔎] 20200605091500.GA1054@localhost> <[🔎] c0ad8d68-a833-0922-bed3-4953f781c62b@pbandjelly.org> <[🔎] 8abe03da-7703-ceab-811f-7a8fee4f40c1@pbandjelly.org>

On Fri, Jun 05, 2020 at 08:06:28AM -0500, Michael Shuler wrote:
> On 6/5/20 4:15 AM, Adrian Bunk wrote:
> > Compared to 20200601 and 20200601~deb10u1 this contains the following
> > additional files:
> > 
> > /usr/share/ca-certificates/mozilla/AddTrust_Low-Value_Services_Root.crt
> > /usr/share/ca-certificates/mozilla/Camerfirma_Chambers_of_Commerce_Root.crt
> > /usr/share/ca-certificates/mozilla/Camerfirma_Global_Chambersign_Root.crt
> > /usr/share/ca-certificates/mozilla/Certum_Root_CA.crt
> > /usr/share/ca-certificates/mozilla/D-TRUST_Root_CA_3_2013.crt
> > /usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-_G2.crt
> > /usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
> > /usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
> > /usr/share/doc/ca-certificates/NEWS.Debian.gz
> > 
> > The additional NEWS.Debian.gz is either correct or harmless,
> > the additional certificates are not.
> > 
> > This is due to the backport missing the "Remove email-only roots from
> > mozilla trust store" (#721976) change that is in 20200601.
> 
> Great catch, thanks, result of using currentver~debXuY as discussed with
> some people for better update recognition, while backporting as little as
> possible.

Except for keeping debian/NEWS you were actually backporting everything
that was possible, this was not a 20161130+nmu1+deb9u2 release that
cherry-picked only one or few changes.

Given the nature of ca-certificates it was IMHO the correct decision 
to backport as much as possible, it is just not "backporting as little 
as possible".

Since similar updates to stable releases might happen in the future,
I would recommend that you try to get build and runtime dependencies in 
unstable to a level that allows rebuilding the package in all supported 
Debian releases. For compatibility with buster this would include 
staying at dh compat <= 12.

"Backporting everything possible" changes are often safest when the only 
change in the ~deb10u1 source package is the entry in debian/changelog.

>...
> > Please update the stretch-pu request with that fixed and let me know
> > when the corrected debdiff is approved.
> 
> Will do, thank you for the feedback.

Thanks for your work on ca-certificates.

> Kind regards,
> Michael

cu
Adrian

Reply to:

Follow-Ups:
- Bug#962245: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates
  - From: Michael Shuler <michael@pbandjelly.org>

References:
- Bug#962245: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates
  - From: Michael Shuler <michael@pbandjelly.org>
- Bug#962245: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates
  - From: Adrian Bunk <bunk@debian.org>
- Bug#962245: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates
  - From: Michael Shuler <michael@pbandjelly.org>

Prev by Date: Bug#961899: RFS: wifi-qr/0.1-1 -- WiFi Share and Connect with QR
Next by Date: Bug#962294: RFS: btrfs-progs/5.6-1~bpo10+1 -- Checksumming Copy on Write Filesystem utilities
Previous by thread: Bug#962245: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates
Next by thread: Bug#962245: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates
Index(es):
- Date
- Thread