Bug#962245: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates
On Fri, Jun 05, 2020 at 08:06:28AM -0500, Michael Shuler wrote:
> On 6/5/20 4:15 AM, Adrian Bunk wrote:
> > Compared to 20200601 and 20200601~deb10u1 this contains the following
> > additional files:
> > /usr/share/ca-certificates/mozilla/AddTrust_Low-Value_Services_Root.crt
> > /usr/share/ca-certificates/mozilla/Camerfirma_Chambers_of_Commerce_Root.crt
> > /usr/share/ca-certificates/mozilla/Camerfirma_Global_Chambersign_Root.crt
> > /usr/share/ca-certificates/mozilla/Certum_Root_CA.crt
> > /usr/share/ca-certificates/mozilla/D-TRUST_Root_CA_3_2013.crt
> > /usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-_G2.crt
> > /usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
> > /usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
> > /usr/share/doc/ca-certificates/NEWS.Debian.gz
> > The additional NEWS.Debian.gz is either correct or harmless,
> > the additional certificates are not.
> > This is due to the backport missing the "Remove email-only roots from
> > mozilla trust store" (#721976) change that is in 20200601.
> Great catch, thanks, result of using currentver~debXuY as discussed with
> some people for better update recognition, while backporting as little as
Except for keeping debian/NEWS you were actually backporting everything
that was possible, this was not a 20161130+nmu1+deb9u2 release that
cherry-picked only one or few changes.
Given the nature of ca-certificates it was IMHO the correct decision
to backport as much as possible, it is just not "backporting as little
Since similar updates to stable releases might happen in the future,
I would recommend that you try to get build and runtime dependencies in
unstable to a level that allows rebuilding the package in all supported
Debian releases. For compatibility with buster this would include
staying at dh compat <= 12.
"Backporting everything possible" changes are often safest when the only
change in the ~deb10u1 source package is the entry in debian/changelog.
> > Please update the stretch-pu request with that fixed and let me know
> > when the corrected debdiff is approved.
> Will do, thank you for the feedback.
Thanks for your work on ca-certificates.
> Kind regards,