Bug#962245: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates

On Fri, Jun 05, 2020 at 08:06:28AM -0500, Michael Shuler wrote:
> On 6/5/20 4:15 AM, Adrian Bunk wrote:
> > Compared to 20200601 and 20200601~deb10u1 this contains the following
> > additional files:
> > 
> > /usr/share/ca-certificates/mozilla/AddTrust_Low-Value_Services_Root.crt
> > /usr/share/ca-certificates/mozilla/Camerfirma_Chambers_of_Commerce_Root.crt
> > /usr/share/ca-certificates/mozilla/Camerfirma_Global_Chambersign_Root.crt
> > /usr/share/ca-certificates/mozilla/Certum_Root_CA.crt
> > /usr/share/ca-certificates/mozilla/D-TRUST_Root_CA_3_2013.crt
> > /usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-_G2.crt
> > /usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
> > /usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
> > /usr/share/doc/ca-certificates/NEWS.Debian.gz
> > 
> > The additional NEWS.Debian.gz is either correct or harmless,
> > the additional certificates are not.
> > 
> > This is due to the backport missing the "Remove email-only roots from
> > mozilla trust store" (#721976) change that is in 20200601.
> Great catch, thanks, result of using currentver~debXuY as discussed with
> some people for better update recognition, while backporting as little as
> possible.

Except for keeping debian/NEWS, you were actually backporting everything
that was possible; this was not a 20161130+nmu1+deb9u2 release that
cherry-picked only one or a few changes.

Given the nature of ca-certificates, it was IMHO the correct decision
to backport as much as possible; it is just not "backporting as little
as possible".

Since similar updates to stable releases might happen in the future,
I would recommend that you try to get build and runtime dependencies in 
unstable to a level that allows rebuilding the package in all supported 
Debian releases. For compatibility with buster this would include 
staying at dh compat <= 12.

"Backporting everything possible" changes are often safest when the only 
change in the ~deb10u1 source package is the entry in debian/changelog.

> > Please update the stretch-pu request with that fixed and let me know
> > when the corrected debdiff is approved.
> Will do, thank you for the feedback.

Thanks for your work on ca-certificates.

> Kind regards,
> Michael


