Bug#962245: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates
On 6/5/20 10:35 AM, Adrian Bunk wrote:
Except for keeping debian/NEWS you were actually backporting everything
that was possible, this was not a 20161130+nmu1+deb9u2 release that
cherry-picked only one or few changes.
Given the nature of ca-certificates it was IMHO the correct decision
to backport as much as possible, it is just not "backporting as little
Since similar updates to stable releases might happen in the future,
I would recommend that you try to get build and runtime dependencies in
unstable to a level that allows rebuilding the package in all supported
Debian releases. For compatibility with buster this would include
staying at dh compat <= 12.
"Backporting everything possible" changes are often safest when the only
change in the ~deb10u1 source package is the entry in debian/changelog.
I uploaded an updated package for 20200601~deb9u1 to mentors and updated
#962155 for approval.
Backporting the latest changes to stable and oldstable was the essence
of a conversation on making that simpler with this package. These
uploads get us a lot closer. The branch diffs are not far off now.
Stretch has an openssl version without `openssl rehash`, but that is not
a large diff. Both stretch & buster will have python->python3 difference
from unstable on the next release, but that's also not a large diff. I
hadn't thought about leaving older compat and standards in unstable, I
generally try to keep lintian pleased.. not a bad idea, if no one minds
Thanks again - I'll update this RFS when #962155 comes back from the