On 6/5/20 10:35 AM, Adrian Bunk wrote:
Except for keeping debian/NEWS you were actually backporting everything that was possible; this was not a 20161130+nmu1+deb9u2 release that cherry-picked only one or few changes. Given the nature of ca-certificates it was IMHO the correct decision to backport as much as possible, it is just not "backporting as little as possible". Since similar updates to stable releases might happen in the future, I would recommend that you try to get build and runtime dependencies in unstable to a level that allows rebuilding the package in all supported Debian releases. For compatibility with buster this would include staying at dh compat <= 12. "Backporting everything possible" changes are often safest when the only change in the ~deb10u1 source package is the entry in debian/changelog.
I uploaded an updated package for 20200601~deb9u1 to mentors and updated #962155 for approval.
Backporting the latest changes to stable and oldstable was the essence of a conversation on making that simpler with this package. These uploads get us a lot closer. The branch diffs are not far off now.
Stretch has an openssl version without `openssl rehash`, but that is not a large diff. Both stretch & buster will have a python->python3 difference from unstable on the next release, but that's also not a large diff. I hadn't thought about leaving older compat and standards in unstable, I generally try to keep lintian pleased... not a bad idea, if no one minds much.
Thanks again - I'll update this RFS when #962155 comes back from the release team.
Michael