Bug#962669: Bug#962672: buster-pu: package ca-certificates/20200611~deb10u1
Control: tags 962669 moreinfo
On Thu, Jun 11, 2020 at 08:18:38PM +0100, Adam D. Barratt wrote:
> On Thu, 2020-06-11 at 13:48 -0500, Michael Shuler wrote:
> > On 6/11/20 1:33 PM, Adam D. Barratt wrote:
> > > Just to confirm - will the certificates be automatically re-added
> > > (assuming that users have either the automatically trust or prompt
> > > options enabled)?
> > (stretch-pu report cc'ed, since same applies)
> > Excellent question. I believe we're going to hit #743339 "Previously
> > removed certificates not added again". I had not found a reasonable
> > fix for that case in general, to preserve a user's selections. Maybe
> > a "good enough" fix will have to do for the specific ones added back.
> In that case, how does this seem as an SUA text?
> The ca-certificates update described in SUA 182-1 removed some
> certificates issued by Symantec (under various brand names).
> Unfortunately, this removal led to a number of reported regressions.
> The affected certificates have therefore been reintroduced.
> If you have already installed the package from SUA 182-1, and need to
> use the affected certificates, you may need to manually enable them by
> running "dpkg-reconfigure ca-certificates" as root.
This does not work in various embedded scenarios.
Would it work to force-enable them in /etc/ca-certificates.conf
from the preinst when upgrading from old-version matching 20200601* ?
Unrelated to that, please keep the Python 2 -> 3 build dependency
change out of this emergency update.