
Re: ca-certificates version number reuse



On Sun, September 4, 2011 00:42, Philipp Kern wrote:
> On Sat, Sep 03, 2011 at 03:16:20PM +0200, Thijs Kinkhorst wrote:
>> > You'll need a new DSA mail, though, that's the only "drawback".
>> We could upload ca-certificates 20090814+nmu3squeeze1 to ftp-master in
>> order to get it into the point update. I'm not sure why we would want to
>> remove anything from the security archive or upload new things to the
>> security archive?
>
> You should get rid of any collisions that differ in hashes regardless if
> they are on ftp-master or not, IMO.

I don't think that uploading a newer version to security-master will cause
the older version to disappear. Older versions remain on
security.debian.org.

When does this collision you speak of occur? I'm trying to understand the
exact problem we're trying to address so we can be sure we take the most
appropriate action.

> Furthermore you need another update to drop Staat der Nederlanden
> anyway, no?

That root is not compromised and certificates are issued legitimately from
it by other intermediate issuers. Only the DigiNotar-specific intermediate
certificate is to be considered compromised, something that cannot be
expressed in ca-certificates.


Thijs

