
Bug#692911: unblock: ca-certificates/20121105



On 11/14/2012 06:12 PM, intrigeri wrote:
> Michael Shuler wrote (11 Nov 2012 20:59:10 GMT) :
>> In parsing certdata.txt for the ca-certificates package, neither of
>> these flags are used when the CA trust database is created, so both
>> CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are
>> ignored. This is why I indicated these lines are innocuous -
> 
> Thanks a lot for the detailed explanation!

No problem!

>> Should I re-upload with a changelog entry of something like:
> 
>>    * Update mozilla/certdata.txt to version 1.86  Closes: #683728
>> +    Clean up of "no explicit trust" flag CKT_NSS_TRUST_UNKNOWN to
>> +    CKT_NSS_MUST_VERIFY_TRUST
>> +    - https://bugzilla.mozilla.org/show_bug.cgi?id=757189
> 
> I think it would be even better to replace "clean up" with some
> version of "parsing certdata.txt for the ca-certificates package,
> neither of these flags are used when the CA trust database is created,
> so both CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are
> ignored": IMHO, "Clean up" still describes the change itself, rather
> than the reason why it is reasonable, which is, I think, as important.

Bummer. I was going to update this bug after 20121114 hit unstable.

I built ca-certificates_20121114 before getting this note, and it is
waiting for upload by my sponsors, as of writing. This upload is being
coordinated with an upload of ca-certificates-java with version breaks
and depends (see full debdiff).

Here is what I did include for this change in 20121114:

+  * Update mozilla/certdata.txt to version 1.86  Closes: #683728
+    - Replace legacy "no explicit trust" flag of CKT_NSS_TRUST_UNKNOWN for
+      CKT_NSS_MUST_VERIFY_TRUST, instead of a mix of both flags:
+      https://bugzilla.mozilla.org/show_bug.cgi?id=757189
+    Certificates added (+) (none removed):
+    + "Actalis Authentication Root CA"
...
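
Review bot: The "Update mozilla/certdata.txt to version 1.86" entry names the flag change but does not say why it is safe for this package. Add a line stating that neither CKT_NSS_TRUST_UNKNOWN nor CKT_NSS_MUST_VERIFY_TRUST is used when the CA trust database is created from certdata.txt, so a reader of the changelog can see that the change does not affect the generated database. The wording "Replace legacy ... flag of CKT_NSS_TRUST_UNKNOWN for CKT_NSS_MUST_VERIFY_TRUST" also leaves the direction of the replacement ambiguous; "Replace X with Y" would read unambiguously.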

Full debdiff:
http://www.pbandjelly.org/debian/ca-certificates_20120623-20121114.debdiff

So, while I did include a note about the change for context for the
reader of the diff (upstream change X: reference), I did not go into detail
about why this upstream change is not very meaningful to functionality
or packaging (upstream change X: reference - this particular change
doesn't really modify anything with ca-certificates because Y). That
additional info seems a bit overkill to me, but we can add that, if it
would be helpful.

Again, I was going to reply after upload, but since there's another
question on this, I thought I would take a moment to let you know what's
coming.

-- 
Kind regards,
Michael

