Bug#692911: unblock: ca-certificates/20121105
On 11/14/2012 06:12 PM, intrigeri wrote:
> Michael Shuler wrote (11 Nov 2012 20:59:10 GMT) :
>> In parsing certdata.txt for the ca-certificates package, neither of
>> these flags are used when the CA trust database is created, so both
>> CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are
>> ignored. This is why I indicated these lines are innocuous -
>
> Thanks a lot for the detailed explanation!

No problem!

>> Should I re-upload with a changelog entry of something like:
>
>> * Update mozilla/certdata.txt to version 1.86 Closes: #683728
>> + Clean up of "no explicit trust" flag CKT_NSS_TRUST_UNKNOWN to
>> + CKT_NSS_MUST_VERIFY_TRUST
>> + - https://bugzilla.mozilla.org/show_bug.cgi?id=757189
>
> I think it would be even better to replace "clean up" with some
> version of "parsing certdata.txt for the ca-certificates package,
> neither of these flags are used when the CA trust database is created,
> so both CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are
> ignored": IMHO, "Clean up" still describes the change itself, rather
> than the reason why it is reasonable, which is, I think, as important.

Bummer. I was going to update this bug after 20121114 hit unstable.
I built ca-certificates_20121114 before getting this note, and it is
waiting for upload by my sponsors, as of writing. This upload is being
coordinated with an upload of ca-certificates-java with version breaks
and depends (see full debdiff).

Here is what I did include for this change in 20121114:

+ * Update mozilla/certdata.txt to version 1.86 Closes: #683728
+ - Replace legacy "no explicit trust" flag of CKT_NSS_TRUST_UNKNOWN for
+ CKT_NSS_MUST_VERIFY_TRUST, instead of a mix of both flags:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=757189
+ Certificates added (+) (none removed):
+ + "Actalis Authentication Root CA"
...
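
Review bot: In the first sub-item, "Replace legacy ... CKT_NSS_TRUST_UNKNOWN for CKT_NSS_MUST_VERIFY_TRUST" leaves the direction of the substitution ambiguous; "Replace X with Y" would read unambiguously. The entry also records the upstream change and its bug link but not why it is safe for this package: a short clause stating that neither flag is used when the CA trust database is created, as explained earlier in this thread, would let a reader of the diff judge the change without following the link.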

Full debdiff:
http://www.pbandjelly.org/debian/ca-certificates_20120623-20121114.debdiff

So, while I did include a note about the change for context for the
reader of the diff (upstream change X: reference), I did not go into detail
about why this upstream change is not very meaningful to functionality
or packaging (upstream change X: reference - this particular change
doesn't really modify anything with ca-certificates because Y). That
additional info seems a bit overkill to me, but we can add that, if it
would be helpful.

Again, I was going to reply after upload, but since there's another
question on this, I thought I would take a moment to let you know what's
coming.
--
Kind regards,
Michael
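
The claim in this message that the flag rename does not affect the generated trust database can be checked mechanically. The following is an added example, not part of the original thread and not the ca-certificates conversion script: a simplified sketch that assumes only CKT_NSS_TRUSTED_DELEGATOR and CKT_NSS_NOT_TRUSTED are acted on, uses constructed sample records, and skips MULTILINE_OCTAL values.

```python
# Constructed sample in certdata.txt syntax (not copied from Mozilla's file).
OLD = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
"""
# The upstream cleanup discussed in the thread, applied to the sample.
NEW = OLD.replace("CKT_NSS_TRUST_UNKNOWN", "CKT_NSS_MUST_VERIFY_TRUST")

# Assumption of this sketch: only these two flags influence the output.
ACTED_ON = {"CKT_NSS_TRUSTED_DELEGATOR": "trusted",
            "CKT_NSS_NOT_TRUSTED": "distrusted"}

def parse_trust(text):
    """Return CKO_NSS_TRUST objects as {'label': str, 'flags': {attr: flag}}."""
    objects, cur = [], None
    for line in text.splitlines():
        parts = line.split(None, 2)
        if line.startswith("#") or len(parts) != 3:
            continue                      # comments, blanks, unsupported lines
        name, ctype, value = parts
        if name == "CKA_CLASS":           # every object starts with its class
            cur = {"class": value, "label": "", "flags": {}}
            objects.append(cur)
        elif cur is not None and name == "CKA_LABEL":
            cur["label"] = value.strip('"')
        elif cur is not None and ctype == "CK_TRUST":
            cur["flags"][name] = value
    return [o for o in objects if o["class"] == "CKO_NSS_TRUST"]

def decisions(text):
    """Map label -> {attr: decision}, dropping flags the sketch ignores."""
    return {o["label"]: {a: ACTED_ON[f] for a, f in o["flags"].items()
                         if f in ACTED_ON}
            for o in parse_trust(text)}

def changed_decisions(old, new):
    """Labels whose effective trust differs between two certdata versions."""
    a, b = decisions(old), decisions(new)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))
```

An empty result from `changed_decisions(OLD, NEW)` means the raw flags differ but the effective trust does not; a non-empty result names the roots a reviewer should inspect before approving an update.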