On 11/15/2012 08:46 AM, Michael Shuler wrote:
> On 11/14/2012 06:12 PM, intrigeri wrote:
>> I think it would be even better to replace "clean up" with some
>> version of "parsing certdata.txt for the ca-certificates package,
>> neither of these flags are used when the CA trust database is created,
>> so both CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are
>> ignored": IMHO, "Clean up" still describes the change itself, rather
>> than the reason why it is reasonable, which is, I think, as important.
20121114 has not been uploaded to unstable, yet, so I had some time to
rebuild and include an additional note, today:
* Update mozilla/certdata.txt to version 1.86 Closes: #683728
- Replace legacy "no explicit trust" flag of CKT_NSS_TRUST_UNKNOWN for
CKT_NSS_MUST_VERIFY_TRUST, instead of a mix of both flags:
https://bugzilla.mozilla.org/show_bug.cgi?id=757189
This upstream fix does not change the CA certificates installed in
ca-certificates as both flags are ignored. Only those CA certificates
with the CKT_NSS_TRUSTED_DELEGATOR flag in certdata.txt are installed.
I hope that helps with some clarity for that upstream change. :)
Full testing debdiff:
http://www.pbandjelly.org/debian/ca-certificates_20120623-20121114.debdiff
--
Kind regards,
Michael Shuler
my penance: https://twitter.com/mshuler/status/269181404754096128
Attachment:
signature.asc
Description: OpenPGP digital signature