On 6/5/20 10:37 AM, Adam D. Barratt wrote:
On Thu, 2020-06-04 at 20:48 -0500, Michael Shuler wrote:Thanks again, uploaded to mentors: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates https://bugs.debian.org/962245
I re-uploaded to mentors the updated 20200601~deb9u1 package artifacts with the suggested changes committed.
I see there was some additional feedback on the RFS, which is why this hasn't been uploaded yet. It makes sense to combine the release via stretch-updates and buster- updates, so we can release a single SUA and users don't have to stagger updates. On that basis, I'll hold off on that until we have more idea what's happening with the stretch update.
Yes, Adrian was super helpful with this style of backporting latest. With that advice, here is the current package debdiff from latest version, which gets us where we want:
----$ debdiff ca-certificates_20200601_all.deb ca-certificates_20200601~deb9u1_all.deb
File lists identical (after any substitutions)
Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: openssl (>= [-1.1.1),-] {+1.0.0),+} debconf (>= 0.5) | debconf-2.0
Installed-Size: [-381-] {+380+}
Version: [-20200601-] {+20200601~deb9u1+}
----
Updated changelog adds the removal of email-only roots from stretch:
----
ca-certificates (20200601~deb9u1) stretch; urgency=medium
* Rebuild for stretch.
* Merge changes from 20200601
- d/control
* This release updates the Mozilla CA bundle to 2.40, blacklists
distrusted Symantec roots, and blacklists expired "AddTrust External
Root". Closes: #956411, #955038, #911289, #961907
* Fix permissions on /usr/local/share/ca-certificates when using
symlinks.
Closes: #916833
* Remove email-only roots from mozilla trust store. Closes: #721976
----
Attached is the updated debdiff.gz from oldstable->this_backport and
those stats:
----diffstat for ca-certificates-20161130+nmu1+deb9u1 ca-certificates-20200601~deb9u1
.gitignore | 12 debian/NEWS | 393 --- debian/ca-certificates.postinst | 8 debian/changelog | 231 + debian/copyright | 14 mozilla/blacklist.txt | 54mozilla/certdata.txt | 4927 ++++++++++++++++++++--------------------
mozilla/certdata2pem.py | 2 mozilla/nssckbi.h | 6 9 files changed, 2734 insertions(+), 2913 deletions(-) ---- Kind regards, Michael Shuler
Attachment:
ca-certificates_20200601~deb9u1.debdiff.gz
Description: application/gzip