
Bug#962672: buster-pu: package ca-certificates/20200611~deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi release team,

#911289 resulted in a regression, and the explicitly blacklisted roots have been reverted. One in particular, "GeoTrust Global CA", has caused serious issues noted in #962596. The other reverted roots also remain in the Mozilla CA bundle[0], so #911289 will require additional research and be re-opened when uploaded.

buster-proposed-updates and buster-updates both got the previous upload.

I would like to upload ca-certificates_20200611~deb10u1 with the following changes:

----
ca-certificates (20200611~deb10u1) buster; urgency=medium

  * Rebuild for buster.
  * This stable release Closes: #962596, #942915

-- Michael Shuler <michael@pbandjelly.org> Thu, 11 Jun 2020 09:07:27 -0500

ca-certificates (20200611) unstable; urgency=medium

  * mozilla/blacklist:
    Revert Symantec CA blacklist (#911289). Closes: #962596
    The following root certificates were added back (+):
    + "GeoTrust Global CA"
    + "GeoTrust Primary Certification Authority"
    + "GeoTrust Primary Certification Authority - G2"
    + "GeoTrust Primary Certification Authority - G3"
    + "GeoTrust Universal CA"
    + "thawte Primary Root CA"
    + "thawte Primary Root CA - G2"
    + "thawte Primary Root CA - G3"
    + "VeriSign Class 3 Public Primary Certification Authority - G4"
    + "VeriSign Class 3 Public Primary Certification Authority - G5"
    + "VeriSign Universal Root Certification Authority"

  [ Gianfranco Costamagna ]
  * debian/{rules,control}:
    Merge Ubuntu patch from Matthias Klose to use Python3 during build.
    Closes: #942915

-- Michael Shuler <michael@pbandjelly.org> Thu, 11 Jun 2020 08:38:00 -0500
----

Source debdiff attached.

ca-certificates_20200611~deb10u1 uploaded to mentors[1], RFS will be submitted pending pu approval. Source can be fetched from mentors or the `debian-buster` git branch, commit 442fd47f4831483b72329e0df1f6260e4a91ab36.

Binary debdiff files list matches unstable upload for 20200611 currently on mentors - RFS: #962669.

[0] https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport
[1] https://mentors.debian.net/package/ca-certificates

Kind regards,
Michael
diffstat for ca-certificates-20200601~deb10u1 ca-certificates-20200611~deb10u1

 debian/changelog        |   34 +++++++++++++++++++++++++++-------
 debian/control          |    2 +-
 mozilla/Makefile        |    2 +-
 mozilla/blacklist.txt   |   23 -----------------------
 mozilla/certdata2pem.py |    2 +-
 5 files changed, 30 insertions(+), 33 deletions(-)

diff -Nru ca-certificates-20200601~deb10u1/debian/changelog ca-certificates-20200611~deb10u1/debian/changelog
--- ca-certificates-20200601~deb10u1/debian/changelog	2020-06-03 13:09:34.000000000 -0500
+++ ca-certificates-20200611~deb10u1/debian/changelog	2020-06-11 09:07:27.000000000 -0500
@@ -1,13 +1,33 @@
-ca-certificates (20200601~deb10u1) buster; urgency=medium
+ca-certificates (20200611~deb10u1) buster; urgency=medium
 
   * Rebuild for buster.
-  * Merge changes from 20200601
-    - d/control; set d/gbp.conf branch to debian-buster
-  * This release updates the Mozilla CA bundle to 2.40, blacklists
-    distrusted Symantec roots, and blacklists expired "AddTrust External
-    Root". Closes: #956411, #955038, #911289, #961907
+  * This stable release Closes: #962596, #942915
 
- -- Michael Shuler <michael@pbandjelly.org>  Wed, 03 Jun 2020 13:09:34 -0500
+ -- Michael Shuler <michael@pbandjelly.org>  Thu, 11 Jun 2020 09:07:27 -0500
+
+ca-certificates (20200611) unstable; urgency=medium
+
+  * mozilla/blacklist:
+    Revert Symantec CA blacklist (#911289). Closes: #962596
+    The following root certificates were added back (+):
+    + "GeoTrust Global CA"
+    + "GeoTrust Primary Certification Authority"
+    + "GeoTrust Primary Certification Authority - G2"
+    + "GeoTrust Primary Certification Authority - G3"
+    + "GeoTrust Universal CA"
+    + "thawte Primary Root CA"
+    + "thawte Primary Root CA - G2"
+    + "thawte Primary Root CA - G3"
+    + "VeriSign Class 3 Public Primary Certification Authority - G4"
+    + "VeriSign Class 3 Public Primary Certification Authority - G5"
+    + "VeriSign Universal Root Certification Authority"
+
+  [ Gianfranco Costamagna ]
+  * debian/{rules,control}:
+    Merge Ubuntu patch from Matthias Klose to use Python3 during build.
+    Closes: #942915
+
+ -- Michael Shuler <michael@pbandjelly.org>  Thu, 11 Jun 2020 08:38:00 -0500
 
 ca-certificates (20200601) unstable; urgency=medium
 
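
Review bot: The top of this hunk replaces the 20200601~deb10u1 stanza instead of adding the new stanza above it, so the buster changelog loses the record of the Mozilla bundle 2.40 update, the "AddTrust External Root" blacklisting and the closures of #956411, #955038, #911289 and #961907, for an upload the request says already reached buster-proposed-updates and buster-updates. Keep the old stanza and put 20200611~deb10u1 on top of it. The new "This stable release Closes: #962596, #942915" line would also be easier to audit with a short statement of what changes for buster users (the Symantec blacklist revert).
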
diff -Nru ca-certificates-20200601~deb10u1/debian/control ca-certificates-20200611~deb10u1/debian/control
--- ca-certificates-20200601~deb10u1/debian/control	2020-06-03 13:09:34.000000000 -0500
+++ ca-certificates-20200611~deb10u1/debian/control	2020-06-11 09:07:27.000000000 -0500
@@ -5,7 +5,7 @@
 Uploaders: Raphael Geissert <geissert@debian.org>,
            Thijs Kinkhorst <thijs@debian.org>
 Build-Depends: debhelper-compat (= 12), po-debconf
-Build-Depends-Indep: python, openssl
+Build-Depends-Indep: python3, openssl
 Standards-Version: 4.3.0.1
 Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
 Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
diff -Nru ca-certificates-20200601~deb10u1/mozilla/blacklist.txt ca-certificates-20200611~deb10u1/mozilla/blacklist.txt
--- ca-certificates-20200601~deb10u1/mozilla/blacklist.txt	2020-06-03 12:48:57.000000000 -0500
+++ ca-certificates-20200611~deb10u1/mozilla/blacklist.txt	2020-06-11 09:07:27.000000000 -0500
@@ -11,29 +11,6 @@
 "TURKTRUST Mis-issued Intermediate CA 1"
 "TURKTRUST Mis-issued Intermediate CA 2"
 
-# Distrusted Symantec Root CAs:
-"GeoTrust Global CA"
-"GeoTrust Primary Certification Authority"
-"GeoTrust Primary Certification Authority - G2"
-"GeoTrust Primary Certification Authority - G3"
-"GeoTrust Universal CA"
-"Thawte Premium Server CA"
-"thawte Primary Root CA"
-"thawte Primary Root CA - G2"
-"thawte Primary Root CA - G3"
-"Symantec Class 1 Public Primary Certification Authority - G4"
-"Symantec Class 1 Public Primary Certification Authority - G6"
-"Symantec Class 2 Public Primary Certification Authority - G4"
-"Symantec Class 2 Public Primary Certification Authority - G6"
-"Symantec Class 3 Public Primary Certification Authority - G4"
-"Symantec Class 3 Public Primary Certification Authority - G6"
-"VeriSign Class 1 Public Primary Certification Authority - G3"
-"VeriSign Class 2 Public Primary Certification Authority - G3"
-"VeriSign Class 3 Public Primary Certification Authority - G3"
-"VeriSign Class 3 Public Primary Certification Authority - G4"
-"VeriSign Class 3 Public Primary Certification Authority - G5"
-"VeriSign Universal Root Certification Authority"
-
 # Blacklist expired certificate (Not After : May 30 10:48:38 2020 GMT)
 # See: https://bugs.debian.org/961907
 "AddTrust External Root"
diff -Nru ca-certificates-20200601~deb10u1/mozilla/certdata2pem.py ca-certificates-20200611~deb10u1/mozilla/certdata2pem.py
--- ca-certificates-20200601~deb10u1/mozilla/certdata2pem.py	2020-06-03 13:09:34.000000000 -0500
+++ ca-certificates-20200611~deb10u1/mozilla/certdata2pem.py	2020-06-11 09:07:27.000000000 -0500
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 # vim:set et sw=4:
 #
 # certdata2pem.py - splits certdata.txt into multiple files
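
Review bot: Only the shebang on line 1 changes here, so the rest of the script is assumed to run unchanged under Python 3. For a stable update, confirm that the .crt files generated with python3 are byte-identical to those from the previous python build, apart from the roots restored by the blacklist change, and say so in the request.
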
diff -Nru ca-certificates-20200601~deb10u1/mozilla/Makefile ca-certificates-20200611~deb10u1/mozilla/Makefile
--- ca-certificates-20200601~deb10u1/mozilla/Makefile	2020-06-03 12:59:51.000000000 -0500
+++ ca-certificates-20200611~deb10u1/mozilla/Makefile	2020-06-11 09:07:27.000000000 -0500
@@ -3,7 +3,7 @@
 #
 
 all:
-	python certdata2pem.py
+	python3 certdata2pem.py
 
 clean:
 	-rm -f *.crt
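
Review bot: The changelog attributes the Python 3 switch to debian/{rules,control}, but the interpreter call that changes is the "python3 certdata2pem.py" line in the "all:" target of mozilla/Makefile, and debian/rules does not appear in the diffstat. Name mozilla/Makefile and mozilla/certdata2pem.py in the changelog entry, or explain why debian/rules is listed.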
