
Bug#962674: marked as done (stretch-pu: package ca-certificates/20200611~deb9u1)



Your message dated Sun, 12 Jul 2020 21:03:18 +0100
with message-id <5eaacb4fd34a2ded56a622378f915711143f88f8.camel@adam-barratt.org.uk>
and subject line Re: Bug#962674: stretch-pu: package ca-certificates/20200611~deb9u1
has caused the Debian Bug report #962674,
regarding stretch-pu: package ca-certificates/20200611~deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
962674: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962674
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi release team,

#911289 resulted in a regression, and the explicitly blacklisted roots have been reverted. One in particular, "GeoTrust Global CA", has caused serious issues noted in #962596. The other reverted roots also remain in the Mozilla CA bundle[0], so #911289 will require additional research and be re-opened when uploaded.

stretch-proposed-updates and stretch-updates both got the previous upload.

I would like to upload ca-certificates_20200611~deb9u1 with the following changes:

----
ca-certificates (20200611~deb9u1) stretch; urgency=medium

   * Rebuild for stretch.
   * This oldstable release Closes: #962596, #942915

-- Michael Shuler <michael@pbandjelly.org> Thu, 11 Jun 2020 09:11:56 -0500

ca-certificates (20200611) unstable; urgency=medium

   * mozilla/blacklist:
     Revert Symantec CA blacklist (#911289). Closes: #962596
     The following root certificates were added back (+):
     + "GeoTrust Global CA"
     + "GeoTrust Primary Certification Authority"
     + "GeoTrust Primary Certification Authority - G2"
     + "GeoTrust Primary Certification Authority - G3"
     + "GeoTrust Universal CA"
     + "thawte Primary Root CA"
     + "thawte Primary Root CA - G2"
     + "thawte Primary Root CA - G3"
     + "VeriSign Class 3 Public Primary Certification Authority - G4"
     + "VeriSign Class 3 Public Primary Certification Authority - G5"
     + "VeriSign Universal Root Certification Authority"

   [ Gianfranco Costamagna ]
   * debian/{rules,control}:
     Merge Ubuntu patch from Matthias Klose to use Python3 during build.
     Closes: #942915

-- Michael Shuler <michael@pbandjelly.org> Thu, 11 Jun 2020 08:38:00 -0500
----

Source debdiff attached.

ca-certificates_20200611~deb9u1 uploaded to mentors[1], RFS will be submitted pending pu approval. Source can be fetched from mentors or the `debian-stretch` git branch, commit c151326dda72f703f7001f655e331b548eb1e411.

Binary debdiff files list matches unstable upload for 20200611 currently on mentors - RFS: #962669.

[0] https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport
[1] https://mentors.debian.net/package/ca-certificates

Kind regards,
Michael

diffstat for ca-certificates-20200601~deb9u1 ca-certificates-20200611~deb9u1

 debian/changelog        |   37 +++++++++++++++++++++++++++----------
 debian/control          |    8 ++++----
 mozilla/Makefile        |    2 +-
 mozilla/blacklist.txt   |   23 -----------------------
 mozilla/certdata2pem.py |    2 +-
 5 files changed, 33 insertions(+), 39 deletions(-)

diff -Nru ca-certificates-20200601~deb9u1/debian/changelog ca-certificates-20200611~deb9u1/debian/changelog
--- ca-certificates-20200601~deb9u1/debian/changelog	2020-06-05 11:52:50.000000000 -0500
+++ ca-certificates-20200611~deb9u1/debian/changelog	2020-06-11 09:11:56.000000000 -0500
@@ -1,16 +1,33 @@
-ca-certificates (20200601~deb9u1) stretch; urgency=medium
+ca-certificates (20200611~deb9u1) stretch; urgency=medium
 
   * Rebuild for stretch.
-  * Merge changes from 20200601
-    - d/control
-  * This release updates the Mozilla CA bundle to 2.40, blacklists
-    distrusted Symantec roots, and blacklists expired "AddTrust External
-    Root". Closes: #956411, #955038, #911289, #961907
-  * Fix permissions on /usr/local/share/ca-certificates when using symlinks.
-    Closes: #916833
-  * Remove email-only roots from mozilla trust store. Closes: #721976
+  * This oldstable release Closes: #962596, #942915
 
- -- Michael Shuler <michael@pbandjelly.org>  Fri, 05 Jun 2020 11:52:50 -0500
+ -- Michael Shuler <michael@pbandjelly.org>  Thu, 11 Jun 2020 09:11:56 -0500
+
+ca-certificates (20200611) unstable; urgency=medium
+
+  * mozilla/blacklist:
+    Revert Symantec CA blacklist (#911289). Closes: #962596
+    The following root certificates were added back (+):
+    + "GeoTrust Global CA"
+    + "GeoTrust Primary Certification Authority"
+    + "GeoTrust Primary Certification Authority - G2"
+    + "GeoTrust Primary Certification Authority - G3"
+    + "GeoTrust Universal CA"
+    + "thawte Primary Root CA"
+    + "thawte Primary Root CA - G2"
+    + "thawte Primary Root CA - G3"
+    + "VeriSign Class 3 Public Primary Certification Authority - G4"
+    + "VeriSign Class 3 Public Primary Certification Authority - G5"
+    + "VeriSign Universal Root Certification Authority"
+
+  [ Gianfranco Costamagna ]
+  * debian/{rules,control}:
+    Merge Ubuntu patch from Matthias Klose to use Python3 during build.
+    Closes: #942915
+
+ -- Michael Shuler <michael@pbandjelly.org>  Thu, 11 Jun 2020 08:38:00 -0500
 
 ca-certificates (20200601) unstable; urgency=medium
 
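Review bot: the top of this hunk deletes the 20200601~deb9u1 stanza instead of adding the new entry above it. The cover message says that upload already reached stretch-proposed-updates and stretch-updates, so its entry and its Closes: list (#956411, #955038, #911289, #961907, #916833, #721976) should stay in the history, with 20200611~deb9u1 stacked on top. The 20200611 entry also lists 11 roots as added back while the blacklist.txt hunk removes 21 names; a line saying why the other 10 are not listed would make the entry self-explanatory.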
diff -Nru ca-certificates-20200601~deb9u1/debian/control ca-certificates-20200611~deb9u1/debian/control
--- ca-certificates-20200601~deb9u1/debian/control	2020-06-05 10:27:08.000000000 -0500
+++ ca-certificates-20200611~deb9u1/debian/control	2020-06-11 09:11:56.000000000 -0500
@@ -3,12 +3,12 @@
 Priority: optional
 Maintainer: Michael Shuler <michael@pbandjelly.org>
 Uploaders: Raphael Geissert <geissert@debian.org>,
-           Thijs Kinkhorst <thijs@debian.org>,
+           Thijs Kinkhorst <thijs@debian.org>
 Build-Depends: debhelper (>= 10), po-debconf
-Build-Depends-Indep: python, openssl
+Build-Depends-Indep: python3, openssl
 Standards-Version: 3.9.8
-Vcs-Git: https://anonscm.debian.org/git/collab-maint/ca-certificates.git
-Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git
+Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
+Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
 
 Package: ca-certificates
 Architecture: all
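Review bot: the "Build-Depends-Indep: python3, openssl" line changes the build toolchain in an upload the cover message presents as a regression fix for #962596, and the Vcs-* move to salsa and the trailing-comma fix on Uploaders are likewise unrelated to the blacklist revert. For an oldstable update I would drop this hunk and limit the diff to mozilla/blacklist.txt and debian/changelog; the replies in this thread also ask for the Python 2 -> 3 build dependency change to be kept out.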
diff -Nru ca-certificates-20200601~deb9u1/mozilla/blacklist.txt ca-certificates-20200611~deb9u1/mozilla/blacklist.txt
--- ca-certificates-20200601~deb9u1/mozilla/blacklist.txt	2020-06-03 12:48:57.000000000 -0500
+++ ca-certificates-20200611~deb9u1/mozilla/blacklist.txt	2020-06-11 09:09:18.000000000 -0500
@@ -11,29 +11,6 @@
 "TURKTRUST Mis-issued Intermediate CA 1"
 "TURKTRUST Mis-issued Intermediate CA 2"
 
-# Distrusted Symantec Root CAs:
-"GeoTrust Global CA"
-"GeoTrust Primary Certification Authority"
-"GeoTrust Primary Certification Authority - G2"
-"GeoTrust Primary Certification Authority - G3"
-"GeoTrust Universal CA"
-"Thawte Premium Server CA"
-"thawte Primary Root CA"
-"thawte Primary Root CA - G2"
-"thawte Primary Root CA - G3"
-"Symantec Class 1 Public Primary Certification Authority - G4"
-"Symantec Class 1 Public Primary Certification Authority - G6"
-"Symantec Class 2 Public Primary Certification Authority - G4"
-"Symantec Class 2 Public Primary Certification Authority - G6"
-"Symantec Class 3 Public Primary Certification Authority - G4"
-"Symantec Class 3 Public Primary Certification Authority - G6"
-"VeriSign Class 1 Public Primary Certification Authority - G3"
-"VeriSign Class 2 Public Primary Certification Authority - G3"
-"VeriSign Class 3 Public Primary Certification Authority - G3"
-"VeriSign Class 3 Public Primary Certification Authority - G4"
-"VeriSign Class 3 Public Primary Certification Authority - G5"
-"VeriSign Universal Root Certification Authority"
-
 # Blacklist expired certificate (Not After : May 30 10:48:38 2020 GMT)
 # See: https://bugs.debian.org/961907
 "AddTrust External Root"
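Review bot: the removed block takes all 21 Symantec entries out with no trace left in the file, while the cover message singles out only "GeoTrust Global CA" as the cause of #962596. Since #911289 is to be re-opened, I would leave a short comment in place of the block recording the revert and pointing at both bugs, in the same style as the "# See: https://bugs.debian.org/961907" line kept below for "AddTrust External Root".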
diff -Nru ca-certificates-20200601~deb9u1/mozilla/certdata2pem.py ca-certificates-20200611~deb9u1/mozilla/certdata2pem.py
--- ca-certificates-20200601~deb9u1/mozilla/certdata2pem.py	2020-06-05 10:27:08.000000000 -0500
+++ ca-certificates-20200611~deb9u1/mozilla/certdata2pem.py	2020-06-11 09:09:18.000000000 -0500
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 # vim:set et sw=4:
 #
 # certdata2pem.py - splits certdata.txt into multiple files
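Review bot: only the shebang changes here (the diffstat shows 2 +- for this file), so the script body is assumed to run unmodified under python3. Please confirm that against the python3 in stretch, or drop this hunk together with the Build-Depends-Indep change in debian/control.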
diff -Nru ca-certificates-20200601~deb9u1/mozilla/Makefile ca-certificates-20200611~deb9u1/mozilla/Makefile
--- ca-certificates-20200601~deb9u1/mozilla/Makefile	2020-06-05 10:27:08.000000000 -0500
+++ ca-certificates-20200611~deb9u1/mozilla/Makefile	2020-06-11 09:09:18.000000000 -0500
@@ -3,7 +3,7 @@
 #
 
 all:
-	python certdata2pem.py
+	python3 certdata2pem.py
 
 clean:
 	-rm -f *.crt
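Review bot: the "all" recipe names the interpreter explicitly, so this line, not the shebang in certdata2pem.py, decides which Python the build runs, and it has to match Build-Depends-Indep in debian/control. If the python3 switch is dropped from the stretch upload, revert this line in the same change so the build does not call an interpreter that is missing from the build dependencies.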

--- End Message ---
--- Begin Message ---
On Sun, 2020-06-14 at 10:46 +0100, Adam D. Barratt wrote:
> Hi Michael,
> 
> On Fri, 2020-06-12 at 08:21 -0500, Michael Shuler wrote:
> > On 6/12/20 7:36 AM, Adrian Bunk wrote:
[...]
> > > > > Unrelated to that, please keep the Python 2 -> 3 build
> > > > > dependency
> > > > > change out of this emergency update.
> > > > 
> > > > ACK.
> > 
> > Will do, thank you both.
> 
> How are things looking with the new update?

Unfortunately we've just closed the update window for the final stretch
point release from the SRM perspective.

Regards,

Adam

--- End Message ---
