Bug#962672: marked as done (buster-pu: package ca-certificates/20200611~deb10u1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #962672,
regarding buster-pu: package ca-certificates/20200611~deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
962672: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962672
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: buster-pu: package ca-certificates/20200611~deb10u1
• From: Michael Shuler <michael@pbandjelly.org>
• Date: Thu, 11 Jun 2020 13:25:13 -0500
• Message-id: <81252130-60bc-e87d-3581-0b45cdc65bf2@pbandjelly.org>

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi release team,

#911289 resulted in a regression, and the explicitly blacklisted roots have been reverted. One in particular, "GeoTrust Global CA", has caused serious issues noted in #962596. The other reverted roots also remain in the Mozilla CA bundle[0], so #911289 will require additional research and be re-opened when uploaded.

buster-proposed-updates and buster-updates both got the previous upload.

I would like to upload ca-certificates_20200611~deb10u1 with the following changes:

----
ca-certificates (20200611~deb10u1) buster; urgency=medium

  * Rebuild for buster.
  * This stable release Closes: #962596, #942915

-- Michael Shuler <michael@pbandjelly.org> Thu, 11 Jun 2020 09:07:27 -0500

ca-certificates (20200611) unstable; urgency=medium

  * mozilla/blacklist:
    Revert Symantec CA blacklist (#911289). Closes: #962596
    The following root certificates were added back (+):
    + "GeoTrust Global CA"
    + "GeoTrust Primary Certification Authority"
    + "GeoTrust Primary Certification Authority - G2"
    + "GeoTrust Primary Certification Authority - G3"
    + "GeoTrust Universal CA"
    + "thawte Primary Root CA"
    + "thawte Primary Root CA - G2"
    + "thawte Primary Root CA - G3"
    + "VeriSign Class 3 Public Primary Certification Authority - G4"
    + "VeriSign Class 3 Public Primary Certification Authority - G5"
    + "VeriSign Universal Root Certification Authority"

  [ Gianfranco Costamagna ]
  * debian/{rules,control}:
    Merge Ubuntu patch from Matthias Klose to use Python3 during build.
    Closes: #942915

-- Michael Shuler <michael@pbandjelly.org> Thu, 11 Jun 2020 08:38:00 -0500

----

Source debdiff attached.

ca-certificates_20200611~deb10u1 uploaded to mentors[1], RFS will be submitted pending pu approval. Source can be fetched from mentors or the `debian-buster` git branch, commit 442fd47f4831483b72329e0df1f6260e4a91ab36.

Binary debdiff files list matches unstable upload for 20200611 currently on mentors - RFS: #962669.

[0] https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport

[1] https://mentors.debian.net/package/ca-certificates

Kind regards,
Michael

diffstat for ca-certificates-20200601~deb10u1 ca-certificates-20200611~deb10u1

 debian/changelog        |   34 +++++++++++++++++++++++++++-------
 debian/control          |    2 +-
 mozilla/Makefile        |    2 +-
 mozilla/blacklist.txt   |   23 -----------------------
 mozilla/certdata2pem.py |    2 +-
 5 files changed, 30 insertions(+), 33 deletions(-)

diff -Nru ca-certificates-20200601~deb10u1/debian/changelog ca-certificates-20200611~deb10u1/debian/changelog
--- ca-certificates-20200601~deb10u1/debian/changelog	2020-06-03 13:09:34.000000000 -0500
+++ ca-certificates-20200611~deb10u1/debian/changelog	2020-06-11 09:07:27.000000000 -0500
@@ -1,13 +1,33 @@
-ca-certificates (20200601~deb10u1) buster; urgency=medium
+ca-certificates (20200611~deb10u1) buster; urgency=medium
 
   * Rebuild for buster.
-  * Merge changes from 20200601
-    - d/control; set d/gbp.conf branch to debian-buster
-  * This release updates the Mozilla CA bundle to 2.40, blacklists
-    distrusted Symantec roots, and blacklists expired "AddTrust External
-    Root". Closes: #956411, #955038, #911289, #961907
+  * This stable release Closes: #962596, #942915
 
- -- Michael Shuler <michael@pbandjelly.org>  Wed, 03 Jun 2020 13:09:34 -0500
+ -- Michael Shuler <michael@pbandjelly.org>  Thu, 11 Jun 2020 09:07:27 -0500
+
+ca-certificates (20200611) unstable; urgency=medium
+
+  * mozilla/blacklist:
+    Revert Symantec CA blacklist (#911289). Closes: #962596
+    The following root certificates were added back (+):
+    + "GeoTrust Global CA"
+    + "GeoTrust Primary Certification Authority"
+    + "GeoTrust Primary Certification Authority - G2"
+    + "GeoTrust Primary Certification Authority - G3"
+    + "GeoTrust Universal CA"
+    + "thawte Primary Root CA"
+    + "thawte Primary Root CA - G2"
+    + "thawte Primary Root CA - G3"
+    + "VeriSign Class 3 Public Primary Certification Authority - G4"
+    + "VeriSign Class 3 Public Primary Certification Authority - G5"
+    + "VeriSign Universal Root Certification Authority"
+
+  [ Gianfranco Costamagna ]
+  * debian/{rules,control}:
+    Merge Ubuntu patch from Matthias Klose to use Python3 during build.
+    Closes: #942915
+
+ -- Michael Shuler <michael@pbandjelly.org>  Thu, 11 Jun 2020 08:38:00 -0500
 
 ca-certificates (20200601) unstable; urgency=medium
 
diff -Nru ca-certificates-20200601~deb10u1/debian/control ca-certificates-20200611~deb10u1/debian/control
--- ca-certificates-20200601~deb10u1/debian/control	2020-06-03 13:09:34.000000000 -0500
+++ ca-certificates-20200611~deb10u1/debian/control	2020-06-11 09:07:27.000000000 -0500
@@ -5,7 +5,7 @@
 Uploaders: Raphael Geissert <geissert@debian.org>,
            Thijs Kinkhorst <thijs@debian.org>
 Build-Depends: debhelper-compat (= 12), po-debconf
-Build-Depends-Indep: python, openssl
+Build-Depends-Indep: python3, openssl
 Standards-Version: 4.3.0.1
 Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
 Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
diff -Nru ca-certificates-20200601~deb10u1/mozilla/blacklist.txt ca-certificates-20200611~deb10u1/mozilla/blacklist.txt
--- ca-certificates-20200601~deb10u1/mozilla/blacklist.txt	2020-06-03 12:48:57.000000000 -0500
+++ ca-certificates-20200611~deb10u1/mozilla/blacklist.txt	2020-06-11 09:07:27.000000000 -0500
@@ -11,29 +11,6 @@
 "TURKTRUST Mis-issued Intermediate CA 1"
 "TURKTRUST Mis-issued Intermediate CA 2"
 
-# Distrusted Symantec Root CAs:
-"GeoTrust Global CA"
-"GeoTrust Primary Certification Authority"
-"GeoTrust Primary Certification Authority - G2"
-"GeoTrust Primary Certification Authority - G3"
-"GeoTrust Universal CA"
-"Thawte Premium Server CA"
-"thawte Primary Root CA"
-"thawte Primary Root CA - G2"
-"thawte Primary Root CA - G3"
-"Symantec Class 1 Public Primary Certification Authority - G4"
-"Symantec Class 1 Public Primary Certification Authority - G6"
-"Symantec Class 2 Public Primary Certification Authority - G4"
-"Symantec Class 2 Public Primary Certification Authority - G6"
-"Symantec Class 3 Public Primary Certification Authority - G4"
-"Symantec Class 3 Public Primary Certification Authority - G6"
-"VeriSign Class 1 Public Primary Certification Authority - G3"
-"VeriSign Class 2 Public Primary Certification Authority - G3"
-"VeriSign Class 3 Public Primary Certification Authority - G3"
-"VeriSign Class 3 Public Primary Certification Authority - G4"
-"VeriSign Class 3 Public Primary Certification Authority - G5"
-"VeriSign Universal Root Certification Authority"
-
 # Blacklist expired certificate (Not After : May 30 10:48:38 2020 GMT)
 # See: https://bugs.debian.org/961907
 "AddTrust External Root"
diff -Nru ca-certificates-20200601~deb10u1/mozilla/certdata2pem.py ca-certificates-20200611~deb10u1/mozilla/certdata2pem.py
--- ca-certificates-20200601~deb10u1/mozilla/certdata2pem.py	2020-06-03 13:09:34.000000000 -0500
+++ ca-certificates-20200611~deb10u1/mozilla/certdata2pem.py	2020-06-11 09:07:27.000000000 -0500
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 # vim:set et sw=4:
 #
 # certdata2pem.py - splits certdata.txt into multiple files
diff -Nru ca-certificates-20200601~deb10u1/mozilla/Makefile ca-certificates-20200611~deb10u1/mozilla/Makefile
--- ca-certificates-20200601~deb10u1/mozilla/Makefile	2020-06-03 12:59:51.000000000 -0500
+++ ca-certificates-20200611~deb10u1/mozilla/Makefile	2020-06-11 09:07:27.000000000 -0500
@@ -3,7 +3,7 @@
 #
 
 all:
-	python certdata2pem.py
+	python3 certdata2pem.py
 
 clean:
 	-rm -f *.crt

--- End Message ---

--- Begin Message ---

• To: 955277-done@bugs.debian.org, 962152-done@bugs.debian.org, 962672-done@bugs.debian.org, 970745-done@bugs.debian.org, 972149-done@bugs.debian.org, 973342-done@bugs.debian.org, 973706-done@bugs.debian.org, 975932-done@bugs.debian.org, 976094-done@bugs.debian.org, 976392-done@bugs.debian.org, 976423-done@bugs.debian.org, 976432-done@bugs.debian.org, 977172-done@bugs.debian.org, 977511-done@bugs.debian.org, 977520-done@bugs.debian.org, 977735-done@bugs.debian.org, 977782-done@bugs.debian.org, 977895-done@bugs.debian.org, 977978-done@bugs.debian.org, 978091-done@bugs.debian.org, 978157-done@bugs.debian.org, 979072-done@bugs.debian.org, 979074-done@bugs.debian.org, 979724-done@bugs.debian.org, 979749-done@bugs.debian.org, 980133-done@bugs.debian.org, 980201-done@bugs.debian.org, 980259-done@bugs.debian.org, 980268-done@bugs.debian.org, 980453-done@bugs.debian.org, 980458-done@bugs.debian.org, 980491-done@bugs.debian.org, 980762-done@bugs.debian.org, 980799-done@bugs.debian.org, 980802-done@bugs.debian.org, 980835-done@bugs.debian.org, 980857-done@bugs.debian.org, 980919-done@bugs.debian.org, 980938-done@bugs.debian.org, 980962-done@bugs.debian.org, 981002-done@bugs.debian.org, 981035-done@bugs.debian.org, 981047-done@bugs.debian.org, 981059-done@bugs.debian.org, 981096-done@bugs.debian.org, 981239-done@bugs.debian.org, 981271-done@bugs.debian.org, 981292-done@bugs.debian.org, 981339-done@bugs.debian.org, 981345-done@bugs.debian.org
• Subject: Closing p-u bugs for updates in 10.8
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 06 Feb 2021 10:39:26 +0000
• Message-id: <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk>

Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's
10.8 point release.

Regards,

Adam

--- End Message ---