Thanks for your answer, Julien.

On 23/02/26 at 17:40, Julien Cristau wrote:
>
>
> On 12/17/25 13:04, Santiago Ruano Rincón wrote:
> > Hello,
> >
> > On 03/06/25 at 14:18, William David Edwards wrote:
> > > Package: ca-certificates
> > > Version: 20240203
> > >
> > > Version 20240203 contains new CAs, most notably Sectigo Public Server
> > > Authentication Root. Sectigo seems to have recently started issuing
> > > certificates with this new root certificate. Please consider migrating
> > > 20240203 to stable, as its absence will most definitely cause userland
> > > issues.
> > AFAICS, the actual affected version here was 20230311 from bookworm,
> > since bookworm was the stable version when this bug was filed, on
> > 2025-06-03.
> >
> > This was fixed with 20230311+deb12u1:
> > https://tracker.debian.org/news/1648789/accepted-ca-certificates-20230311deb12u1-source-into-proposed-updates/,
> > and actually could be (force)merged with #1095913.
> >
> > I don't want to step on the maintainer's toes, so unless Julien agrees
> > on that, I am not planning to change the status of this bug.
> I think there's 2 issues at play here:
> - the specific case of that Sectigo root, which as you said was resolved
> - what to do about new CA certificates in stable more generally.

You're right!

> Historically root CAs were around for decades, so updating the trust store
> once every couple of years was more than sufficient. In recent years CA
> lifetimes have reduced significantly, so this has become an issue. I would
> like to start updating the package more regularly, but have been struggling
> to find the spare time to even keep up in unstable so far...

Would you like to have some help on that?

Regarding what to do about changes in CA certificates in maintained Debian releases, I wonder what the best approach is (version backports from testing versus picking new CA certificates and changes from testing). I know that there have been regressions because of new versions, e.g. #962596, but I am not sure that cherry-picking changes is less risky. Do you have any thoughts on that?

All the best,

-- 
Santiago

