Hi everyone,

In looking at fixing #858539 (blocking WoSign and StartCom, in CC) for wheezy, I noticed the issue was also pending in jessie. Furthermore, the idea originally raised by pabs[1] was to also update the packages for the latest changes in certdata.txt in wheezy, including the ISRG Root for Let's Encrypt (LE).

While it should be fairly trivial to do this update, I wonder if the same logic should apply to jessie itself. Right now, jessie and stretch are synchronized, but that's only because there's an update pending in unstable to synchronize with the upstream 2.11 NSS database. This raises the question of how synchronized we want this file to be. It seems a little arbitrary to me to synchronize the file from jessie to wheezy only for this one certificate authority (LE). How about the other authorities? It doesn't seem like we should be calling the shots on this: if we follow the Mozilla policies here, either we update all supported suites at once, or we accept that some suites will have outdated material.

I have therefore opened this specific discussion with the release team in #867461 (in CC as well). Hopefully this will bring a consistent policy.

For what it's worth, my opinion is that we should attempt to synchronize certdata.txt (and blacklist.txt, for that matter) across all suites (but not other changes to the packaging). This would remove another decision point in our infrastructure and ensure harmonious X509 processing across suites.

[1]: https://lists.debian.org/[email protected]

Thanks for any feedback. For now I'll hold on another week or so for the wheezy update, since it seems unreasonable to push that update out before jessie is updated and that question is resolved.

A.

-- 
We won't have a society if we destroy the environment. - Margaret Mead
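The mail above asks how far certdata.txt (and blacklist.txt) drift between suites. The script below is an added example, not code from the mail or from the ca-certificates package: it parses two certdata.txt files, applies a blacklist.txt, and reports which server-auth trust anchors one suite would ship that the other would not. It assumes the NSS certdata.txt object layout (objects starting at a CKA_CLASS line, labels as `CKA_LABEL UTF8 "..."`, trust objects of class CKO_NSS_TRUST carrying CKA_TRUST_SERVER_AUTH, binary fields as MULTILINE_OCTAL ... END blocks), a blacklist.txt of one label per line with `#` comments, and the Debian rule that only certificates whose trust object is CKT_NSS_TRUSTED_DELEGATOR for server auth are shipped. The sample certdata and blacklist content, and the "Example Root" labels, are constructed for the example.

```python
"""Compare the server-auth trust anchors two certdata.txt snapshots produce.

Added example (not the mail's or the ca-certificates package's own code).
Assumptions: NSS certdata.txt object layout, Debian-style blacklist.txt
(one label per line, '#' comments), and that only CKT_NSS_TRUSTED_DELEGATOR
server-auth trust objects become shipped anchors.
"""

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"


def parse_certdata(text):
    """Split certdata.txt into a list of {attribute: value} dicts.

    A new object starts at each CKA_CLASS line. MULTILINE_OCTAL blocks run
    until a line reading END and are kept as the raw escaped byte text.
    """
    objects = []
    current = None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if (not line or line.startswith("#") or line == "BEGINDATA"
                or line.startswith("CVS_ID")):
            continue
        attr, typ, value = (line.split(None, 2) + [""])[:3]
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None:
            raise ValueError("attribute before any CKA_CLASS: %r" % line)
        if typ == "MULTILINE_OCTAL":
            chunks = []
            for raw2 in lines:          # consume the block up to END
                if raw2.strip() == "END":
                    break
                chunks.append(raw2.strip())
            current[attr] = "".join(chunks)
        elif typ == "UTF8":
            current[attr] = value.strip('"')
        else:
            current[attr] = value
    return objects


def load_blacklist(text):
    """Labels the distribution drops; '#' starts a comment."""
    labels = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            labels.add(line)
    return labels


def trust_anchors(certdata_text, blacklist_text=""):
    """Labels that end up as server-auth trust anchors after the blacklist."""
    blacklisted = load_blacklist(blacklist_text)
    anchors = set()
    for obj in parse_certdata(certdata_text):
        if obj.get("CKA_CLASS") != "CKO_NSS_TRUST":
            continue   # certificate bodies carry no trust decision
        label = obj.get("CKA_LABEL", "")
        if obj.get("CKA_TRUST_SERVER_AUTH") == TRUSTED and label not in blacklisted:
            anchors.add(label)
    return frozenset(anchors)


def compare_suites(old_text, new_text, blacklist_text=""):
    """Anchors gained and lost when moving from one certdata.txt to another."""
    old = trust_anchors(old_text, blacklist_text)
    new = trust_anchors(new_text, blacklist_text)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


# Constructed sample data (labels and octal bytes are made up).
OLD_CERTDATA = r"""
# Certificate "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root A"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001
END

# Trust for "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Trust for "Example Root B"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

NEW_CERTDATA = OLD_CERTDATA.replace(
    'CKA_LABEL UTF8 "Example Root B"\nCKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR',
    'CKA_LABEL UTF8 "Example Root B"\nCKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED',
) + r"""
# Trust for "ISRG Root X1"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "ISRG Root X1"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

BLACKLIST = "# constructed: labels the distribution refuses to ship\nExample Root A\n"

if __name__ == "__main__":
    print(compare_suites(OLD_CERTDATA, NEW_CERTDATA))
    print(sorted(trust_anchors(NEW_CERTDATA, BLACKLIST)))
```

Run against the real mozilla/certdata.txt from two suites' source packages (with the suite's blacklist.txt), `compare_suites` gives the concrete list of authorities that would be gained or lost by synchronizing, which is the information the policy question above turns on.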
