On Fri, Jun 05, 2020 at 08:06:28AM -0500, Michael Shuler wrote: > On 6/5/20 4:15 AM, Adrian Bunk wrote: > > Compared to 20200601 and 20200601~deb10u1 this contains the following > > additional files: > > > > /usr/share/ca-certificates/mozilla/AddTrust_Low-Value_Services_Root.crt > > /usr/share/ca-certificates/mozilla/Camerfirma_Chambers_of_Commerce_Root.crt > > /usr/share/ca-certificates/mozilla/Camerfirma_Global_Chambersign_Root.crt > > /usr/share/ca-certificates/mozilla/Certum_Root_CA.crt > > /usr/share/ca-certificates/mozilla/D-TRUST_Root_CA_3_2013.crt > > /usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-_G2.crt > > /usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt > > /usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt > > /usr/share/doc/ca-certificates/NEWS.Debian.gz > > > > The additional NEWS.Debian.gz is either correct or harmless, > > the additional certificates are not. > > > > This is due to the backport missing the "Remove email-only roots from > > mozilla trust store" (#721976) change that is in 20200601. > > Great catch, thanks, result of using currentver~debXuY as discussed with > some people for better update recognition, while backporting as little as > possible.
Except for keeping debian/NEWS you were actually backporting everything that was possible, this was not a 20161130+nmu1+deb9u2 release that cherry-picked only one or few changes. Given the nature of ca-certificates it was IMHO the correct decision to backport as much as possible, it is just not "backporting as little as possible". Since similar updates to stable releases might happen in the future, I would recommend that you try to get build and runtime dependencies in unstable to a level that allows rebuilding the package in all supported Debian releases. For compatibility with buster this would include staying at dh compat <= 12. "Backporting everything possible" changes are often safest when the only change in the ~deb10u1 source package is the entry in debian/changelog. >... > > Please update the stretch-pu request with that fixed and let me know > > when the corrected debdiff is approved. > > Will do, thank you for the feedback. Thanks for your work on ca-certificates. > Kind regards, > Michael cu Adrian