Bug#962672: buster-pu: package ca-certificates/20200611~deb10u1
On 6/12/20 7:36 AM, Adrian Bunk wrote:
On Fri, Jun 12, 2020 at 08:40:29AM +0100, Adam D. Barratt wrote:
On Fri, 2020-06-12 at 00:50 +0300, Adrian Bunk wrote:
Control: tags 962669 moreinfo
On Thu, Jun 11, 2020 at 08:18:38PM +0100, Adam D. Barratt wrote:
On Thu, 2020-06-11 at 13:48 -0500, Michael Shuler wrote:
On 6/11/20 1:33 PM, Adam D. Barratt wrote:

Just to confirm - will the certificates be automatically re-added (assuming that users have either the automatically trust or prompt options enabled)? (stretch-pu report cc'ed, since same applies)

Excellent question. I believe we're going to hit #743339 "Previously removed certificates not added again". I had not found a reasonable fix for that case in general, to preserve a user's selections. Maybe a "good enough" fix will have to do for the specific ones added back.

OK. In that case, how does this seem as an SUA text?

[...] use the affected certificates, you may need to manually enable them by running "dpkg-reconfigure ca-certificates" as root.

This does not work in various embedded scenarios.

Wouldn't embedded setups be more likely to have a hard-coded configuration?

The official way to hardcode CA configuration would be through debconf or /etc/ca-certificates.conf, which runs into #743339. If you are really security-focussed you might pin the actual certificate instead of trusting a CA. For the average embedded device the only thing that matters about ca-certificates is something like "https works". Would it work to force-enable them in /etc/ca-certificates.conf from the preinst when upgrading from old-version matching 20200601* ?

This could actually be done in the postinst before the debconf configuration, something like

sed -i "s|^\!mozilla/GeoTrust_Global_CA.crt|mozilla/GeoTrust_Global_CA.crt|" /etc/ca-certificates.conf

for all affected certificates when $2 matches 20200601*

This is what I was working on last night, there is an old dpkg --compare-versions example in postinst, and that is similar to the action I had in mind. I intend to sed all in the list we blacklisted, since they remain in the bundle, so we're not here next week with another of the date or intermediate exceptions in NSS. If there is objection to this, please let me know.

I'll leave the technical answer to Michael. Practically, it's then not great for users who had intentionally removed the certificates - or simply decided not to trust them in the first place - prior to the upgrade. I'm not sure how we could distinguish the cases automatically.

The default is to trust all new certificates, so this is what the vast majority of users are using. #743339 is primarily about this kind of remove+readd in the package being the only way how any installed certificate could end up being deactivated in the default situation. This is permanent damage that can lead to nasty problems months or years later. There are likely some users somewhere who have manually activated or deactivated these specific certificates, but this is nothing we can handle correctly in both directions now.

This is exactly the kind of behavior I think we'd like to preserve, so we don't stomp on a previous intentional trust setting and blindly enable, but I think this specific list of blacklisted certs being re-enabled, if specifically 20200601* is installed, should work. The default "yes" trust and re-enable of these may be the "good enough" fix, while #743339 is still an issue. That should hit way over 80% use case, if we consider an 80/20 split.

For what it's worth, with additional testing after this, I believe I may have found one of the "save but disable" causes of #743339, after staring at ca-certificates.conf creation, upgrades, etc. in postinst and the debconf ca-certificates.config contents. It won't fix existing trust ^!'s, but would help on future root removals - later on that bug.

Unrelated to that, please keep the Python 2 -> 3 build dependency change out of this emergency update.

ACK. Will do, thank you both.

Kind regards,
Michael
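The postinst approach discussed in the thread above, as an added example rather than the ca-certificates package's own postinst: re-enable only the roots the 20200611 revert adds back, and only when the previously installed version is a 20200601 upload. It assumes certdata2pem's naming, with spaces in the CKA_LABEL becoming underscores (the thread shows this for mozilla/GeoTrust_Global_CA.crt); the function names and the sample configuration in the test are this example's own.

```sh
#!/bin/sh
# Added example; not the ca-certificates postinst itself.
# In /etc/ca-certificates.conf a line "mozilla/Foo.crt" enables a root and
# "!mozilla/Foo.crt" keeps it installed but deactivated. The 20200601 upload
# deactivated the roots below through the blacklist; 20200611 adds them back.

# Labels exactly as listed in the 20200611 changelog.
REVERTED_LABELS='GeoTrust Global CA
GeoTrust Primary Certification Authority
GeoTrust Primary Certification Authority - G2
GeoTrust Primary Certification Authority - G3
GeoTrust Universal CA
thawte Primary Root CA
thawte Primary Root CA - G2
thawte Primary Root CA - G3
VeriSign Class 3 Public Primary Certification Authority - G4
VeriSign Class 3 Public Primary Certification Authority - G5
VeriSign Universal Root Certification Authority'

# Map a CKA_LABEL to its conf entry. Assumption: spaces become underscores,
# which is what certdata2pem does for these labels (none contain "/", "(",
# ")" or ",").
label_to_entry() {
    printf 'mozilla/%s.crt\n' "$(printf '%s' "$1" | tr ' ' '_')"
}

# Only upgrades from the regressed 20200601 uploads are touched. In a real
# postinst the previously installed version arrives as "$2".
should_reenable() {
    case "$1" in
        20200601*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Flip "!mozilla/X.crt" back to "mozilla/X.crt" for each reverted root.
# Entries the admin left enabled, and roots outside the list (for example a
# still-blacklisted one), are not touched. Prints how many entries changed.
reenable_reverted_roots() {
    conf=$1
    changed=0
    # Split the label list on newlines only, so labels keep their spaces.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $REVERTED_LABELS
    set +f
    IFS=$old_ifs
    for label in "$@"; do
        entry=$(label_to_entry "$label")
        if grep -qxF "!$entry" "$conf"; then
            # Escape the dot and anchor both ends so only the exact line
            # is rewritten.
            pattern=$(printf '%s' "$entry" | sed 's/[.]/\\./g')
            sed "s|^!$pattern\$|$entry|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# The postinst-shaped entry point: old version first, conf path second.
postinst_reenable() {
    if should_reenable "$1"; then
        reenable_reverted_roots "$2"
    else
        echo 0
    fi
}
```

A root the administrator had deactivated by hand before 20200601 is indistinguishable here from one the blacklist deactivated, which is exactly the #743339 limitation the thread accepts as "good enough".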
Bug#962672: buster-pu: package ca-certificates/20200611~deb10u1
On 6/11/20 1:33 PM, Adam D. Barratt wrote: Just to confirm - will the certificates be automatically re-added (assuming that users have either the automatically trust or prompt options enabled)? (stretch-pu report cc'ed, since same applies) Excellent question. I believe we're going to hit #743339 "Previously removed certificates not added again". I had not found a reasonable fix for that case in general, to preserve a user's selections. Maybe a "good enough" fix will have to do for the specific ones added back. Thanks for the question, patch ideas welcomed. Michael
Bug#962674: stretch-pu: package ca-certificates/20200611~deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi release team,

#911289 resulted in a regression, and the explicitly blacklisted roots have been reverted. One in particular, "GeoTrust Global CA", has caused serious issues noted in #962596. The other reverted roots also remain in the Mozilla CA bundle[0], so #911289 will require additional research and be re-opened when uploaded. stretch-proposed-updates and stretch-updates both got the previous upload.

I would like to upload ca-certificates_20200611~deb9u1 with the following changes:

ca-certificates (20200611~deb9u1) stretch; urgency=medium

  * Rebuild for stretch.
  * This oldstable release Closes: #962596, #942915

 -- Michael Shuler  Thu, 11 Jun 2020 09:11:56 -0500

ca-certificates (20200611) unstable; urgency=medium

  * mozilla/blacklist:
    Revert Symantec CA blacklist (#911289). Closes: #962596
    The following root certificates were added back (+):
    + "GeoTrust Global CA"
    + "GeoTrust Primary Certification Authority"
    + "GeoTrust Primary Certification Authority - G2"
    + "GeoTrust Primary Certification Authority - G3"
    + "GeoTrust Universal CA"
    + "thawte Primary Root CA"
    + "thawte Primary Root CA - G2"
    + "thawte Primary Root CA - G3"
    + "VeriSign Class 3 Public Primary Certification Authority - G4"
    + "VeriSign Class 3 Public Primary Certification Authority - G5"
    + "VeriSign Universal Root Certification Authority"

  [ Gianfranco Costamagna ]
  * debian/{rules,control}:
    Merge Ubuntu patch from Matthias Klose to use Python3 during build.
    Closes: #942915

 -- Michael Shuler  Thu, 11 Jun 2020 08:38:00 -0500

Source debdiff attached. ca-certificates_20200611~deb9u1 uploaded to mentors[1], RFS will be submitted pending pu approval. Source can be fetched from mentors or the `debian-stretch` git branch, commit c151326dda72f703f7001f655e331b548eb1e411. Binary debdiff files list matches unstable upload for 20200611 currently on mentors - RFS: #962669.
[0] https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport [1] https://mentors.debian.net/package/ca-certificates Kind regards, Michael diffstat for ca-certificates-20200601~deb9u1 ca-certificates-20200611~deb9u1 debian/changelog| 37 +++-- debian/control |8 mozilla/Makefile|2 +- mozilla/blacklist.txt | 23 --- mozilla/certdata2pem.py |2 +- 5 files changed, 33 insertions(+), 39 deletions(-) diff -Nru ca-certificates-20200601~deb9u1/debian/changelog ca-certificates-20200611~deb9u1/debian/changelog --- ca-certificates-20200601~deb9u1/debian/changelog2020-06-05 11:52:50.0 -0500 +++ ca-certificates-20200611~deb9u1/debian/changelog2020-06-11 09:11:56.0 -0500 
@@ -1,16 +1,33 @@ -ca-certificates (20200601~deb9u1) stretch; urgency=medium +ca-certificates (20200611~deb9u1) stretch; urgency=medium * Rebuild for stretch. - * Merge changes from 20200601 -- d/control - * This release updates the Mozilla CA bundle to 2.40, blacklists -distrusted Symantec roots, and blacklists expired "AddTrust External -Root". Closes: #956411, #955038, #911289, #961907 - * Fix permissions on /usr/local/share/ca-certificates when using symlinks. -Closes: #916833 - * Remove email-only roots from mozilla trust store. Closes: #721976 + * This oldstable release Closes: #962596, #942915 - -- Michael Shuler Fri, 05 Jun 2020 11:52:50 -0500 + -- Michael Shuler Thu, 11 Jun 2020 09:11:56 -0500 + +ca-certificates (20200611) unstable; urgency=medium + + * mozilla/blacklist: +Revert Symantec CA blacklist (#911289). Closes: #962596 +The following root certificates were added back (+): ++ "GeoTrust Global CA" ++ "GeoTrust Primary Certification Authority" ++ "GeoTrust Primary Certification Authority - G2" ++ "GeoTrust Primary Certification Authority - G3" ++ "GeoTrust Universal CA" ++ "thawte Primary Root CA" ++ "thawte Primary Root CA - G2" ++ "thawte Primary Root CA - G3" ++ "VeriSign Class 3 Public Primary Certification Authority - G4" ++ "VeriSign Class 3 Public Primary Certification Authority - G5" + + "VeriSign Universal Root Certification Authority" + + [ Gianfranco Costamagna ] + * debian/{rules,control}: +Merge Ubuntu patch from Matthias Klose to use Python3 during build. +Closes: #942915 + + -- Michael Shuler Thu, 11 Jun 2020 08:38:00 -0500 ca-certificates (20200601) unstable; urgency=medium diff -Nru ca-certificates-20200601~deb9u1/debian/control ca-certificates-20200611~deb9u
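Review bot: this changelog hunk for the stretch rebuild folds the `[ Gianfranco Costamagna ]` entry (`Merge Ubuntu patch from Matthias Klose to use Python3 during build. Closes: #942915`) into what is otherwise a one-line revert of the Symantec blacklist, and the diffstat shows debian/control changing by 8 lines to match. For an emergency oldstable update meant to fix a single regression, the build-dependency switch is unrelated risk; dropping it so the debdiff carries only the blacklist revert would make the update easier to review and to roll back.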
Bug#962672: buster-pu: package ca-certificates/20200611~deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi release team,

#911289 resulted in a regression, and the explicitly blacklisted roots have been reverted. One in particular, "GeoTrust Global CA", has caused serious issues noted in #962596. The other reverted roots also remain in the Mozilla CA bundle[0], so #911289 will require additional research and be re-opened when uploaded. buster-proposed-updates and buster-updates both got the previous upload.

I would like to upload ca-certificates_20200611~deb10u1 with the following changes:

ca-certificates (20200611~deb10u1) buster; urgency=medium

  * Rebuild for buster.
  * This stable release Closes: #962596, #942915

 -- Michael Shuler  Thu, 11 Jun 2020 09:07:27 -0500

ca-certificates (20200611) unstable; urgency=medium

  * mozilla/blacklist:
    Revert Symantec CA blacklist (#911289). Closes: #962596
    The following root certificates were added back (+):
    + "GeoTrust Global CA"
    + "GeoTrust Primary Certification Authority"
    + "GeoTrust Primary Certification Authority - G2"
    + "GeoTrust Primary Certification Authority - G3"
    + "GeoTrust Universal CA"
    + "thawte Primary Root CA"
    + "thawte Primary Root CA - G2"
    + "thawte Primary Root CA - G3"
    + "VeriSign Class 3 Public Primary Certification Authority - G4"
    + "VeriSign Class 3 Public Primary Certification Authority - G5"
    + "VeriSign Universal Root Certification Authority"

  [ Gianfranco Costamagna ]
  * debian/{rules,control}:
    Merge Ubuntu patch from Matthias Klose to use Python3 during build.
    Closes: #942915

 -- Michael Shuler  Thu, 11 Jun 2020 08:38:00 -0500

Source debdiff attached. ca-certificates_20200611~deb10u1 uploaded to mentors[1], RFS will be submitted pending pu approval. Source can be fetched from mentors or the `debian-buster` git branch, commit 442fd47f4831483b72329e0df1f6260e4a91ab36. Binary debdiff files list matches unstable upload for 20200611 currently on mentors - RFS: #962669.
[0] https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport [1] https://mentors.debian.net/package/ca-certificates Kind regards, Michael diffstat for ca-certificates-20200601~deb10u1 ca-certificates-20200611~deb10u1 debian/changelog| 34 +++--- debian/control |2 +- mozilla/Makefile|2 +- mozilla/blacklist.txt | 23 --- mozilla/certdata2pem.py |2 +- 5 files changed, 30 insertions(+), 33 deletions(-) diff -Nru ca-certificates-20200601~deb10u1/debian/changelog ca-certificates-20200611~deb10u1/debian/changelog --- ca-certificates-20200601~deb10u1/debian/changelog 2020-06-03 13:09:34.0 -0500 +++ ca-certificates-20200611~deb10u1/debian/changelog 2020-06-11 09:07:27.0 -0500 
@@ -1,13 +1,33 @@ -ca-certificates (20200601~deb10u1) buster; urgency=medium +ca-certificates (20200611~deb10u1) buster; urgency=medium * Rebuild for buster. - * Merge changes from 20200601 -- d/control; set d/gbp.conf branch to debian-buster - * This release updates the Mozilla CA bundle to 2.40, blacklists -distrusted Symantec roots, and blacklists expired "AddTrust External -Root". Closes: #956411, #955038, #911289, #961907 + * This stable release Closes: #962596, #942915 - -- Michael Shuler Wed, 03 Jun 2020 13:09:34 -0500 + -- Michael Shuler Thu, 11 Jun 2020 09:07:27 -0500 + +ca-certificates (20200611) unstable; urgency=medium + + * mozilla/blacklist: +Revert Symantec CA blacklist (#911289). Closes: #962596 +The following root certificates were added back (+): ++ "GeoTrust Global CA" ++ "GeoTrust Primary Certification Authority" ++ "GeoTrust Primary Certification Authority - G2" ++ "GeoTrust Primary Certification Authority - G3" ++ "GeoTrust Universal CA" ++ "thawte Primary Root CA" ++ "thawte Primary Root CA - G2" ++ "thawte Primary Root CA - G3" ++ "VeriSign Class 3 Public Primary Certification Authority - G4" ++ "VeriSign Class 3 Public Primary Certification Authority - G5" + + "VeriSign Universal Root Certification Authority" + + [ Gianfranco Costamagna ] + * debian/{rules,control}: +Merge Ubuntu patch from Matthias Klose to use Python3 during build. +Closes: #942915 + + -- Michael Shuler Thu, 11 Jun 2020 08:38:00 -0500 ca-certificates (20200601) unstable; urgency=medium diff -Nru ca-certificates-20200601~deb10u1/debian/control ca-certificates-20200611~deb10u1/debian/control --- ca-certificates-20200601~deb10u1/debian/control 2020-06-03 13:09:34.0 -0500 +++ ca-certificates-20200611~deb10u1/debian/control 2
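Review bot: as with the stretch debdiff, the buster changelog hunk mixes the Python3 build switch (`Merge Ubuntu patch from Matthias Klose to use Python3 during build. Closes: #942915`, with debian/control touched in the diffstat) into a stable update whose purpose is the blacklist revert for #962596. Keeping the toolchain change out of this upload limits what has to be verified under the point-release deadline and keeps the regression fix separable if it has to be reverted again.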
Bug#962155: stretch-pu: package ca-certificates/20200601~deb9u1
On 6/5/20 10:37 AM, Adam D. Barratt wrote:
On Thu, 2020-06-04 at 20:48 -0500, Michael Shuler wrote:

Thanks again, uploaded to mentors: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates https://bugs.debian.org/962245 I re-uploaded to mentors the updated 20200601~deb9u1 package artifacts with the suggested changes committed.

I see there was some additional feedback on the RFS, which is why this hasn't been uploaded yet. It makes sense to combine the release via stretch-updates and buster-updates, so we can release a single SUA and users don't have to stagger updates. On that basis, I'll hold off on that until we have more idea what's happening with the stretch update.

Yes, Adrian was super helpful with this style of backporting latest. With that advice, here is the current package debdiff from latest version, which gets us where we want:

$ debdiff ca-certificates_20200601_all.deb ca-certificates_20200601~deb9u1_all.deb
File lists identical (after any substitutions)
Control files: lines which differ (wdiff format)
Depends: openssl (>= [-1.1.1),-] {+1.0.0),+} debconf (>= 0.5) | debconf-2.0
Installed-Size: [-381-] {+380+}
Version: [-20200601-] {+20200601~deb9u1+}

Updated changelog adds the removal of email-only roots from stretch:

ca-certificates (20200601~deb9u1) stretch; urgency=medium

  * Rebuild for stretch.
  * Merge changes from 20200601 - d/control
  * This release updates the Mozilla CA bundle to 2.40, blacklists distrusted Symantec roots, and blacklists expired "AddTrust External Root". Closes: #956411, #955038, #911289, #961907
  * Fix permissions on /usr/local/share/ca-certificates when using symlinks. Closes: #916833
  * Remove email-only roots from mozilla trust store. Closes: #721976

Attached is the updated debdiff.gz from oldstable->this_backport and those stats:

diffstat for ca-certificates-20161130+nmu1+deb9u1 ca-certificates-20200601~deb9u1 .gitignore | 12 debian/NEWS | 393 --- debian/ca-certificates.postinst |8 debian/changelog| 231 + debian/copyright| 14 mozilla/blacklist.txt | 54 mozilla/certdata.txt| 4927 mozilla/certdata2pem.py |2 mozilla/nssckbi.h |6 9 files changed, 2734 insertions(+), 2913 deletions(-)

Kind regards, Michael Shuler
Bug#962155: stretch-pu: package ca-certificates/20200601~deb9u1
Thanks again, uploaded to mentors: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates https://bugs.debian.org/962245 -- Kind regards, Michael
Bug#962152: buster-pu: package ca-certificates/20200601~deb10u1
Thank you. Uploaded to mentors: RFS: ca-certificates/20200601~deb10u1 [RC] -- Common CA certificates https://bugs.debian.org/962244 -- Kind regards, Michael
Bug#962155: stretch-pu: package ca-certificates/20200601~deb9u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

* Note: Please, upload this to stretch-updates as well to fix ongoing issues with failing web services from the expired AddTrust certificate. See #961907 for details.

I would like to upload ca-certificates_20200601~deb9u1 with the following fixes:

ca-certificates (20200601~deb9u1) stretch; urgency=medium

  * Rebuild for stretch.
  * Merge changes from 20200601 - d/control
  * This release updates the Mozilla CA bundle to 2.40, blacklists distrusted Symantec roots, and blacklists expired "AddTrust External Root". Closes: #956411, #955038, #911289, #961907
  * Fix permissions on /usr/local/share/ca-certificates when using symlinks. Closes: #916833

diffstat for ca-certificates-20161130+nmu1+deb9u1 ca-certificates-20200601~deb9u1 .gitignore | 12 debian/ca-certificates.postinst |8 debian/changelog| 228 + debian/copyright| 14 mozilla/blacklist.txt | 54 mozilla/certdata.txt| 4927 mozilla/nssckbi.h |6 7 files changed, 2731 insertions(+), 2518 deletions(-)

Full debdiff.gz attached, due to the size of certdata changes.

-- Kind regards, Michael Shuler
Bug#962152: buster-pu: package ca-certificates/20200601~deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

* Note: Please, upload this to buster-updates as well to fix ongoing issues with failing web services from the expired AddTrust certificate. See #961907 for details.

I would like to upload ca-certificates_20200601~deb10u1 with the following fixes:

ca-certificates (20200601~deb10u1) buster; urgency=medium

  * Rebuild for buster.
  * Merge changes from 20200601 - d/control; set d/gbp.conf branch to debian-buster
  * This release updates the Mozilla CA bundle to 2.40, blacklists distrusted Symantec roots, and blacklists expired "AddTrust External Root". Closes: #956411, #955038, #911289, #961907

diffstat for ca-certificates-20190110 ca-certificates-20200601~deb10u1 debian/changelog | 59 debian/copyright | 12 debian/gbp.conf |2 mozilla/blacklist.txt | 26 mozilla/certdata.txt | 3908 -- mozilla/nssckbi.h |4 6 files changed, 2318 insertions(+), 1693 deletions(-)

Full debdiff.gz attached, due to the size of certdata changes.

-- Kind regards, Michael
Bug#901288: stretch-pu: package ca-certificates/20161130+nmu1
On 07/05/2018 03:37 PM, Adam D. Barratt wrote:
On Sun, 2018-06-10 at 21:22 -0500, Michael Shuler wrote:

I would like to upload ca-certificates_20161130+nmu1+deb9u1 with the following fixes:
- update Mozilla CA bundle in Stretch to 2.22 (#858064)
- fix postinst failure on read-only /usr/local (#843722)
- remove Christian Perrier from uploaders per his request (#894070)

The Uploaders change is basically a no-op in stable, but please go ahead, bearing in mind that the window for 9.5 closes this weekend.

Thanks for the update. I emailed the active Uploaders to see if they can push this up in the short timeframe. For clarification, were you asking that the Uploaders change be omitted, or was this just an FYI? Much appreciated.

-- Kind regards, Michael
Bug#901352: unblock: ca-certificates/20180409
On 06/13/2018 02:35 AM, Cyril Brulebois wrote: It seems the block-udeb isn't the only blocker though: Migration status: BLOCKED: Rejected/introduces a regression Updating ca-certificates introduces new bugs: #895482 and I see no severity downgrade in that bug report? It was upgraded back to serious again, yesterday, after some testing feedback. Also, I should have mentioned this in my dda@ mail I suppose: 63 days old (needed 5 days) If a given package has spent that much time out of testing, it probably can wait a few days while we're going through the late stages of the d-i release process. It should only be a matter of days or hours now. ;) I'll get back to your package later if we spot any issues that would need to be addressed before we release; or it's going to be unblocked automatically when I unfreeze udebs. Thanks for the note, I appreciate it. -- Michael
Bug#901352: unblock: ca-certificates/20180409
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock ca-certificates-udeb is blocked. Please unblock the package ca-certificates to transition to testing. We just downgraded the severity of a bug, since openssl was updated to fix an issue with the processing of CA certificates[0], in order to allow ca-certificates to transition to testing. The bug is intended to be closed after testing transition, just to be sure all is well, since the fix was really in openssl. It appears that ca-certificates is now blocked due to udebs being frozen[1], as noted a couple days ago on d-d-announce (thank you for this note!). Kind regards, Michael Shuler [0] https://bugs.debian.org/895482 [1] https://qa.debian.org/excuses.php?package=ca-certificates
Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
On 06/08/2018 03:37 PM, Adam D. Barratt wrote: Ping? We're a week away from the final chance to get an update into jessie-as-oldstable before it becomes jessie-lts. Thanks for the ping. I updated the debian-jessie branch of ca-certificates with mozilla bundle 2.22, and it's ready to be uploaded. Thijs, might you have a chance to upload 20141019+deb8u4 to jessie-updates? If not, perhaps we can wrangle someone else to help. commit: ce1498e496b749f71fd96d60942d2c2aa7fdf0ca $ git diff --stat debian/20141019+deb8u3 debian-jessie debian/changelog |74 + debian/control | 1 - mozilla/certdata.txt | 28220 +-- mozilla/nssckbi.h|39 +- 4 files changed, 10787 insertions(+), 17547 deletions(-) Thanks all! -- Kind regards, Michael
Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
On 07/06/2017 11:13 PM, Paul Wise wrote: > On Fri, Jul 7, 2017 at 2:01 AM, Antoine Beaupré wrote: > >> For what it's worth, my opinion is that we should attempt to synchronize >> certdata.txt (and blacklist.txt, for that matter) across all suites (but >> not other changes to the packaging). This would remove another decision >> point in our infrastructure and ensure harmonious X509 processing across >> suites. > > I would like to see that happen too. I spent a few sessions over the past few days getting the mozilla bundle 2.14 committed to all the suite branches wheezy and newer. I have some more verification to work on and I'll get some packages rolled up and tested for all the suites. I appreciate the notes here! -- Kind regards, Michael
Bug#852040: jessie-pu: package ca-certificates/20141019+deb8u3
On 04/28/2017 11:39 AM, Adam D. Barratt wrote: > On Fri, 2017-04-28 at 00:58 +0200, Andreas Beckmann wrote: >> >> Attached is the combined debdiff of the commits backported by Michael >> and me. I verified in piuparts that "running update-certificates without >> hooks initially" now actually works as intended. > > That looks okay, thanks. > > Please feel free to upload, bearing in mind that the window for 8.8 > closes over the weekend. Thank you so much. I'm sorry I've been ridiculously busy, and "I'll get to it this weekend" repeatedly hasn't materialized for me. -- Kind regards, Michael
Bug#852040: Bug#825730: jessie-pu: package ca-certificates/20141019+deb8u3
Thanks for the follow up. I'll get this fixed and resubmit a new debdiff for stable update. -- Kind regards, Michael
Bug#852040: jessie-pu: package ca-certificates/20141019+deb8u3
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu I would like to upload ca-certificates_20141019+deb8u3 to stable, in order to backport the fix from #783615 [0]. This bug was reopened and set to Serious severity. The debdiff is attached. [0] https://bugs.debian.org/783615 -- Kind regards, Michael diffstat for ca-certificates-20141019+deb8u2 ca-certificates-20141019+deb8u3 debian/changelog|7 +++ sbin/update-ca-certificates |2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff -Nru ca-certificates-20141019+deb8u2/debian/changelog ca-certificates-20141019+deb8u3/debian/changelog --- ca-certificates-20141019+deb8u2/debian/changelog2016-11-18 09:24:20.0 -0600 +++ ca-certificates-20141019+deb8u3/debian/changelog2017-01-20 16:00:09.0 -0600 @@ -1,3 +1,10 @@ +ca-certificates (20141019+deb8u3) stable; urgency=medium + + * sbin/update-ca-certificates: +Update local certificates directory when calling --fresh. Closes: #783615 + + -- Michael Shuler <mich...@pbandjelly.org> Wed, 18 Jan 2017 15:54:56 -0600 + ca-certificates (20141019+deb8u2) stable; urgency=medium [ Michael Shuler ] diff -Nru ca-certificates-20141019+deb8u2/sbin/update-ca-certificates ca-certificates-20141019+deb8u3/sbin/update-ca-certificates --- ca-certificates-20141019+deb8u2/sbin/update-ca-certificates 2016-11-18 09:24:15.0 -0600 +++ ca-certificates-20141019+deb8u3/sbin/update-ca-certificates 2017-01-20 16:00:09.0 -0600 @@ -89,7 +89,7 @@ find . -type l -print | while read symlink do case $(readlink $symlink) in - $CERTSDIR*) rm -f $symlink;; + $CERTSDIR*|$LOCALCERTSDIR*) rm -f $symlink;; esac done find . -type l -print | while read symlink
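Review bot: in the sbin/update-ca-certificates hunk, adding `$LOCALCERTSDIR*` to the case pattern is the right fix for --fresh leaving stale symlinks into the local directory, but the surrounding loop is fragile in the same way before and after the change: `read symlink` without -r and the unquoted `$(readlink $symlink)` misbehave on names containing whitespace or backslashes, and if either CERTSDIR or LOCALCERTSDIR is empty the pattern degenerates to `*` and every symlink in the directory is removed. Quoting (`read -r symlink`, `case "$(readlink "$symlink")"`) and a guard that both variables are non-empty before the loop would harden it.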
Bug#807274: wheezy-pu: package ca-certificates/20130119+deb7u2
Backlog of $REAL_LIFE work has kept me super busy. I ran into upgrade issues (sorry, don't have the existing bts#), and it looks like Ubuntu did a similar addition using a 'mozilla-1024/' directory, which may solve the immediate upgrade problem with previously removed certificates. I have not tested this out, yet, but will try to do so soon. -- Kind regards, Michael
Bug#807274: wheezy-pu: package ca-certificates/20130119+deb7u2
On 02/20/2016 06:53 AM, Adam D. Barratt wrote: > For reference, neither the above nor the message opening the bug made it > to debian-release, presumably for size reasons. Thanks for the follow up. > Looking at the diff: > > diff -Nru ca-certificates-20130119+deb7u1/debian/config > ca-certificates-20130119+deb7u2/debian/config > --- ca-certificates-20130119+deb7u1/debian/config 2014-09-24 > 12:57:57.0 -0500 > +++ ca-certificates-20130119+deb7u2/debian/config 1969-12-31 > 18:00:00.0 -0600 > > I'm assuming that wasn't intentional? This is the unintentional result of building from a clean git checkout. I'll have to pull the old generated debian/config from the existing source package. This file has since been added to the clean target. This Wheezy package is going to suffer from the same regression as in Jessie, currently. Please, leave this bug report in "moreinfo", if that's OK, or just close this and I'll open a new report. I will need to create an updated diff that includes the removed 1024-bit CA certificates, once I'm sure that's working correctly in Jessie. -- Kind regards, Michael
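Review bot: the quoted `+++ ca-certificates-20130119+deb7u2/debian/config 1969-12-31 18:00:00` header is diff's marker for a file absent from the new tree, so as it stands the debdiff deletes debian/config and the rebuilt package would ship without its debconf config script. The regenerated file (or a source tree built from the existing package rather than a bare git checkout, as discussed) needs to be in place before the upload, and the debdiff re-done to confirm the deletion is gone.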
Re: Updating ca-certificates through stable-updates
On 12/05/2015 04:25 PM, Philipp Kern wrote:
>> Could I perhaps convince you to file this (kind of) request as a pu bug?
>> They are much easier for us to track than mails to the mailing list.
>> I appreciate that you might have been sending this mail to avoid the
>> pu-bug. Unfortunately, we often end up forgetting the mail on our TODO
>> list if it is not listed in the bug tracker.
>
> There's that and it helps to look at the debdiff to see what the actual
> changes are. Cert updates are likely to be much easier on us than
> packaging/script updates.

I'll go ahead and get the packages built and open up a pu bug with the debdiffs. Thanks!

-- Kind regards, Michael
Re: Updating ca-certificates through stable-updates
On 11/25/2015 03:18 PM, Andrew Ayer wrote:
> Hi Stable Release Managers,
>
> We're currently discussing in #806239 how to keep the
> ca-certificates package more up-to-date in (old)stable. Since
> ca-certificates is a data package that needs timely updating (when CAs
> are removed due to lapsed audits, they should be distrusted
> immediately), it satisfies the criteria for stable-updates posted here:
>
> https://www.debian.org/News/2011/20110215
>
> I just wanted to confirm that the SRMs would be OK pushing out new
> ca-certificates packages through stable-updates.

Hi release team,

I just requested an upload of ca-certificates (20151204) to unstable, and I would like to follow that up with stable-pu and oldstable-pu updates to include the current Mozilla CA bundle changes for jessie and wheezy. It appears that I did a wheezy-pu update last year on #743156, but wanted to clarify if these upcoming uploads will be acceptable.

-- Thank you! Michael
Bug#743156: wheezy-pu: package ca-certificates/20130119+deb7u1
On 09/20/2014 11:53 AM, Adam D. Barratt wrote: On Mon, 2014-08-25 at 21:36 -0500, Michael Shuler wrote: On 08/24/2014 02:12 PM, Adam D. Barratt wrote: Does the upgrade issue you mentioned in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743259#22 also apply to this upload? No, Wheezy does not have the same upgrade problem that Squeeze did. In that case, please go ahead with the upload; thanks. Thank you for the confirmation. I have made a request to my sponsors to upload ca-certificates/20130119+deb7u1. -- Kind regards, Michael -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/5422ead3.20...@pbandjelly.org
Bug#743156: wheezy-pu: package ca-certificates/20130119+deb7u1
On 08/24/2014 02:12 PM, Adam D. Barratt wrote:
On 2014-03-31 1:25, Michael Shuler wrote:

I would like to upload ca-certificates to stable to include one important patch to fix duplicate CKA_LABEL certificates, and bring the Mozilla CA bundle up to date. The stable debdiff is attached.

Does the upgrade issue you mentioned in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743259#22 also apply to this upload?

No, Wheezy does not have the same upgrade problem that Squeeze did.

Thanks, Michael Shuler
Bug#743259: squeeze-pu: package ca-certificates/20090814+squeeze1
On 07/19/2014 06:45 AM, Adam D. Barratt wrote:
On Thu, 2014-07-10 at 19:30 +0100, Adam D. Barratt wrote:
On Mon, 2014-03-31 at 22:10 -0500, Michael Shuler wrote:

I would like to upload ca-certificates to oldstable to bring the Mozilla CA bundle up to date, include one important patch to fix duplicate CKA_LABEL certificates, and one minor additional fix in order to parse the new certdata.txt file correctly. I also updated Maintainer/Uploaders. The oldstable debdiff is attached.

Please go ahead, bearing in mind that the window for getting the package in to the upcoming (and final) point release for squeeze closes over the coming weekend.

Unfortunately no upload happened and as today was the final point release for squeeze I'm going to close this bug now. You may wish to discuss an update in squeeze-lts with the LTS team.

Yep, the short window did not work out for me to get the upload completed, after finding an upgrade issue with the proposed patch, so a squeeze upload will take some additional work. Thanks for the consideration and pointer to -lts!

-- Kind regards, Michael
Bug#724592: pu: package ifmetric/0.3-2
I would enjoy the possibility of getting ifmetric_0.3-2+deb7u1 uploaded for the 7.2 release and the window is getting smaller. I confirmed my sponsor's availability for the next few days, but lack the Release Team's OK. If there is any additional info I can provide, please let me know.

-- 
Kind regards,
Michael Shuler

/gentle nudge
Bug#724592: pu: package ifmetric/0.3-2
On 10/02/2013 02:25 PM, Adam D. Barratt wrote:
> On Wed, 2013-10-02 at 10:31 -0500, Michael Shuler wrote:
>> I would enjoy the possibility of getting ifmetric_0.3-2+deb7u1 uploaded for the 7.2 release and the window is getting smaller. I confirmed my sponsor's availability for the next few days, but lack the Release Team's OK. If there is any additional info I can provide, please let me know.
>
> I think going with 4096 should be fine; if it turns out not to be enough later on, then we can deal with that then.

Thanks for the quick update, Adam. My sponsor uploaded ifmetric_0.3-2+deb7u1 a short time ago.

-- 
Kind regards,
Michael
Bug#724592: pu: package ifmetric/0.3-2
On 09/25/2013 11:09 AM, Cyril Brulebois wrote:
> --- ifmetric-0.3.orig/src/nlrequest.c +++ ifmetric-0.3/src/nlrequest.c
> @@ -44,7 +44,7 @@ for (;;) { int bytes; -char replybuf[2048]; +char replybuf[4096]; struct nlmsghdr *p = (struct nlmsghdr *) replybuf; if ((bytes = recv(s, replybuf, sizeof(replybuf), 0)) 0) {
>
> Is it certain 4096 is enough, or will we hit this again in the future?

tl;dr - yes, and perhaps some day. :)

Changes to the netlink API certainly could happen in future kernel versions, increasing the reply size, which may affect Jessie/Sid, but I believe that 4096 should be sufficient for Wheezy, as well as testing/unstable, until such time that it is not.

While I have not gone through bisecting the kernel itself to determine specific netlink reply sizes since the last upload of ifmetric (17 Jan 2006), I did find some interesting details and a relevant example in netlink(7). I believe that one of the feature additions in the VERSIONS section of netlink(7) bumped a typical reply beyond 2048 around the Squeeze kernel version (which is when I started maintaining my own patched ifmetric package for several large production clusters), for example:

    NETLINK_INET_DIAG, NETLINK_CONNECTOR and NETLINK_NETFILTER appeared in Linux 2.6.14.
    NETLINK_GENERIC and NETLINK_ISCSI appeared in Linux 2.6.15.

The last EXAMPLE in netlink(7) is spot on and is perhaps where the initial patch submitter found the relevant 4096 value (which is the current suggestion in the man-pages git repository [0]). This example was added to netlink(7) in commit 8482c7 (Mar 7 2006):

    And the last example is about reading netlink message.

        int len;
        char buf[4096];
        struct iovec iov = { buf, sizeof(buf) };
        struct sockaddr_nl sa;
        struct msghdr msg;
        struct nlmsghdr *nh;

        msg = { &sa, sizeof(sa), &iov, 1, NULL, 0, 0 };
        len = recvmsg(fd, &msg, 0);

        for (nh = (struct nlmsghdr *) buf; NLMSG_OK (nh, len);
             nh = NLMSG_NEXT (nh, len)) {
            /* The end of multipart message. */
            if (nh->nlmsg_type == NLMSG_DONE)
                return;

            if (nh->nlmsg_type == NLMSG_ERROR)
                /* Do some error handling. */
                ...

            /* Continue with parsing payload. */
            ...
        }

The above example leads me to believe this buffer size should be sufficient for the foreseeable future, and certainly for Wheezy kernels.

> Anyway, the stable diff looks sane enough (especially given the diff between 0.3-2 and 0.3-3 ;)).

I appreciate your time looking into this update!

[0] http://git.kernel.org/pub/scm/docs/man-pages/man-pages

-- 
Kind regards,
Michael Shuler
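Added example, not ifmetric's code and not the netlink(7) text: it runs the same NLMSG_OK/NLMSG_NEXT loop over a constructed, in-memory multipart reply and reports what a 2048-byte versus a 4096-byte replybuf does to it. The message count, the 1100-byte message size and the RTM_NEWROUTE type are assumptions chosen to make the reply land between the two buffer sizes.

```c
/* Added example (not ifmetric's code): walk a netlink dump reply with the
 * NLMSG_OK/NLMSG_NEXT loop from netlink(7) and show what a too-small recv()
 * buffer does to it.  The reply is constructed in memory, so no netlink
 * socket is needed; message sizes and types are assumptions. */
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum nl_status { NL_COMPLETE, NL_NEED_MORE, NL_TRUNCATED, NL_ERROR };

/* Write one message header of len bytes at out+off; return the aligned size. */
static int put_msg(char *out, int off, int len, int type)
{
    struct nlmsghdr *h = (struct nlmsghdr *)(out + off);
    memset(h, 0, NLMSG_ALIGN(len));
    h->nlmsg_len = len;            /* header + payload, before padding */
    h->nlmsg_type = type;
    h->nlmsg_flags = NLM_F_MULTI;  /* part of a multipart dump */
    h->nlmsg_seq = 1;
    return NLMSG_ALIGN(len);
}

/* Build nmsgs RTM_NEWROUTE messages of msglen bytes each, terminated by
 * NLMSG_DONE (carrying an int status).  Returns the total length or -1. */
int build_reply(char *out, int outsize, int nmsgs, int msglen)
{
    int done_len = NLMSG_LENGTH(sizeof(int)), off = 0, i;
    if (msglen < NLMSG_HDRLEN ||
        nmsgs * NLMSG_ALIGN(msglen) + NLMSG_ALIGN(done_len) > outsize)
        return -1;
    for (i = 0; i < nmsgs; i++)
        off += put_msg(out, off, msglen, RTM_NEWROUTE);
    return off + put_msg(out, off, done_len, NLMSG_DONE);
}

/* Walk buf[0..len) as netlink(7) does; *count gets the number of payload
 * messages seen before NLMSG_DONE, an error, or the data running out. */
enum nl_status walk_reply(char *buf, int len, int *count)
{
    struct nlmsghdr *nh;
    *count = 0;
    for (nh = (struct nlmsghdr *)buf; NLMSG_OK(nh, len);
         nh = NLMSG_NEXT(nh, len)) {
        if (nh->nlmsg_type == NLMSG_DONE)
            return NL_COMPLETE;  /* end of the multipart dump */
        if (nh->nlmsg_type == NLMSG_ERROR)
            return NL_ERROR;     /* payload would be struct nlmsgerr */
        (*count)++;
    }
    /* NLMSG_OK failed.  len == 0: the buffer was consumed exactly, so either
     * the dump continues in the next datagram or it was cut on a message
     * boundary (a full buffer is ambiguous).  Otherwise a header promised
     * more bytes than were received: the buffer was too small. */
    return len == 0 ? NL_NEED_MORE : NL_TRUNCATED;
}

/* Deliver reply the way recv() fills char replybuf[bufsize]: copy up to
 * bufsize bytes and drop the rest (without MSG_TRUNC the loss is not
 * reported), then walk it.  This is the 2048 vs 4096 question in one call. */
enum nl_status check_with_buffer(const char *reply, int rlen, int bufsize, int *count)
{
    int got = rlen < bufsize ? rlen : bufsize;
    char *buf = malloc(bufsize);
    enum nl_status st;
    if (buf == NULL)
        return NL_ERROR;
    memcpy(buf, reply, got);
    st = walk_reply(buf, got, count);
    free(buf);
    return st;
}

int main(void)
{
    static char reply[8192];
    int sizes[] = { 2048, 2200, 4096 }, i, n;
    int rlen = build_reply(reply, sizeof reply, 3, 1100);  /* 3320 bytes */
    for (i = 0; i < 3; i++) {
        enum nl_status st = check_with_buffer(reply, rlen, sizes[i], &n);
        printf("replybuf[%d]: %d of 3 messages, status %d\n", sizes[i], n, st);
    }
    return 0;
}
```

A buffer that is filled exactly (the 2200-byte case) is reported as ambiguous rather than truncated, which is why a caller that wants certainty asks recv() with MSG_PEEK|MSG_TRUNC for the real datagram length on a netlink socket instead of guessing a size.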
Bug#724592: pu: package ifmetric/0.3-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

I would like to upload ifmetric_0.3-2+deb7u1 to stable in order to fix #514197 and get this software functional for stable users again. The fix is a one line patch to increase the reply buffer size. Attached is the proposed stable debdiff.

-- 
Kind regards,
Michael Shuler

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -u ifmetric-0.3/debian/changelog ifmetric-0.3/debian/changelog --- ifmetric-0.3/debian/changelog +++ ifmetric-0.3/debian/changelog 
@@ -1,3 +1,10 @@ +ifmetric (0.3-2+deb7u1) stable; urgency=low + + * Add patch to fix NETLINK: Packet too small or truncated! error. +Thanks to Benedek László for the patch. Closes: #514197, LP: #896584 + + -- Michael Shuler mich...@pbandjelly.org Mon, 23 Sep 2013 09:04:32 -0500 + ifmetric (0.3-2) unstable; urgency=low * debian/control: bump standards-version (no changes). only in patch2: unchanged: --- ifmetric-0.3.orig/src/nlrequest.c +++ ifmetric-0.3/src/nlrequest.c @@ -44,7 +44,7 @@ for (;;) { int bytes; -char replybuf[2048]; +char replybuf[4096]; struct nlmsghdr *p = (struct nlmsghdr *) replybuf; if ((bytes = recv(s, replybuf, sizeof(replybuf), 0)) 0) {
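Review bot: the debian/changelog hunk says "Add patch", but the rest of the debdiff edits src/nlrequest.c directly (the "only in patch2: unchanged:" section) with nothing under debian/patches; naming the touched file and the 2048 to 4096 buffer change in the entry would let a stable user trace the fix from the changelog alone.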
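Review bot: the src/nlrequest.c hunk only enlarges the fixed buffer (-char replybuf[2048]; +char replybuf[4096];), so a reply larger than 4096 bytes will again be cut off by recv() and handed to the nlmsghdr walk as a truncated datagram. Pairing the size bump with a check that the bytes returned by recv() are smaller than sizeof(replybuf) (or passing MSG_TRUNC so recv() reports the real length) would turn the next overflow into the existing "NETLINK: Packet too small or truncated!" error instead of a silent partial parse.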
ca-certificates_20130119, ca-certificates-java_20121112+nmu1 - unblock together
Dear release team,

When allowing ca-certificates[-java] to migrate to wheezy, please, allow them together so they are installable:

    Package: ca-certificates
    Version: 20130119
    Breaks: ca-certificates-java (<< 20121112+nmu1)

    Package: ca-certificates-java
    Version: 20121112+nmu1
    Depends: ca-certificates (>= 20121114)

ca-certificates_20130119 was uploaded to unstable on 01/20 and, barring any issues, will be available to migrate on 01/31. -java has been in unstable 53 days, so an unblock at this moment would cause a few days of install problems that I would like to avoid.

Thank you!

-- 
Kind regards,
Michael
Re: Bug#698538: ca-certificates_20130119, ca-certificates-java_20121112+nmu1 - unblock together
On 01/21/2013 11:58 AM, Andreas Beckmann wrote:
>> When allowing ca-certificates[-java] to migrate to wheezy, please, allow them together so they are installable:
>
> If dependencies are set up correctly, britney won't migrate only half of the packages if that leads to an uninstallable state.

Thanks! I asked the same on #debian-release and..

> And what about #694888? c-c-java will introduce a new RC bug into wheezy that has been open for 52 days and was reassigned to c-c-java 30 days ago - after I found the time to analyze it in more detail. (It will also solve one, so it's +-0 in total.)
>
> Just verified that it's still reproducible in a minimal sid pbuilder:
> apt-get install openjdk-7-source

..yeah, I just noticed this bug report after jcristau suggested looking at 'grep-excuses ca-certificates-java'.. I also reproduced this bug with 'apt-get install openjdk-7-jre-headless'. (openjdk-6-jre-headless installs ok; the sed still fails, but it looks like openjdk-6-jre-headless doesn't claim the config file, so the install continues.)

I don't have the extra time at the moment to fix c-c-java. I was looking at debian/jks-keystore.hook.in to see if I could find the one-liner low hanging fruit, but on a quick look, there may be a few different ways to fix this and I'm not sure what the best answer is. I can try to come back to it in a week or so, but if someone else would look, please do!

-- 
Kind regards,
Michael
Bug#692911: Bug#537051: ca-certificates: Unneeded and confusing usage of interest-noawait
On 01/19/2013 10:41 AM, Guillem Jover wrote:
> As discussed in 537051 the NMU introduced an unneeded and confusing usage of interest-noawait, and the accompanying Pre-Depends on dpkg. The attached patch removes these.

Thanks for the patch. I'll get this tested out as soon as I can and get an upload prepared.

-- 
Kind regards,
Michael
Bug#698538: unblock: ca-certificates-java/20121112+nmu1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

(requesting unblock, although I am not the maintainer)

Please unblock package ca-certificates-java

ca-certificates-java/20121112+nmu1 provides serious/important fixes that correct squeeze -> wheezy upgrades using the triggers provided by ca-certificates (>= 20121114), as well as a fixed test for dpkg-query in postinst and a corrected library path for softokn3pkg and nsspkg.

Thank you!

-- 
Kind regards,
Michael Shuler

diff -Nru ca-certificates-java-20120721/debian/ca-certificates-java.triggers ca-certificates-java-20121112+nmu1/debian/ca-certificates-java.triggers --- ca-certificates-java-20120721/debian/ca-certificates-java.triggers 1969-12-31 18:00:00.0 -0600 +++ ca-certificates-java-20121112+nmu1/debian/ca-certificates-java.triggers 2012-11-12 20:03:54.0 -0600 
@@ -0,0 +1 @@ +activate update-ca-certificates diff -Nru ca-certificates-java-20120721/debian/changelog ca-certificates-java-20121112+nmu1/debian/changelog --- ca-certificates-java-20120721/debian/changelog 2012-07-21 07:05:01.0 -0500 +++ ca-certificates-java-20121112+nmu1/debian/changelog 2012-11-28 17:59:50.0 -0600 @@ -1,3 +1,17 @@ +ca-certificates-java (20121112+nmu1) unstable; urgency=low + + * Non-maintainer upload + * Fix test for dpkg-query in postinst; there was an extraneous --version +here. [Probably don't even need to bother to check for dpkg-query, but +why not.] (Closes: #690204) + * Library path for softokn3pkg and nsspkg is potentially wrong if there +are multiple different paths; fix it. + * Do not run the hook if ca-certificates-java has been removed but not +purged. + * Use the new trigger support provided by ca-certificates (=20121114). + + -- Don Armstrong d...@debian.org Mon, 12 Nov 2012 15:45:50 -0800 + ca-certificates-java (20120721) unstable; urgency=low * Fix jks-keystore and postinst to work on multi-arch system. diff -Nru ca-certificates-java-20120721/debian/control ca-certificates-java-20121112+nmu1/debian/control --- ca-certificates-java-20120721/debian/control 2012-06-08 17:05:19.0 -0500 +++ ca-certificates-java-20121112+nmu1/debian/control 2012-11-28 17:43:50.0 -0600 @@ -15,7 +15,7 @@ Package: ca-certificates-java Architecture: all Multi-Arch: foreign -Depends: ca-certificates (= 20090814), +Depends: ca-certificates (= 20121114), ${jre:Depends} | java6-runtime-headless, ${misc:Depends}, ${nss:Depends} diff -Nru ca-certificates-java-20120721/debian/jks-keystore.hook.in ca-certificates-java-20121112+nmu1/debian/jks-keystore.hook.in --- ca-certificates-java-20120721/debian/jks-keystore.hook.in 2012-07-21 06:30:21.0 -0500 +++ ca-certificates-java-20121112+nmu1/debian/jks-keystore.hook.in 2012-11-12 18:50:31.0 -0600 
@@ -25,7 +25,7 @@ } echo -if [ $cacerts_updates != yes ] || [ $CACERT_UPDATES = disabled ]; then +if [ $cacerts_updates != yes ] || [ $CACERT_UPDATES = disabled ] || [ ! -e $JAR ]; then echo updates of cacerts keystore disabled. exit 0 fi @@ -53,12 +53,12 @@ fi if dpkg-query --version /dev/null; then -nsspkg=$(dpkg-query -L $(nsslib_name) | sed -n 's,\(.*\)/libnss3\.so$,\1,p') +nsspkg=$(dpkg-query -L $(nsslib_name) | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1) nssjdk=$(sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' /etc/${jvm%-$arch}/security/nss.cfg) if [ -n $nsspkg ] [ -n $nssjdk ] [ $nsspkg != $nssjdk ]; then ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so fi -softokn3pkg=$(dpkg-query -L $(nsslib_name) | sed -n 's,\(.*\)/libsoftokn3\.so$,\1,p') +softokn3pkg=$(dpkg-query -L $(nsslib_name) | sed -n 's,\(.*\)/libsoftokn3\.so$,\1,p'|head -n 1) if [ -n $softokn3pkg ] [ -n $nssjdk ] [ $softokn3pkg != $nssjdk ]; then ln -sf $softokn3pkg/libsoftokn3.so $nssjdk/libsoftokn3.so fi diff -Nru ca-certificates-java-20120721/debian/postinst.in ca-certificates-java-20121112+nmu1/debian/postinst.in --- ca-certificates-java-20120721/debian
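Review bot: in the jks-keystore.hook.in @@ -25,7 +25,7 @@ hunk the new [ ! -e $JAR ] condition takes the same branch as an intentional opt-out, printing "updates of cacerts keystore disabled." and exiting 0, so the removed-but-not-purged case the changelog describes becomes indistinguishable in the logs from a deliberately disabled update; a separate message for a missing $JAR would make that state visible to whoever debugs an empty keystore later.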
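Review bot: the |head -n 1 added to the nsspkg and softokn3pkg lookups in the @@ -53,12 +53,12 @@ hunk picks whichever multiarch directory dpkg-query -L happens to list first, which is not necessarily the one for the JVM's architecture; the libnss3.so and libsoftokn3.so symlinks would then point at a library built for the wrong architecture. Filtering the dpkg-query output on the architecture triplet (the hook already derives $arch from $jvm, see ${jvm%-$arch} in the same hunk) before taking the first line would make the choice deterministic.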
Bug#692911: unblock: ca-certificates/20121105
On 11/15/2012 08:46 AM, Michael Shuler wrote:
> On 11/14/2012 06:12 PM, intrigeri wrote:
>> I think it would be even better to replace clean up with some version of
>>> parsing certdata.txt for the ca-certificates package, neither of these flags are used when the CA trust database is created, so both CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are ignored:
>> IMHO, Clean up still describes the change itself, rather than the reason why it is reasonable, which is, I think, as important.

20121114 has not been uploaded to unstable, yet, so I had some time to rebuild and include an additional note, today:

  * Update mozilla/certdata.txt to version 1.86 Closes: #683728
    - Replace legacy no explicit trust flag of CKT_NSS_TRUST_UNKNOWN for
      CKT_NSS_MUST_VERIFY_TRUST, instead of a mix of both flags:
      https://bugzilla.mozilla.org/show_bug.cgi?id=757189
      This upstream fix does not change the CA certificates installed in
      ca-certificates as both flags are ignored. Only those CA certificates
      with the CKT_NSS_TRUSTED_DELEGATOR flag in certdata.txt are installed.

I hope that helps with some clarity for that upstream change. :)

Full testing debdiff: http://www.pbandjelly.org/debian/ca-certificates_20120623-20121114.debdiff

-- 
Kind regards,
Michael Shuler

my penance: https://twitter.com/mshuler/status/269181404754096128
Bug#692911: unblock: ca-certificates/20121105
On 11/14/2012 06:12 PM, intrigeri wrote:
> Michael Shuler wrote (11 Nov 2012 20:59:10 GMT) :
>> In parsing certdata.txt for the ca-certificates package, neither of these flags are used when the CA trust database is created, so both CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are ignored. This is why I indicated these lines are innocuous -
>
> Thanks a lot for the detailed explanation!

No problem!

>> Should I re-upload with a changelog entry of something like:
>>
>> * Update mozilla/certdata.txt to version 1.86 Closes: #683728
>> +Clean up of no explicit trust flag CKT_NSS_TRUST_UNKNOWN to
>> +CKT_NSS_MUST_VERIFY_TRUST
>> +- https://bugzilla.mozilla.org/show_bug.cgi?id=757189
>
> I think it would be even better to replace clean up with some version of
>>> parsing certdata.txt for the ca-certificates package, neither of these flags are used when the CA trust database is created, so both CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are ignored:
> IMHO, Clean up still describes the change itself, rather than the reason why it is reasonable, which is, I think, as important.

Bummer. I was going to update this bug after 20121114 hit unstable. I built ca-certificates_20121114 before getting this note, and it is waiting for upload by my sponsors, as of writing. This upload is being coordinated with an upload of ca-certificates-java with version breaks and depends (see full debdiff). Here is what I did include for this change in 20121114:

+ * Update mozilla/certdata.txt to version 1.86 Closes: #683728
+- Replace legacy no explicit trust flag of CKT_NSS_TRUST_UNKNOWN for
+ CKT_NSS_MUST_VERIFY_TRUST, instead of a mix of both flags:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=757189
+Certificates added (+) (none removed):
++ Actalis Authentication Root CA
...

Full debdiff: http://www.pbandjelly.org/debian/ca-certificates_20120623-20121114.debdiff

So, while I did include a note about the change for context for the reader of the diff (upstream change X: reference), I did not go into detail about why this upstream change is not very meaningful to functionality or packaging (upstream change X: reference - this particular change doesn't really modify anything with ca-certificates because Y). That additional info seems a bit overkill to me, but we can add that, if it would be helpful.

Again, I was going to reply after upload, but since there's another question on this, I thought I would take a moment to let you know what's coming.

-- 
Kind regards,
Michael
Bug#692911: unblock: ca-certificates/20121105
On 11/11/2012 12:15 PM, intrigeri wrote:
> That may be me nitpicking, but they are innocuous does not really address my desire to understand an undocumented change in a security-sensitive area. I'm still curious and feeling like this should be documented somehow, but I'll happily let others decide how important this concern of mine is for Debian.

For full context on the change, this came in an upstream patch for mozilla/certdata.txt 1.83 -> 1.84 - this is the upstream bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=757189

mozilla/certdata.txt 1.83 was in ca-certificates_20120623

Quick summary of the mozilla bug: there were two different flags being used within certdata.txt to indicate no explicit trust: CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN. The change upstream was to get rid of the legacy TRUST_UNKNOWN flags and replace them with MUST_VERIFY_TRUST, since this is how new flags were being added.

In parsing certdata.txt for the ca-certificates package, neither of these flags are used when the CA trust database is created, so both CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are ignored. This is why I indicated these lines are innocuous - CKT_NSS_MUST_VERIFY_TRUST is ignored in the same manner as CKT_NSS_TRUST_UNKNOWN when both flags were present in the file, and now only CKT_NSS_MUST_VERIFY_TRUST is in certdata.txt, and there are no more instances of CKT_NSS_TRUST_UNKNOWN in certdata.txt 1.84.

Should I re-upload with a changelog entry of something like:

diff --git a/debian/changelog b/debian/changelog index 861abed..3fe8329 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,6 +1,9 @@ ca-certificates (20121105) unstable; urgency=low * Update mozilla/certdata.txt to version 1.86 Closes: #683728 +Clean up of no explicit trust flag CKT_NSS_TRUST_UNKNOWN to +CKT_NSS_MUST_VERIFY_TRUST +- https://bugzilla.mozilla.org/show_bug.cgi?id=757189 Certificates added (+) (none removed): + Actalis Authentication Root CA + Trustis FPS Root CA

Or should I patch out these changes from mozilla/certdata.txt and re-upload?

-- 
Kind regards,
Michael Shuler
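Review bot: the lines added in the @@ -1,6 +1,9 @@ changelog hunk record the CKT_NSS_TRUST_UNKNOWN to CKT_NSS_MUST_VERIFY_TRUST replacement but not its effect on the package; since the explanation above is that neither flag is consulted when the trust store is built and only CKT_NSS_TRUSTED_DELEGATOR entries are installed, saying so in the entry (for example "no change to the installed CA set") answers the first question a reader of a security-sensitive diff asks, and the bug URL alone does not.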
Bug#692911: unblock: ca-certificates/20121105
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ca-certificates

ca-certificates/20121105 has been uploaded to unstable and includes two important fixes for Wheezy:

ca-certificates (20121105) unstable; urgency=low

  * Update mozilla/certdata.txt to version 1.86 Closes: #683728
    Certificates added (+) (none removed):
    + Actalis Authentication Root CA
    + Trustis FPS Root CA
    + StartCom Certification Authority (renewal/rehash)
    + StartCom Certification Authority G2
    + Buypass Class 2 Root CA
    + Buypass Class 3 Root CA
    + TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
    + T-TeleSec GlobalRoot Class 3
    + EE Certification Centre Root CA
  * Correct piuparts package remove/purge behavior Closes: #682125
    - Remove deletes of /etc/ssl{,/certs} from debian/postrm

A debdiff against the package in testing is attached. Although #683728 was requested by Eddy Nigg at StartCom, I think it is important to include the latest available mozilla CA bundle for Wheezy.

unblock ca-certificates/20121105

-- 
Kind regards,
Michael Shuler

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#692911: unblock: ca-certificates/20121105
On 11/10/2012 12:23 PM, intrigeri wrote:
> Michael Shuler wrote (10 Nov 2012 17:52:41 GMT) :
>> unblock ca-certificates/20121105
>
> There are multiple instances of:
>
>   -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
>   +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
>
> I guess that was imported from the new Mozilla certdata, but the way debian/changelog is phrased leads me to believe the only change is adding CA certificates, which apparently is not the case.

Darn. I intended to add a comment that those lines are in the debdiff from the new certdata.txt and that they are innocuous.

> Otherwise, looks good to me.

Thank you for the look.

-- 
Kind regards,
Michael