Hello

On 21/07/15 17:54, Michael Shuler wrote:
> On 07/21/2015 09:05 AM, Cédric Dufour - Idiap Research Institute wrote:
>> Would you plan to push an updated/"backported" ca-certificates in
>> wheezy-updates?
>> Would security updates - e.g. removal of a compromised CA - make it to it?
>
> I'm thinking that an upload of the jessie version, ca-certificates_20141019,
> may be appropriate for wheezy-updates, or just a rebuild with the Mozilla CA
> bundle from that version, excluding the additional changes. I'm not sure,
> yet. There is a bit of hand waving at the removal of 1024-bit CAs by Mozilla
> in the latest CA bundle currently in Stretch, and I don't want to be that
> disruptive in wheezy-updates (or jessie-updates, for that matter..)
I'm afraid I can't be of much help as to this decision and I would not presume to dictate Debian policy on this matter.

My 1-penny for the (old)stable branch:
- missing "trustworthy" root CAs ought to be added (that's the reason I reported this "bug"), especially if backed by the optional so-called "volatile" repo (which sysadmins may choose to use or not)
- actually compromised or untrustworthy root CAs ought to be removed (in other words, those that correspond to CVE advisories); shouldn't such updates actually come from security.debian.org?
- in-between should be left "as is"

But I am aware that cherry-picking those changes is a tedious job (and a great responsibility). Doesn't/shouldn't the Debian Security Team have a say in this?

Best regards,

Cédric

>
> You can dig around git and look through debian/changelog in the stable
> release branches, as well as master (sid/testing), for the CAs that Mozilla
> has added/removed.
>
> http://anonscm.debian.org/cgit/collab-maint/ca-certificates.git
> Jessie changelog:
> http://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/tree/debian/changelog?h=debian-jessie