Bug#741561: marked as done (No longer ship cacert certificates)

Debian Bug Tracking System Sun, 30 Mar 2014 14:39:50 -0700

Your message dated Sun, 30 Mar 2014 16:35:33 -0500
with message-id <[email protected]>
and subject line Re: Bug#741561: Include CAcert Root Certificates
has caused the Debian Bug report #741561,
regarding No longer ship cacert certificates
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
741561: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741561
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: ca-certificates
Version: 20140223
Severity: critical

With the new ca-certificates package, cacert certificate gets removed.
That left several tools that depends on this certificate broken as they
cannot anymore connect to services that use cacert.

More over, it opens security holes to such systems as it is not possible
anymore to be sure that a certificate is valid.

Please do not remove such important certificates as it will break
several systems.

- -- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (800, 'unstable'), (600, 'oldstable'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13.2 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) (ignored: LC_ALL set to 
de_DE)
Shell: /bin/sh linked to /bin/dash

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.52
ii  openssl                1.0.1f-1

ca-certificates recommends no packages.

ca-certificates suggests no packages.

- -- debconf information:
* ca-certificates/trust_new_crts: ask
* ca-certificates/enable_crts: cacert.org/cacert.org_class3.crt, 
cacert.org/cacert.org_root.crt, mozilla/AddTrust_External_Root.crt, 
mozilla/AddTrust_Low-Value_Services_Root.crt, 
mozilla/AddTrust_Public_Services_Root.crt, 
mozilla/AddTrust_Qualified_Certificates_Root.crt, 
mozilla/Baltimore_CyberTrust_Root.crt, 
mozilla/COMODO_Certification_Authority.crt, 
mozilla/COMODO_ECC_Certification_Authority.crt, 
mozilla/Camerfirma_Chambers_of_Commerce_Root.crt, 
mozilla/Camerfirma_Global_Chambersign_Root.crt, 
mozilla/Certplus_Class_2_Primary_CA.crt, mozilla/Certum_Root_CA.crt, 
mozilla/Comodo_AAA_Services_root.crt, mozilla/Comodo_Secure_Services_root.crt, 
mozilla/Comodo_Trusted_Services_root.crt, mozilla/DST_ACES_CA_X6.crt, 
mozilla/DST_Root_CA_X3.crt, mozilla/DigiCert_Assured_ID_Root_CA.crt, 
mozilla/DigiCert_Global_Root_CA.crt, 
mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, 
mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt, 
mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt, 
mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt, 
mozilla/Entrust.net_Secure_Server_CA.crt, 
mozilla/Entrust_Root_Certification_Authority.crt, 
mozilla/Equifax_Secure_CA.crt, mozilla/Equifax_Secure_Global_eBusiness_CA.crt, 
mozilla/Equifax_Secure_eBusiness_CA_1.crt, 
mozilla/Firmaprofesional_Root_CA.crt, mozilla/GTE_CyberTrust_Global_Root.crt, 
mozilla/GeoTrust_Global_CA.crt, mozilla/GeoTrust_Global_CA_2.crt, 
mozilla/GeoTrust_Primary_Certification_Authority.crt, 
mozilla/GeoTrust_Universal_CA.crt, mozilla/GeoTrust_Universal_CA_2.crt, 
mozilla/GlobalSign_Root_CA.crt, mozilla/GlobalSign_Root_CA_-_R2.crt, 
mozilla/NetLock_Business_=Class_B=_Root.crt, 
mozilla/NetLock_Express_=Class_C=_Root.crt, 
mozilla/NetLock_Notary_=Class_A=_Root.crt, 
mozilla/NetLock_Qualified_=Class_QA=_Root.crt, 
mozilla/Network_Solutions_Certificate_Authority.crt, 
mozilla/QuoVadis_Root_CA.crt, mozilla/QuoVadis_Root_CA_2.crt, 
mozilla/QuoVadis_Root_CA_3.crt, mozilla/RSA_Root_Certificate_1.crt, 
mozilla/RSA_Security_2048_v3.crt, mozilla/SecureTrust_CA.crt, 
mozilla/Secure_Global_CA.crt, mozilla/Security_Communication_Root_CA.crt, 
mozilla/Sonera_Class_1_Root_CA.crt, mozilla/Sonera_Class_2_Root_CA.crt, 
mozilla/Staat_der_Nederlanden_Root_CA.crt, mozilla/Starfield_Class_2_CA.crt, 
mozilla/StartCom_Certification_Authority.crt, 
mozilla/SwissSign_Gold_CA_-_G2.crt, mozilla/SwissSign_Platinum_CA_-_G2.crt, 
mozilla/SwissSign_Silver_CA_-_G2.crt, mozilla/Swisscom_Root_CA_1.crt, 
mozilla/TDC_Internet_Root_CA.crt, mozilla/TDC_OCES_Root_CA.crt, 
mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt, 
mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt, 
mozilla/Taiwan_GRCA.crt, mozilla/Thawte_Premium_Server_CA.crt, 
mozilla/Thawte_Server_CA.crt, mozilla/UTN_DATACorp_SGC_Root_CA.crt, 
mozilla/UTN_USERFirst_Email_Root_CA.crt, 
mozilla/UTN_USERFirst_Hardware_Root_CA.crt, mozilla/ValiCert_Class_1_VA.crt, 
mozilla/ValiCert_Class_2_VA.crt, mozilla/Visa_eCommerce_Root.crt, 
mozilla/WellsSecure_Public_Root_Certificate_Authority.crt, 
mozilla/Wells_Fargo_Root_CA.crt, mozilla/XRamp_Global_CA_Root.crt, 
mozilla/thawte_Primary_Root_CA.crt, spi-inc.org/spi-cacert-2008.crt,
  ca-certificates/new_crts:
  ca-certificates/title:

- -- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <[email protected]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQGcBAEBCgAGBQJTIiApAAoJEKZ8CrGAGfas4lYMAMBuZsS8sNydjwSlk+6uUG+p
0Fh2O1YM/9HJ20TNrW3JIKFEVTg/08Xj8AKWq8buhnPZLPBFN0LJ3j8o7h1xfa0X
bufxdy+bO9MfegY9jdzNBrCkhDCLkdq16YakpGS0CEnDeywW1nwtJnER6TJkeMlw
Ii1noD6PtRBt9d2idgp24rx8zfWFcODerVMONL6dbioOrqpmeQR8ZUIBH5dCtGuR
EAG7war+kUcmmRpAYocgzR8bBZygn4Wv2HHDDLUhQpVeHmWoHEEw7sOOw9Bmjuc6
mhwycxpnl5u0/dQnJWny4yVRt8cKPWqL3nmfKiv6QMZcUqtwaybzwVyEa7DhVGN1
WZe1B9Hh407E2lYVkTlFTusVR+lriZjKzL1URNf/UcbFCOzoLjbyAni4ZV47qlyU
HDGT4YajQjhJTZ1ja4cP64z34XAHeuidjkuOM0CYqZrmrXhv+XLCUy/gXYoqTbVL
kmg5v7m5KbNxEH6Ns7pM4BxLavWYsgsl5U+f+eAuYQ==
=1a2y
-----END PGP SIGNATURE-----

--- End Message ---

--- Begin Message ---
Control: retitle -1 Please Include CAcert Root Certificates
Control: severity -1 wishlist
Control: tags -1 wontfix
Respectfully, at the end of the day, this bug report is a wishlistrequest to include the CAcert root certificates in the ca-certificatespackage. The CAcert root certificates were removed in #718434.
Users that wish to include local CA root certificates may wish to read/usr/share/doc/ca-certificates/README.Debian for two methods toaccomplish this: drop them in /usr/local/share/ca-certificates/ and runupdate-ca-certificates, or build a local .deb package using the examplein /usr/share/doc/ca-certificates/examples/ca-certificates-local/.
As for the particulars about a user's security of fetching the CAcertroot certificates, they are distributed fromhttp://www.cacert.org/index.php?id=3 which lists the SHA1/MD5fingerprints and a link to CAcert's GPG public key for validation by theuser.
--
Kind regards,
Michael
--- End Message ---

Bug#741561: marked as done (No longer ship cacert certificates)

Reply via email to