Hi Michael,

On Wed, 25 Nov 2015 12:30:18 -0600
Michael Shuler <mich...@pbandjelly.org> wrote:

> Control: tags -1 + pending
>
> On 11/25/2015 11:28 AM, Andrew Ayer wrote:
> > ca-certificates hasn't been updated since April 2015. Since then,
> > 14 CAs have been removed from the NSS root store[1, 2].
> > ca-certificates in stable hasn't been updated since October 2014.
> > Since then, 6 additional CAs have been removed[3, 4].
> > ca-certificates in oldstable is even older.
>
> The April release contained the 2.4 bundle from Mozilla. CA bundle 2.5
> was recently released in NSS and an upload to unstable is being
> prepped.

I'm not sure what these version numbers are. NSS 3.19.3 was released on August 7 and removed 5 CAs[1]. So why no release of ca-certificates until now?

[1] https://groups.google.com/forum/#!topic/mozilla.dev.tech.crypto/CIrDdx1e9EI

> Main git repo:
> http://anonscm.debian.org/cgit/collab-maint/ca-certificates.git
>
> My working git repo (ie, bundle 2.6 is already branched):
> http://anonscm.debian.org/cgit/users/mshuler-guest/ca-certificates.git
>
> > This is concerning because some of the removed CAs have failed or
> > are no longer conducting audits, which means we have no idea what
> > security practices they are currently following. Applications on
> > Debian which use the ca-certificates store still trust these CAs,
> > putting users at risk. For example, the e-Guven root certificate,
> > which was removed from the NSS store in April due to "insufficient
> > and outdated audits"[5, 6], continues to be trusted in stable and
> > oldstable.
> >
> > First, could we get an update soon to ca-certificates that reflects
> > these removals?
>
> Yes.

Thank you!

> > Second, could ca-certificates be updated more frequently in the
> > future? Security Team, could updates to ca-certificates be pushed
> > out through security.debian.org for (old)stable?
>
> For stable/oldstable releases, it may be appropriate for them to go
> through the stable-updates suite.

OK. As a data package that needs timely updating, it should qualify for stable-updates. As I understand the process, this requires uploading to proposed-updates, and then the Stable Release Managers pull it over to stable-updates[2].

[2] https://wiki.debian.org/StableUpdates

> > If there is an issue of manpower, I'm willing to help co-maintain
> > ca-certificates (I'm a DM) and prepare packages for
> > security.debian.org. We're lucky that Mozilla runs such a great
> > root program: it's thorough and responsive, and aligns with
> > Debian's values by being open and community-driven. Let's take
> > full advantage of it in Debian!
>
> I try to track upstream releases and attend to bug reports as quickly
> as possible, but patches are always welcomed. With several uploaders,
> I'm not sure there needs to be another uploader, but sending patches
> to fix things in the BTS would certainly be helpful.

Great! I will pay attention to your Git repo and do what I can to help out.

Thanks,
Andrew