On 11/25/2015 03:13 PM, Andrew Ayer wrote: >> The April release contained the 2.4 bundle from Mozilla. CA bundle 2.5 >> was recently released in NSS and an upload to unstable is being >> prepped.
I was incorrect about the NSS release relative time being as recent as I recalled. See below. > I'm not sure what these version numbers are. NSS 3.19.3 was released > on August 7 and removed 5 CAs[1]. So why no release of ca-certificates > until now? > > [1] > https://groups.google.com/forum/#!topic/mozilla.dev.tech.crypto/CIrDdx1e9EI A ca-certificates version 2.5 example - it's contained in mozilla/nssckbi.h in the ca-certificates package repo: https://bugzilla.mozilla.org/show_bug.cgi?id=1190794 Thanks for the mailing list link. I follow the NSS mercurial repository commits via RSS and check for merges from NSS dev to firefox release repos. Looks like I checked on 10/22 to see if 2.5 was in the release tree, but it was not, yet. The release tree I'm checking against is for firefox releases, so this would be the real-world majority of users getting CA updates. I started checking against actual firefox releases after the 1024-bit removal, reinstatement, removal again issues.. I don't think that cycle ever made it to a firefox release. http://anonscm.debian.org/cgit/users/mshuler-guest/ca-certificates.git/commit/?id=f0d320ad9c517d8c5d2e308ec99e470df4cef938 "- would be nice if they would release NSS sometime soon with this version.." Obviously, it looks like I'll need to figure out a different way to track releases if we want to be spot-on with NSS releases. Yet another mailing list might be the only answer.. Feel free to add a BTS report when new NSS versions are released. Thanks again for the feedback. Michael
