On 12/17/25 13:04, Santiago Ruano Rincón wrote:
> Hello,
>
> On 03/06/25 at 14:18, William David Edwards wrote:
>> Package: ca-certificates
>> Version: 20240203
>>
>> Version 20240203 contains new CAs, most notably Sectigo Public Server
>> Authentication Root. Sectigo seems to have recently started issuing
>> certificates with this new root certificate. Please consider migrating
>> 20240203 to stable, as its absence will most definitely cause userland
>> issues.
>
> AFAICS, the actual affected version here was 20230311 from bookworm,
> since bookworm was the stable version when this bug was filed, on
> 2025-06-03.
>
> This was fixed with 20230311+deb12u1:
> https://tracker.debian.org/news/1648789/accepted-ca-certificates-20230311deb12u1-source-into-proposed-updates/,
> and actually could be (force)merged with #1095913.
>
> I don't want to step on the maintainer's toes, so unless Julien agrees
> on that, I am not planning to change the status of this bug.

I think there's 2 issues at play here:

- the specific case of that Sectigo root, which as you said was resolved
- what to do about new CA certificates in stable more generally.

Historically root CAs were around for decades, so updating the trust
store once every couple of years was more than sufficient. In recent
years CA lifetimes have reduced significantly, so this has become an
issue. I would like to start updating the package more regularly, but
have been struggling to find the spare time to even keep up in unstable
so far...

Cheers,
Julien