Control: tags 962669 moreinfo

On Thu, Jun 11, 2020 at 08:18:38PM +0100, Adam D. Barratt wrote:
> On Thu, 2020-06-11 at 13:48 -0500, Michael Shuler wrote:
> > On 6/11/20 1:33 PM, Adam D. Barratt wrote:
> > > Just to confirm - will the certificates be automatically re-added
> > > (assuming that users have either the automatically trust or prompt
> > > options enabled)?
> >
> > (stretch-pu report cc'ed, since same applies)
> >
> > Excellent question. I believe we're going to hit #743339 "Previously
> > removed certificates not added again". I had not found a reasonable
> > fix for that case in general, to preserve a user's selections. Maybe
> > a "good enough" fix will have to do for the specific ones added back.
>
> OK.
>
> In that case, how does this seem as an SUA text?
>
> ====================
> The ca-certificates update described in SUA 182-1 removed some
> certificates issued by Symantec (under various brand names).
> Unfortunately, this removal led to a number of reported regressions.
> The affected certificates have therefore been reintroduced.
>
> If you have already installed the package from SUA 182-1, and need to
> use the affected certificates, you may need to manually enable them by
> running "dpkg-reconfigure ca-certificates" as root.
> ====================

This does not work in various embedded scenarios.

Would it work to force-enable them in /etc/ca-certificates.conf
from the preinst when upgrading from old-version matching 20200601* ?

Unrelated to that, please keep the Python 2 -> 3 build dependency
change out of this emergency update.

> Regards,
>
> Adam

cu
Adrian
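
The preinst idea raised in the message above could look like the following. This is an added sketch, not part of the thread and not the ca-certificates package's own maintainer script. The function names, the CA_CONF override and the certificate names are hypothetical placeholders; it relies on the "!" prefix that marks a deselected entry in /etc/ca-certificates.conf.

```shell
#!/bin/sh
# Added sketch, not the ca-certificates package's own maintainer script.
# Certificate names are placeholders, not the real reintroduced list.
REINTRODUCED="mozilla/Example_Reintroduced_CA_1.crt mozilla/Example_Reintroduced_CA_2.crt"

# dpkg calls preinst as "preinst upgrade <old-version>"; act only when the
# old version is one of the 20200601* uploads named in the thread.
should_reenable() {
    [ "${1:-}" = "upgrade" ] || return 1
    case "${2:-}" in
        20200601*) return 0 ;;
        *) return 1 ;;
    esac
}

# reenable_certs CONF CERT...
# A line "!CERT" (deselected) becomes "CERT"; a CERT with no line at all is
# appended. Comments, other entries and other "!" lines are left untouched.
reenable_certs() {
    conf=$1; shift
    [ -f "$conf" ] || return 0
    tmp="$conf.preinst-tmp.$$"
    while IFS= read -r line || [ -n "$line" ]; do
        for cert in "$@"; do
            if [ "$line" = "!$cert" ]; then line=$cert; break; fi
        done
        printf '%s\n' "$line"
    done < "$conf" > "$tmp" || return 1
    for cert in "$@"; do
        grep -qxF -- "$cert" "$tmp" || printf '%s\n' "$cert" >> "$tmp"
    done
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

preinst_main() {
    if should_reenable "${1:-}" "${2:-}"; then
        # Unquoted on purpose: the list is split on whitespace.
        reenable_certs "${CA_CONF:-/etc/ca-certificates.conf}" $REINTRODUCED
    fi
}

preinst_main "$@"
```

Forcing the entries on this way also overrides a user who had deselected one of these certificates on purpose, which is the selection-preserving concern behind #743339.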