On Fri, 2020-06-12 at 00:50 +0300, Adrian Bunk wrote:
> Control: tags 962669 moreinfo
>
> On Thu, Jun 11, 2020 at 08:18:38PM +0100, Adam D. Barratt wrote:
> > On Thu, 2020-06-11 at 13:48 -0500, Michael Shuler wrote:
> > > On 6/11/20 1:33 PM, Adam D. Barratt wrote:
> > > > Just to confirm - will the certificates be automatically
> > > > re-added (assuming that users have either the automatically
> > > > trust or prompt options enabled)?
> > >
> > > (stretch-pu report cc'ed, since same applies)
> > >
> > > Excellent question. I believe we're going to hit #743339
> > > "Previously removed certificates not added again". I had not
> > > found a reasonable fix for that case in general, to preserve a
> > > user's selections.
> > > Maybe a "good enough" fix will have to do for the specific ones
> > > added back.
> >
> > OK.
> >
> > In that case, how does this seem as an SUA text?
[...]
> > use the affected certificates, you may need to manually enable them
> > by running "dpkg-reconfigure ca-certificates" as root.
> > ====================
>
> This does not work in various embedded scenarios.

Wouldn't embedded setups be more likely to have a hard-coded
configuration?

> Would it work to force-enable them in /etc/ca-certificates.conf
> from the preinst when upgrading from old-version matching 20200601* ?

I'll leave the technical answer to Michael.

Practically, it's then not great for users who had intentionally
removed the certificates - or simply decided not to trust them in the
first place - prior to the upgrade. I'm not sure how we could
distinguish the cases automatically.

> Unrelated to that, please keep the Python 2 -> 3 build dependency
> change out of this emergency update.

ACK.

Regards,

Adam
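
An added example, not code from the ca-certificates package or from anyone in this thread: a read-only check an administrator could run after the upgrade to see whether specific certificates are enabled, deselected or not listed in a ca-certificates.conf file. It assumes the file's usual format (one certificate path per line, a leading "!" marking a deselected entry, "#" for comments); the certificate names are constructed placeholders. The file records only the state of each entry, not why it was deselected.

```shell
#!/bin/sh
# Report the state of named certificates in a ca-certificates.conf file.
# Assumption: "!" at the start of a line marks a deselected certificate.

# cert_state CONF ENTRY -> prints: enabled | disabled | absent
cert_state() {
    conf=$1
    entry=$2
    if grep -qxF -- "$entry" "$conf"; then
        echo enabled
    elif grep -qxF -- "!$entry" "$conf"; then
        echo disabled
    else
        echo absent
    fi
}

# report CONF ENTRY... -> one "<state> <entry>" line per entry
report() {
    conf=$1
    shift
    for entry in "$@"; do
        printf '%s %s\n' "$(cert_state "$conf" "$entry")" "$entry"
    done
}

# Constructed sample file; the certificate names are placeholders.
sample_conf() {
    cat <<'EOF'
# constructed sample of a ca-certificates.conf
mozilla/Example_Root_A.crt
!mozilla/Example_Root_B.crt
EOF
}

# Run the report against the sample instead of the live system file.
demo() {
    tmp=$(mktemp)
    sample_conf > "$tmp"
    report "$tmp" mozilla/Example_Root_A.crt \
        mozilla/Example_Root_B.crt mozilla/Example_Root_C.crt
    rm -f "$tmp"
}

demo
```

On a real system, call `report /etc/ca-certificates.conf` with the entries named in the announcement; entries reported as disabled are the ones "dpkg-reconfigure ca-certificates" would be used to re-enable.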