Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi release team,
#911289 resulted in a regression, and the explicitly blacklisted roots
have been reverted. One in particular, "GeoTrust Global CA", has caused
serious issues noted in #962596. The other reverted roots also remain in
the Mozilla CA bundle[0], so #911289 will require additional research
and be re-opened when uploaded.
stretch-proposed-updates and stretch-updates both got the previous upload.
I would like to upload ca-certificates_20200611~deb9u1 with the
following changes:
----
ca-certificates (20200611~deb9u1) stretch; urgency=medium
* Rebuild for stretch.
* This oldstable release Closes: #962596, #942915
-- Michael Shuler <mich...@pbandjelly.org> Thu, 11 Jun 2020 09:11:56
-0500
ca-certificates (20200611) unstable; urgency=medium
* mozilla/blacklist:
Revert Symantec CA blacklist (#911289). Closes: #962596
The following root certificates were added back (+):
+ "GeoTrust Global CA"
+ "GeoTrust Primary Certification Authority"
+ "GeoTrust Primary Certification Authority - G2"
+ "GeoTrust Primary Certification Authority - G3"
+ "GeoTrust Universal CA"
+ "thawte Primary Root CA"
+ "thawte Primary Root CA - G2"
+ "thawte Primary Root CA - G3"
+ "VeriSign Class 3 Public Primary Certification Authority - G4"
+ "VeriSign Class 3 Public Primary Certification Authority - G5"
+ "VeriSign Universal Root Certification Authority"
[ Gianfranco Costamagna ]
* debian/{rules,control}:
Merge Ubuntu patch from Matthias Klose to use Python3 during build.
Closes: #942915
-- Michael Shuler <mich...@pbandjelly.org> Thu, 11 Jun 2020 08:38:00
-0500
----
Source debdiff attached.
ca-certificates_20200611~deb9u1 uploaded to mentors[1], RFS will be
submitted pending pu approval. Source can be fetched from mentors or the
`debian-stretch` git branch, commit
c151326dda72f703f7001f655e331b548eb1e411.
Binary debdiff files list matches unstable upload for 20200611 currently
on mentors - RFS: #962669.
[0]
https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport
[1] https://mentors.debian.net/package/ca-certificates
Kind regards,
Michael
diffstat for ca-certificates-20200601~deb9u1 ca-certificates-20200611~deb9u1
debian/changelog | 37 +++++++++++++++++++++++++++----------
debian/control | 8 ++++----
mozilla/Makefile | 2 +-
mozilla/blacklist.txt | 23 -----------------------
mozilla/certdata2pem.py | 2 +-
5 files changed, 33 insertions(+), 39 deletions(-)
diff -Nru ca-certificates-20200601~deb9u1/debian/changelog
ca-certificates-20200611~deb9u1/debian/changelog
--- ca-certificates-20200601~deb9u1/debian/changelog 2020-06-05
11:52:50.000000000 -0500
+++ ca-certificates-20200611~deb9u1/debian/changelog 2020-06-11
09:11:56.000000000 -0500
@@ -1,16 +1,33 @@
-ca-certificates (20200601~deb9u1) stretch; urgency=medium
+ca-certificates (20200611~deb9u1) stretch; urgency=medium
* Rebuild for stretch.
- * Merge changes from 20200601
- - d/control
- * This release updates the Mozilla CA bundle to 2.40, blacklists
- distrusted Symantec roots, and blacklists expired "AddTrust External
- Root". Closes: #956411, #955038, #911289, #961907
- * Fix permissions on /usr/local/share/ca-certificates when using symlinks.
- Closes: #916833
- * Remove email-only roots from mozilla trust store. Closes: #721976
+ * This oldstable release Closes: #962596, #942915
- -- Michael Shuler <mich...@pbandjelly.org> Fri, 05 Jun 2020 11:52:50 -0500
+ -- Michael Shuler <mich...@pbandjelly.org> Thu, 11 Jun 2020 09:11:56 -0500
+
+ca-certificates (20200611) unstable; urgency=medium
+
+ * mozilla/blacklist:
+ Revert Symantec CA blacklist (#911289). Closes: #962596
+ The following root certificates were added back (+):
+ + "GeoTrust Global CA"
+ + "GeoTrust Primary Certification Authority"
+ + "GeoTrust Primary Certification Authority - G2"
+ + "GeoTrust Primary Certification Authority - G3"
+ + "GeoTrust Universal CA"
+ + "thawte Primary Root CA"
+ + "thawte Primary Root CA - G2"
+ + "thawte Primary Root CA - G3"
+ + "VeriSign Class 3 Public Primary Certification Authority - G4"
+ + "VeriSign Class 3 Public Primary Certification Authority - G5"
+ + "VeriSign Universal Root Certification Authority"
+
+ [ Gianfranco Costamagna ]
+ * debian/{rules,control}:
+ Merge Ubuntu patch from Matthias Klose to use Python3 during build.
+ Closes: #942915
+
+ -- Michael Shuler <mich...@pbandjelly.org> Thu, 11 Jun 2020 08:38:00 -0500
ca-certificates (20200601) unstable; urgency=medium
diff -Nru ca-certificates-20200601~deb9u1/debian/control
ca-certificates-20200611~deb9u1/debian/control
--- ca-certificates-20200601~deb9u1/debian/control 2020-06-05
10:27:08.000000000 -0500
+++ ca-certificates-20200611~deb9u1/debian/control 2020-06-11
09:11:56.000000000 -0500
@@ -3,12 +3,12 @@
Priority: optional
Maintainer: Michael Shuler <mich...@pbandjelly.org>
Uploaders: Raphael Geissert <geiss...@debian.org>,
- Thijs Kinkhorst <th...@debian.org>,
+ Thijs Kinkhorst <th...@debian.org>
Build-Depends: debhelper (>= 10), po-debconf
-Build-Depends-Indep: python, openssl
+Build-Depends-Indep: python3, openssl
Standards-Version: 3.9.8
-Vcs-Git: https://anonscm.debian.org/git/collab-maint/ca-certificates.git
-Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git
+Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
+Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
Package: ca-certificates
Architecture: all
diff -Nru ca-certificates-20200601~deb9u1/mozilla/blacklist.txt
ca-certificates-20200611~deb9u1/mozilla/blacklist.txt
--- ca-certificates-20200601~deb9u1/mozilla/blacklist.txt 2020-06-03
12:48:57.000000000 -0500
+++ ca-certificates-20200611~deb9u1/mozilla/blacklist.txt 2020-06-11
09:09:18.000000000 -0500
@@ -11,29 +11,6 @@
"TURKTRUST Mis-issued Intermediate CA 1"
"TURKTRUST Mis-issued Intermediate CA 2"
-# Distrusted Symantec Root CAs:
-"GeoTrust Global CA"
-"GeoTrust Primary Certification Authority"
-"GeoTrust Primary Certification Authority - G2"
-"GeoTrust Primary Certification Authority - G3"
-"GeoTrust Universal CA"
-"Thawte Premium Server CA"
-"thawte Primary Root CA"
-"thawte Primary Root CA - G2"
-"thawte Primary Root CA - G3"
-"Symantec Class 1 Public Primary Certification Authority - G4"
-"Symantec Class 1 Public Primary Certification Authority - G6"
-"Symantec Class 2 Public Primary Certification Authority - G4"
-"Symantec Class 2 Public Primary Certification Authority - G6"
-"Symantec Class 3 Public Primary Certification Authority - G4"
-"Symantec Class 3 Public Primary Certification Authority - G6"
-"VeriSign Class 1 Public Primary Certification Authority - G3"
-"VeriSign Class 2 Public Primary Certification Authority - G3"
-"VeriSign Class 3 Public Primary Certification Authority - G3"
-"VeriSign Class 3 Public Primary Certification Authority - G4"
-"VeriSign Class 3 Public Primary Certification Authority - G5"
-"VeriSign Universal Root Certification Authority"
-
# Blacklist expired certificate (Not After : May 30 10:48:38 2020 GMT)
# See: https://bugs.debian.org/961907
"AddTrust External Root"
diff -Nru ca-certificates-20200601~deb9u1/mozilla/certdata2pem.py
ca-certificates-20200611~deb9u1/mozilla/certdata2pem.py
--- ca-certificates-20200601~deb9u1/mozilla/certdata2pem.py 2020-06-05
10:27:08.000000000 -0500
+++ ca-certificates-20200611~deb9u1/mozilla/certdata2pem.py 2020-06-11
09:09:18.000000000 -0500
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
# vim:set et sw=4:
#
# certdata2pem.py - splits certdata.txt into multiple files
diff -Nru ca-certificates-20200601~deb9u1/mozilla/Makefile
ca-certificates-20200611~deb9u1/mozilla/Makefile
--- ca-certificates-20200601~deb9u1/mozilla/Makefile 2020-06-05
10:27:08.000000000 -0500
+++ ca-certificates-20200611~deb9u1/mozilla/Makefile 2020-06-11
09:09:18.000000000 -0500
@@ -3,7 +3,7 @@
#
all:
- python certdata2pem.py
+ python3 certdata2pem.py
clean:
-rm -f *.crt