On 11/14/2012 06:12 PM, intrigeri wrote:
> Michael Shuler wrote (11 Nov 2012 20:59:10 GMT) :
>> In parsing certdata.txt for the ca-certificates package, neither of
>> these flags are used when the CA trust database is created, so both
>> CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are
>> ignored. This is why I indicated these lines are innocuous -
>
> Thanks a lot for the detailed explanation!

No problem!

>> Should I re-upload with a changelog entry of something like:
>
>> * Update mozilla/certdata.txt to version 1.86 Closes: #683728
>> + Clean up of "no explicit trust" flag CKT_NSS_TRUST_UNKNOWN to
>> + CKT_NSS_MUST_VERIFY_TRUST
>> + - https://bugzilla.mozilla.org/show_bug.cgi?id=757189
>
> I think it would be even better to replace "clean up" with some
> version of "parsing certdata.txt for the ca-certificates package,
> neither of these flags are used when the CA trust database is created,
> so both CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are
> ignored": IMHO, "Clean up" still describes the change itself, rather
> than the reason why it is reasonable, which is, I think, as important.

Bummer. I was going to update this bug after 20121114 hit unstable. I built ca-certificates_20121114 before getting this note, and it is waiting for upload by my sponsors, as of writing. This upload is being coordinated with an upload of ca-certificates-java with version breaks and depends (see full debdiff).

Here is what I did include for this change in 20121114:

+ * Update mozilla/certdata.txt to version 1.86 Closes: #683728
+ - Replace legacy "no explicit trust" flag of CKT_NSS_TRUST_UNKNOWN for
+ CKT_NSS_MUST_VERIFY_TRUST, instead of a mix of both flags:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=757189
+ Certificates added (+) (none removed):
+ + "Actalis Authentication Root CA"
...

Full debdiff:
http://www.pbandjelly.org/debian/ca-certificates_20120623-20121114.debdiff

So, while I did include a note about the change for context for the reader of the diff (upstream change X: reference), I did not go into detail about why this upstream change is not very meaningful to functionality or packaging (upstream change X: reference - this particular change doesn't really modify anything with ca-certificates because Y). That additional info seems a bit overkill to me, but we can add that, if it would be helpful.
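
Review bot: the changelog entry under "Update mozilla/certdata.txt to version 1.86" names the flag substitution and links the upstream bug, but it does not say that ca-certificates ignores both CKT_NSS_TRUST_UNKNOWN and CKT_NSS_MUST_VERIFY_TRUST when the CA trust database is created, so a reader of the diff cannot tell from the entry that the substitution leaves the generated trust set unchanged. One added clause to that effect would cover it. The phrasing "Replace ... flag of CKT_NSS_TRUST_UNKNOWN for CKT_NSS_MUST_VERIFY_TRUST" is also ambiguous about direction; "with" in place of "for" would read unambiguously.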

Again, I was going to reply after upload, but since there's another question on this, I thought I would take a moment to let you know what's coming.

-- 
Kind regards,
Michael
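
The claim discussed in this thread, that swapping CKT_NSS_TRUST_UNKNOWN for CKT_NSS_MUST_VERIFY_TRUST cannot change which CAs end up trusted when a parser ignores both values, shown as an added example (not part of the original messages and not ca-certificates' own parser). It assumes a simplified selector that acts only on CKT_NSS_TRUSTED_DELEGATOR; the sample trust objects and their labels are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in certdata.txt trust-object syntax (labels are made up;
# hash and MULTILINE_OCTAL attributes are left out for brevity).
SAMPLE = '''\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
'''

TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
               "CKA_TRUST_CODE_SIGNING")
# Assumption: the only trust value this selector acts on. Both "no explicit
# trust" spellings fall through without being examined.
ACTED_ON = {"CKT_NSS_TRUSTED_DELEGATOR"}

def parse_trust_objects(text):
    """Split the text into attribute dicts, one per CKA_CLASS object."""
    objs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\S+)\s*(.*)$", line.strip())
        if not m or line.lstrip().startswith("#"):
            continue  # blank line, comment, or a non "name type value" line
        name, _type, value = m.groups()
        if name == "CKA_CLASS":
            cur = {"class": value}
            objs.append(cur)
        elif cur is not None:
            cur[name] = value.strip('"')
    return [o for o in objs if o["class"] == "CKO_NSS_TRUST"]

def trusted_labels(text):
    """Labels of trust objects with at least one acted-on trust value."""
    return sorted(o["CKA_LABEL"] for o in parse_trust_objects(text)
                  if any(o.get(a) in ACTED_ON for a in TRUST_ATTRS))

def with_flag_substitution(text):
    """Apply the flag replacement described in the changelog entry."""
    return text.replace("CKT_NSS_TRUST_UNKNOWN", "CKT_NSS_MUST_VERIFY_TRUST")

if __name__ == "__main__":
    print(trusted_labels(SAMPLE))
    print(trusted_labels(with_flag_substitution(SAMPLE)))
```
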