On 11/15/2012 08:46 AM, Michael Shuler wrote: > On 11/14/2012 06:12 PM, intrigeri wrote: >> I think it would be even better to replace "clean up" with some >> version of "parsing certdata.txt for the ca-certificates package, >> neither of these flags are used when the CA trust database is created, >> so both CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are >> ignored": IMHO, "Clean up" still describes the change itself, rather >> than the reason why it is reasonable, which is, I think, as important.
20121114 has not been uploaded to unstable, yet, so I had some time to rebuild and include an additional note, today: * Update mozilla/certdata.txt to version 1.86 Closes: #683728 - Replace legacy "no explicit trust" flag of CKT_NSS_TRUST_UNKNOWN for CKT_NSS_MUST_VERIFY_TRUST, instead of a mix of both flags: https://bugzilla.mozilla.org/show_bug.cgi?id=757189 This upstream fix does not change the CA certificates installed in ca-certificates as both flags are ignored. Only those CA certificates with the CKT_NSS_TRUSTED_DELEGATOR flag in certdata.txt are installed. I hope that helps with some clarity for that upstream change. :) Full testing debdiff: http://www.pbandjelly.org/debian/ca-certificates_20120623-20121114.debdiff -- Kind regards, Michael Shuler my penance: https://twitter.com/mshuler/status/269181404754096128
signature.asc
Description: OpenPGP digital signature