On Fri 01 Oct 2021 at 13:20:01 (+0200), Thomas Schmitt wrote:
> I would prefer not to rely on an allow-list.
>
> So I currently ponder how to transplant the certificates from a Debian 10
> machine.
> man update-ca-certificates talks of
>   /etc/ssl/certs
>   /etc/ca-certificates.conf
>   /usr/share/ca-certificates
> In the latter I see on Debian 10:
>   ./mozilla
> with 126 .crt files.
> The Debian 8 machine has 172 files in there.
> The ca-certificates.conf files seem just to list those files on both
> machines.
>
> So a brute force attempt would be to rename the two directories and
> the file to other names and to then copy the Debian 10 stuff to the
> original names. The new /etc/ssl/certs would start empty and be
> populated by update-ca-certificates(8).
>
> Well, same old question: How bad an idea is this?
> What should I read before making such theories?

Looking at the Packages files for wheezy and stretch, the dependencies
haven't changed:

stretch

Package: ca-certificates
Version: 20200601~deb9u1
Installed-Size: 380
Maintainer: Michael Shuler <[email protected]>
Architecture: all
Depends: openssl (>= 1.0.0), debconf (>= 0.5) | debconf-2.0

wheezy

Package: ca-certificates
Version: 20130119+deb7u1
Installed-Size: 432
Maintainer: Michael Shuler <[email protected]>
Architecture: all
Depends: openssl (>= 1.0.0), debconf (>= 0.5) | debconf-2.0

So under the circumstances, having backed up the files in /etc and
/usr/share for ca-certificates and openssl, I would install stretch's
version manually, using the variant syntax:

apt ./ca-certificates_20200601~deb9u1_all.deb

Cheers,
David.
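
The dependency comparison described in the message above, as an added example that is not part of the original mail: it parses the two quoted stanzas and reports any relationship field that differs. The function names and the choice of fields to compare are assumptions of this example; the Maintainer lines are left out because the address is obscured on the page.

```python
import re

# Stanzas as quoted in the message, Maintainer line omitted.
STRETCH = """\
Package: ca-certificates
Version: 20200601~deb9u1
Installed-Size: 380
Architecture: all
Depends: openssl (>= 1.0.0), debconf (>= 0.5) | debconf-2.0
"""
WHEEZY = """\
Package: ca-certificates
Version: 20130119+deb7u1
Installed-Size: 432
Architecture: all
Depends: openssl (>= 1.0.0), debconf (>= 0.5) | debconf-2.0
"""
# Relationship fields that decide whether a newer .deb installs cleanly.
DEP_FIELDS = ("Pre-Depends", "Depends", "Conflicts", "Breaks")
ALT_RE = re.compile(r"\s*([^\s(]+)\s*(?:\(\s*([<>=]+)\s*([^)\s]+)\s*\))?")

def parse_stanza(text):
    """Parse one control stanza into a dict, joining continuation lines."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += " " + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value.strip()
    return fields

def parse_relations(value):
    """Turn 'a (>= 1), b | c' into a set of tuples of (name, op, version)."""
    groups = set()
    for clause in filter(None, (c.strip() for c in value.split(","))):
        groups.add(tuple(ALT_RE.match(alt).groups() for alt in clause.split("|")))
    return groups

def relation_diff(old, new):
    """Return {field: (only_in_old, only_in_new)} for fields that differ."""
    a, b = parse_stanza(old), parse_stanza(new)
    diff = {}
    for field in DEP_FIELDS:
        ra, rb = parse_relations(a.get(field, "")), parse_relations(b.get(field, ""))
        if ra != rb:
            diff[field] = (ra - rb, rb - ra)
    return diff

if __name__ == "__main__":
    print(relation_diff(WHEEZY, STRETCH) or "relationship fields identical")
```

An empty result only says the declared relationships match; it does not check the versions of openssl and debconf actually installed on the target machine.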

