Bug#692911: unblock: ca-certificates/20121105

2012-11-19 Thread intrigeri
Hi,

Michael Shuler wrote (18 Nov 2012 21:22:54 GMT) :
> 20121114 has not been uploaded to unstable, yet, so I had some time to
> rebuild and include an additional note, today:
>
> * Update mozilla/certdata.txt to version 1.86  Closes: #683728
>   - Replace legacy no explicit trust flag of CKT_NSS_TRUST_UNKNOWN for
>     CKT_NSS_MUST_VERIFY_TRUST, instead of a mix of both flags:
>     https://bugzilla.mozilla.org/show_bug.cgi?id=757189
>     This upstream fix does not change the CA certificates installed in
>     ca-certificates as both flags are ignored. Only those CA certificates
>     with the CKT_NSS_TRUSTED_DELEGATOR flag in certdata.txt are installed.
>
> I hope that helps with some clarity for that upstream change. :)

Perfectly fine with me, much appreciated!

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/85r4npc47y@boum.org



Bug#692911: unblock: ca-certificates/20121105

2012-11-18 Thread Michael Shuler
On 11/15/2012 08:46 AM, Michael Shuler wrote:
> On 11/14/2012 06:12 PM, intrigeri wrote:
>> I think it would be even better to replace "clean up" with some
>> version of "parsing certdata.txt for the ca-certificates package,
>> neither of these flags are used when the CA trust database is created,
>> so both CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are
>> ignored": IMHO, "Clean up" still describes the change itself, rather
>> than the reason why it is reasonable, which is, I think, as important.

20121114 has not been uploaded to unstable, yet, so I had some time to
rebuild and include an additional note, today:

* Update mozilla/certdata.txt to version 1.86  Closes: #683728
  - Replace legacy no explicit trust flag of CKT_NSS_TRUST_UNKNOWN for
    CKT_NSS_MUST_VERIFY_TRUST, instead of a mix of both flags:
    https://bugzilla.mozilla.org/show_bug.cgi?id=757189
    This upstream fix does not change the CA certificates installed in
    ca-certificates as both flags are ignored. Only those CA certificates
    with the CKT_NSS_TRUSTED_DELEGATOR flag in certdata.txt are installed.

I hope that helps with some clarity for that upstream change. :)

Full testing debdiff:
http://www.pbandjelly.org/debian/ca-certificates_20120623-20121114.debdiff

-- 
Kind regards,
Michael Shuler
my penance: https://twitter.com/mshuler/status/269181404754096128





Bug#692911: unblock: ca-certificates/20121105

2012-11-15 Thread intrigeri
Hi,

Michael Shuler wrote (11 Nov 2012 20:59:10 GMT) :
> In parsing certdata.txt for the ca-certificates package, neither of
> these flags are used when the CA trust database is created, so both
> CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are
> ignored. This is why I indicated these lines are innocuous -

Thanks a lot for the detailed explanation!

> Should I re-upload with a changelog entry of something like:

 diff --git a/debian/changelog b/debian/changelog
 index 861abed..3fe8329 100644
 --- a/debian/changelog
 +++ b/debian/changelog
 @@ -1,6 +1,9 @@
  ca-certificates (20121105) unstable; urgency=low

* Update mozilla/certdata.txt to version 1.86  Closes: #683728
 +Clean up of no explicit trust flag CKT_NSS_TRUST_UNKNOWN to
 +CKT_NSS_MUST_VERIFY_TRUST
 +- https://bugzilla.mozilla.org/show_bug.cgi?id=757189

I think it would be even better to replace "clean up" with some
version of "parsing certdata.txt for the ca-certificates package,
neither of these flags are used when the CA trust database is created,
so both CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are
ignored": IMHO, "Clean up" still describes the change itself, rather
than the reason why it is reasonable, which is, I think, as important.

> Or should I patch out these changes from mozilla/certdata.txt and
> re-upload?

Personally, I think these changes should be fine, once it's properly
documented why they have no practical effect, but the final call is
not mine.

In any case, this is starting to look like a pre-approval request more
than an unblock one, since the actual package to unblock has not been
uploaded yet. So, I guess it might be dealt with slightly faster if
the bug against release.d.o was formally put into the right category.

Cheers!
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc


Archive: http://lists.debian.org/85d2zfsozj@boum.org



Bug#692911: unblock: ca-certificates/20121105

2012-11-15 Thread Adam D. Barratt

On 15.11.2012 00:12, intrigeri wrote:
> In any case, this is starting to look like a pre-approval request more
> than an unblock one, since the actual package to unblock has not been
> uploaded yet. So, I guess it might be dealt with slightly faster if
> the bug against release.d.o was formally put into the right category.


It's already usertagged unblock, which is the right category. If 
you're thinking of freeze-exception, that's been deprecated, hence 
wheezy / sid's reportbug not offering it any more.


Regards,

Adam


Archive: http://lists.debian.org/4966a958bd88f716e00c740ab4cb4...@mail.adsl.funky-badger.org



Bug#692911: unblock: ca-certificates/20121105

2012-11-15 Thread Michael Shuler
On 11/14/2012 06:12 PM, intrigeri wrote:
> Michael Shuler wrote (11 Nov 2012 20:59:10 GMT) :
>> In parsing certdata.txt for the ca-certificates package, neither of
>> these flags are used when the CA trust database is created, so both
>> CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are
>> ignored. This is why I indicated these lines are innocuous -
>
> Thanks a lot for the detailed explanation!

No problem!

>> Should I re-upload with a changelog entry of something like:
 
* Update mozilla/certdata.txt to version 1.86  Closes: #683728
 +Clean up of no explicit trust flag CKT_NSS_TRUST_UNKNOWN to
 +CKT_NSS_MUST_VERIFY_TRUST
 +- https://bugzilla.mozilla.org/show_bug.cgi?id=757189
 
> I think it would be even better to replace "clean up" with some
> version of "parsing certdata.txt for the ca-certificates package,
> neither of these flags are used when the CA trust database is created,
> so both CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are
> ignored": IMHO, "Clean up" still describes the change itself, rather
> than the reason why it is reasonable, which is, I think, as important.

Bummer. I was going to update this bug after 20121114 hit unstable.

I built ca-certificates_20121114 before getting this note, and it is
waiting for upload by my sponsors, as of writing. This upload is being
coordinated with an upload of ca-certificates-java with version breaks
and depends (see full debdiff).

Here is what I did include for this change in 20121114:

+  * Update mozilla/certdata.txt to version 1.86  Closes: #683728
+- Replace legacy no explicit trust flag of CKT_NSS_TRUST_UNKNOWN for
+  CKT_NSS_MUST_VERIFY_TRUST, instead of a mix of both flags:
+  https://bugzilla.mozilla.org/show_bug.cgi?id=757189
+Certificates added (+) (none removed):
++ Actalis Authentication Root CA
...

Full debdiff:
http://www.pbandjelly.org/debian/ca-certificates_20120623-20121114.debdiff

So, while I did include a note about the change for context for the
reader of the diff (upstream change X: reference), I did not go into
detail about why this upstream change is not very meaningful to
functionality or packaging (upstream change X: reference - this
particular change doesn't really modify anything with ca-certificates
because Y). That additional info seems a bit overkill to me, but we can
add that, if it would be helpful.

Again, I was going to reply after upload, but since there's another
question on this, I thought I would take a moment to let you know what's
coming.

-- 
Kind regards,
Michael


Archive: http://lists.debian.org/50a50040.9060...@pbandjelly.org



Bug#692911: unblock: ca-certificates/20121105

2012-11-11 Thread intrigeri
Hi,

Michael Shuler wrote (10 Nov 2012 19:02:14 GMT) :
> I intended to add a comment that those lines are in the debdiff from
> the new certdata.txt and that they are innocuous.

That may be me nitpicking, but "they are innocuous" does not really
address my desire to understand an undocumented change in
a security-sensitive area. I'm still curious and feeling like this
should be documented somehow, but I'll happily let others decide how
important this concern of mine is for Debian.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc


Archive: http://lists.debian.org/85625cknu7@boum.org



Bug#692911: unblock: ca-certificates/20121105

2012-11-11 Thread Michael Shuler
On 11/11/2012 12:15 PM, intrigeri wrote:
> That may be me nitpicking, but "they are innocuous" does not really
> address my desire to understand an undocumented change in
> a security-sensitive area. I'm still curious and feeling like this
> should be documented somehow, but I'll happily let others decide how
> important this concern of mine is for Debian.

For full context on the change, this came in an upstream patch for
mozilla/certdata.txt 1.83-1.84 - this is the upstream bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=757189

mozilla/certdata.txt 1.83 was in ca-certificates_20120623

Quick summary of the mozilla bug: there were two different flags being
used within certdata.txt to indicate no explicit trust:
CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN. The change upstream
was to get rid of the legacy TRUST_UNKNOWN flags and replace them with
MUST_VERIFY_TRUST, since this is how new flags were being added.

In parsing certdata.txt for the ca-certificates package, neither of
these flags are used when the CA trust database is created, so both
CKT_NSS_MUST_VERIFY_TRUST and CKT_NSS_TRUST_UNKNOWN flags are ignored.
This is why I indicated these lines are innocuous -
CKT_NSS_MUST_VERIFY_TRUST is ignored in the same manner as
CKT_NSS_TRUST_UNKNOWN when both flags were present in the file, and now
only CKT_NSS_MUST_VERIFY_TRUST is in certdata.txt, and there are no more
instances of CKT_NSS_TRUST_UNKNOWN in certdata.txt 1.84.

Should I re-upload with a changelog entry of something like:

diff --git a/debian/changelog b/debian/changelog
index 861abed..3fe8329 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 ca-certificates (20121105) unstable; urgency=low

   * Update mozilla/certdata.txt to version 1.86  Closes: #683728
+Clean up of no explicit trust flag CKT_NSS_TRUST_UNKNOWN to
+CKT_NSS_MUST_VERIFY_TRUST
+- https://bugzilla.mozilla.org/show_bug.cgi?id=757189
 Certificates added (+) (none removed):
 + Actalis Authentication Root CA
 + Trustis FPS Root CA
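Review bot: the three added lines `+Clean up of no explicit trust flag CKT_NSS_TRUST_UNKNOWN to` / `+CKT_NSS_MUST_VERIFY_TRUST` say what changed in certdata.txt but not why it is harmless for this package, which is the question the unblock reviewer raised; the reason is stated just above the hunk (the ca-certificates parser ignores both flags and only installs CAs flagged CKT_NSS_TRUSTED_DELEGATOR), so one sentence to that effect belongs under the bugzilla link. "Clean up" also reads like a Debian-side edit of certdata.txt; phrasing it as an upstream replacement of the legacy flag makes clear the file was imported unmodified.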

Or should I patch out these changes from mozilla/certdata.txt and re-upload?

-- 
Kind regards,
Michael Shuler



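The parsing rule Michael describes above (and restates in the 20121114 changelog at the top of the thread), as an added Python example that is not part of this thread and not the ca-certificates package's own certdata parser: a toy reader for certdata.txt trust records showing that CKT_NSS_TRUST_UNKNOWN and CKT_NSS_MUST_VERIFY_TRUST lead to the same outcome, so the upstream rename leaves the installed CA set unchanged. The sample "Example Root" records are constructed in the certdata.txt layout, and keying the install decision on CKA_TRUST_SERVER_AUTH is an assumption taken from the diff lines intrigeri quoted, not something the thread states.

```python
"""Toy reader for certdata.txt trust records.

Added illustration, not the ca-certificates package's own parser. It applies
the rule stated in the thread: a CA is installed only when its trust record
is flagged CKT_NSS_TRUSTED_DELEGATOR (keyed on CKA_TRUST_SERVER_AUTH here,
an assumption), so CKT_NSS_TRUST_UNKNOWN and CKT_NSS_MUST_VERIFY_TRUST both
fall through as "not installed" and the upstream rename is a no-op.
"""

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"
# The two "no explicit trust" spellings discussed in the thread.
NO_EXPLICIT_TRUST = {"CKT_NSS_TRUST_UNKNOWN", "CKT_NSS_MUST_VERIFY_TRUST"}

# Constructed sample in the certdata.txt record layout (CKO_NSS_TRUST
# objects, blank-line separated). Labels are placeholders, not real CAs,
# and the MULTILINE_OCTAL hash body is abbreviated.
CERTDATA_1_83 = """\
# Trust for "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root A"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\\001\\002\\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Trust for "Example Root B"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
"""

# The same records after the upstream clean-up (mozilla bug 757189): every
# legacy CKT_NSS_TRUST_UNKNOWN is now spelled CKT_NSS_MUST_VERIFY_TRUST.
CERTDATA_1_84 = CERTDATA_1_83.replace(
    "CKT_NSS_TRUST_UNKNOWN", "CKT_NSS_MUST_VERIFY_TRUST"
)


def parse_objects(text):
    """Return a list of {attribute: value} dicts, one per record.

    Records are separated by blank lines or '#' comments. A MULTILINE_OCTAL
    attribute's body runs until a line reading END and is skipped, since
    only the trust flags matter here.
    """
    objects, current, in_octal = [], {}, False
    for line in text.splitlines():
        if in_octal:
            in_octal = line.strip() != "END"
            continue
        if not line.strip() or line.startswith("#"):
            if current:
                objects.append(current)
                current = {}
            continue
        parts = line.split(None, 2)
        attr, ck_type = parts[0], parts[1]
        if ck_type == "MULTILINE_OCTAL":
            in_octal = True
            continue
        value = parts[2] if len(parts) > 2 else ""
        if ck_type == "UTF8":
            value = value.strip('"')
        current[attr] = value
    if current:
        objects.append(current)
    return objects


def installed_cas(text):
    """Labels whose server-auth trust is CKT_NSS_TRUSTED_DELEGATOR."""
    return sorted(
        obj["CKA_LABEL"]
        for obj in parse_objects(text)
        if obj.get("CKA_CLASS") == "CKO_NSS_TRUST"
        and obj.get("CKA_TRUST_SERVER_AUTH") == TRUSTED
    )


def trust_flag_counts(text):
    """How often each CK_TRUST value occurs; shows which spelling a file uses."""
    counts = {}
    for obj in parse_objects(text):
        for value in obj.values():
            if value == TRUSTED or value in NO_EXPLICIT_TRUST:
                counts[value] = counts.get(value, 0) + 1
    return counts


def rename_is_noop(old_text, new_text):
    """True when the flag rename leaves the installed CA set unchanged."""
    return installed_cas(old_text) == installed_cas(new_text)


if __name__ == "__main__":
    for name, data in (("1.83", CERTDATA_1_83), ("1.84", CERTDATA_1_84)):
        print(name, trust_flag_counts(data), "installed:", installed_cas(data))
    print("rename is a no-op:", rename_is_noop(CERTDATA_1_83, CERTDATA_1_84))
```

Run as-is, it reports that the 1.83-style sample carries three CKT_NSS_TRUST_UNKNOWN values and the 1.84-style sample three CKT_NSS_MUST_VERIFY_TRUST values, while the installed set is "Example Root A" in both cases; the same comparison run over the real old and new certdata.txt is the check a reviewer would want before calling such a flag change innocuous.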


Bug#692911: unblock: ca-certificates/20121105

2012-11-10 Thread Michael Shuler
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock


Please unblock package ca-certificates

ca-certificates/20121105 has been uploaded to unstable and includes two
important fixes for Wheezy:

ca-certificates (20121105) unstable; urgency=low

  * Update mozilla/certdata.txt to version 1.86  Closes: #683728
Certificates added (+) (none removed):
+ Actalis Authentication Root CA
+ Trustis FPS Root CA
+ StartCom Certification Authority (renewal/rehash)
+ StartCom Certification Authority G2
+ Buypass Class 2 Root CA
+ Buypass Class 3 Root CA
+ TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
+ T-TeleSec GlobalRoot Class 3
+ EE Certification Centre Root CA
  * Correct piuparts package remove/purge behavior  Closes: #682125
- Remove deletes of /etc/ssl{,/certs} from debian/postrm

A debdiff against the package in testing is attached. Although #683728 was
requested by Eddy Nigg at StartCom, I think it is important to include the
latest available mozilla CA bundle for Wheezy.

unblock ca-certificates/20121105

-- 
Kind regards,
Michael Shuler

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Attachment: ca-certificates_20120623-20121105.debdiff.gz


Bug#692911: unblock: ca-certificates/20121105

2012-11-10 Thread intrigeri
tags 692911 + moreinfo
thanks

Hi,

Michael Shuler wrote (10 Nov 2012 17:52:41 GMT) :
> unblock ca-certificates/20121105

There are multiple instances of:

 -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
 +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

I guess that was imported from the new Mozilla certdata, but the way
debian/changelog is phrased leads me to believe the only change is
adding CA certificates, which apparently is not the case.

Otherwise, looks good to me.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc


Archive: http://lists.debian.org/85ip9dwc55@boum.org



Processed: Re: Bug#692911: unblock: ca-certificates/20121105

2012-11-10 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 692911 + moreinfo
Bug #692911 [release.debian.org] unblock: ca-certificates/20121105
Added tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
692911: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692911
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Archive: http://lists.debian.org/handler.s.c.135257181719537.transcr...@bugs.debian.org



Bug#692911: unblock: ca-certificates/20121105

2012-11-10 Thread Michael Shuler
On 11/10/2012 12:23 PM, intrigeri wrote:
> Michael Shuler wrote (10 Nov 2012 17:52:41 GMT) :
>> unblock ca-certificates/20121105
>
> There are multiple instances of:
>
 -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
 +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 
> I guess that was imported from the new Mozilla certdata, but the way
> debian/changelog is phrased leads me to believe the only change is
> adding CA certificates, which apparently is not the case.

Darn. I intended to add a comment that those lines are in the debdiff
from the new certdata.txt and that they are innocuous.

> Otherwise, looks good to me.

Thank you for the look.

-- 
Kind regards,
Michael


