Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
On 06/08/2018 03:37 PM, Adam D. Barratt wrote: Ping? We're a week away from the final chance to get an update into jessie-as-oldstable before it becomes jessie-lts. Thanks for the ping. I updated the debian-jessie branch of ca-certificates with mozilla bundle 2.22, and it's ready to be uploaded. Thijs, might you have a chance to upload 20141019+deb8u4 to jessie-updates? If not, perhaps we can wrangle someone else to help. commit: ce1498e496b749f71fd96d60942d2c2aa7fdf0ca $ git diff --stat debian/20141019+deb8u3 debian-jessie debian/changelog |74 + debian/control | 1 - mozilla/certdata.txt | 28220 +-- mozilla/nssckbi.h|39 +- 4 files changed, 10787 insertions(+), 17547 deletions(-) Thanks all! -- Kind regards, Michael
Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Control: tags -1 + moreinfo On Mon, 2017-10-23 at 08:59 -0400, Antoine Beaupré wrote: > On 2017-07-19 11:35:56, Michael Shuler wrote: ... > > I spent a few sessions over the past few days getting the mozilla > > bundle > > 2.14 committed to all the suite branches wheezy and newer. I have > > some > > more verification to work on and I'll get some packages rolled up > > and > > tested for all the suites. > > > > I appreciate the notes here! > > Hi! > > Any update here? According to our records, this issue is still > pending... I see you pushed the updates to wheezy, but didn't upload > the > results... Do you need help preparing the upload? > Ping? We're a week away from the final chance to get an update into jessie-as-oldstable before it becomes jessie-lts. Regards, Adam
Processed: Re: Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Processing control commands: > tags -1 + moreinfo Bug #867461 [release.debian.org] jessie-pu: package ca-certificates/20141019+deb8u3 Added tag(s) moreinfo. -- 867461: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867461 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
On 14/01/18 22:10, Brian May wrote: > Raphael Hertzog writes: > >> Yes, please. I saw reports of failures on IRC due to missing CA >> certificates. > > Done that now. > > Does this deserve a DLA? It certainly does. But don't make it a 'security update', but just 'update'. See e.g. my tzdata advisories. > If so, I have no idea what to include. Maybe > something like: > > --- cut --- > This release does a complete update of the CA list. This includes > removing the StartCom and WoSign certificates to as they are now > untrusted by the major browser vendors. > --- cut --- > > Or do I need more details? e.g. the list of certificates added/removed > from debian/changelog? That snippet sounds good to me. Cheers, Emilio
Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Raphael Hertzog writes: > Yes, please. I saw reports of failures on IRC due to missing CA > certificates. Done that now. Does this deserve a DLA? If so, I have no idea what to include. Maybe something like: --- cut --- This release does a complete update of the CA list. This includes removing the StartCom and WoSign certificates to as they are now untrusted by the major browser vendors. --- cut --- Or do I need more details? e.g. the list of certificates added/removed from debian/changelog? -- Brian May
Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
On Fri, January 12, 2018 10:24, Raphael Hertzog wrote: > Hi, > > On Tue, 09 Jan 2018, Brian May wrote: >> Raphael Hertzog writes: >> >> > I think this mail went through the cracks as we haven't received a >> reply >> > from you so far. Can you let us know the status and whether we can >> help to >> > get the wheezy update out ? >> >> Hello Debian-LTS team: >> >> As we are lacking any response (yet) from Michael Shuler, I am wondering >> if we should go ahead and upload the wheezy version anyway? > > Yes, please. I saw reports of failures on IRC due to missing CA > certificates. As co-maintainer of ca-certificates you have my ok for this change in wheezy, indeed a good idea. Cheers, Thijs
Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Hi, On Tue, 09 Jan 2018, Brian May wrote: > Raphael Hertzog writes: > > > I think this mail went through the cracks as we haven't received a reply > > from you so far. Can you let us know the status and whether we can help to > > get the wheezy update out ? > > Hello Debian-LTS team: > > As we are lacking any response (yet) from Michael Shuler, I am wondering > if we should go ahead and upload the wheezy version anyway? Yes, please. I saw reports of failures on IRC due to missing CA certificates. 10:07 ERROR: The certificate of `downloads.sourceforge.net' hasn't got a known issuer. 10:07 that still worked a few days ago :( 10:07 (on wheezy) Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/
Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Raphael Hertzog writes: > I think this mail went through the cracks as we haven't received a reply > from you so far. Can you let us know the status and whether we can help to > get the wheezy update out ? Hello Debian-LTS team: As we are lacking any response (yet) from Michael Shuler, I am wondering if we should go ahead and upload the wheezy version anyway? As far as I can tell, the only change required to the debian-wheezy branch is that the distribution in the changelog refers to "wheezy" instead of "wheezy-security". Regards -- Brian May
Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Hello Michael, I think this mail went through the cracks as we haven't received a reply from you so far. Can you let us know the status and whether we can help to get the wheezy update out ? Cheers, On Mon, 23 Oct 2017, Antoine Beaupré wrote: > On 2017-07-19 11:35:56, Michael Shuler wrote: > > On 07/06/2017 11:13 PM, Paul Wise wrote: > >> On Fri, Jul 7, 2017 at 2:01 AM, Antoine Beaupré wrote: > >> > >>> For what it's worth, my opinion is that we should attempt to synchronize > >>> certdata.txt (and blacklist.txt, for that matter) across all suites (but > >>> not other changes to the packaging). This would remove another decision > >>> point in our infrastructure and ensure harmonious X509 processing across > >>> suites. > >> > >> I would like to see that happen too. > > > > I spent a few sessions over the past few days getting the mozilla bundle > > 2.14 committed to all the suite branches wheezy and newer. I have some > > more verification to work on and I'll get some packages rolled up and > > tested for all the suites. > > > > I appreciate the notes here! > > Hi! > > Any update here? According to our records, this issue is still > pending... I see you pushed the updates to wheezy, but didn't upload the > results... Do you need help preparing the upload? > > Thanks, > > A. > > -- > What people say, what people do, and what they say they do are > entirely different things. > - Margaret Mead > -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/
Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
On 2017-07-19 11:35:56, Michael Shuler wrote: > On 07/06/2017 11:13 PM, Paul Wise wrote: >> On Fri, Jul 7, 2017 at 2:01 AM, Antoine Beaupré wrote: >> >>> For what it's worth, my opinion is that we should attempt to synchronize >>> certdata.txt (and blacklist.txt, for that matter) across all suites (but >>> not other changes to the packaging). This would remove another decision >>> point in our infrastructure and ensure harmonious X509 processing across >>> suites. >> >> I would like to see that happen too. > > I spent a few sessions over the past few days getting the mozilla bundle > 2.14 committed to all the suite branches wheezy and newer. I have some > more verification to work on and I'll get some packages rolled up and > tested for all the suites. > > I appreciate the notes here! Hi! Any update here? According to our records, this issue is still pending... I see you pushed the updates to wheezy, but didn't upload the results... Do you need help preparing the upload? Thanks, A. -- What people say, what people do, and what they say they do are entirely different things. - Margaret Mead
Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
On 2017-07-19 11:35:56, Michael Shuler wrote: > On 07/06/2017 11:13 PM, Paul Wise wrote: >> On Fri, Jul 7, 2017 at 2:01 AM, Antoine Beaupré wrote: >> >>> For what it's worth, my opinion is that we should attempt to synchronize >>> certdata.txt (and blacklist.txt, for that matter) across all suites (but >>> not other changes to the packaging). This would remove another decision >>> point in our infrastructure and ensure harmonious X509 processing across >>> suites. >> >> I would like to see that happen too. > > I spent a few sessions over the past few days getting the mozilla bundle > 2.14 committed to all the suite branches wheezy and newer. I have some > more verification to work on and I'll get some packages rolled up and > tested for all the suites. > > I appreciate the notes here! Thanks! let us know if you need help with the LTS bits. a. -- On reconnait la grandeur et la valeur d'une nation à la façon dont celle-ci traite ses animaux. - Mahatma Gandhi
Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
On 07/06/2017 11:13 PM, Paul Wise wrote: > On Fri, Jul 7, 2017 at 2:01 AM, Antoine Beaupré wrote: > >> For what it's worth, my opinion is that we should attempt to synchronize >> certdata.txt (and blacklist.txt, for that matter) across all suites (but >> not other changes to the packaging). This would remove another decision >> point in our infrastructure and ensure harmonious X509 processing across >> suites. > > I would like to see that happen too. I spent a few sessions over the past few days getting the mozilla bundle 2.14 committed to all the suite branches wheezy and newer. I have some more verification to work on and I'll get some packages rolled up and tested for all the suites. I appreciate the notes here! -- Kind regards, Michael