Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Hi release team,
#911289 resulted in a regression, and the explicitly blacklisted roots
have been reverted. One in particular, "GeoTrust Global CA", has caused
serious issues noted in #962596. The other reverted roots also remain in
the Mozilla CA bundle[0], so #911289 will require additional research
and be re-opened when uploaded.
stretch-proposed-updates and stretch-updates both got the previous upload.
I would like to upload ca-certificates_20200611~deb9u1 with the
following changes:
ca-certificates (20200611~deb9u1) stretch; urgency=medium
* Rebuild for stretch.
* This oldstable release Closes: #962596, #942915
-- Michael Shuler Thu, 11 Jun 2020 09:11:56
-0500
ca-certificates (20200611) unstable; urgency=medium
* mozilla/blacklist:
Revert Symantec CA blacklist (#911289). Closes: #962596
The following root certificates were added back (+):
+ "GeoTrust Global CA"
+ "GeoTrust Primary Certification Authority"
+ "GeoTrust Primary Certification Authority - G2"
+ "GeoTrust Primary Certification Authority - G3"
+ "GeoTrust Universal CA"
+ "thawte Primary Root CA"
+ "thawte Primary Root CA - G2"
+ "thawte Primary Root CA - G3"
+ "VeriSign Class 3 Public Primary Certification Authority - G4"
+ "VeriSign Class 3 Public Primary Certification Authority - G5"
+ "VeriSign Universal Root Certification Authority"
[ Gianfranco Costamagna ]
* debian/{rules,control}:
Merge Ubuntu patch from Matthias Klose to use Python3 during build.
Closes: #942915
-- Michael Shuler Thu, 11 Jun 2020 08:38:00
-0500
Source debdiff attached.
ca-certificates_20200611~deb9u1 uploaded to mentors[1], RFS will be
submitted pending pu approval. Source can be fetched from mentors or the
`debian-stretch` git branch, commit
c151326dda72f703f7001f655e331b548eb1e411.
Binary debdiff files list matches unstable upload for 20200611 currently
on mentors - RFS: #962669.
[0]
https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport
[1] https://mentors.debian.net/package/ca-certificates
Kind regards,
Michael
diffstat for ca-certificates-20200601~deb9u1 ca-certificates-20200611~deb9u1
debian/changelog| 37 +++--
debian/control |8
mozilla/Makefile|2 +-
mozilla/blacklist.txt | 23 ---
mozilla/certdata2pem.py |2 +-
5 files changed, 33 insertions(+), 39 deletions(-)
diff -Nru ca-certificates-20200601~deb9u1/debian/changelog
ca-certificates-20200611~deb9u1/debian/changelog
--- ca-certificates-20200601~deb9u1/debian/changelog2020-06-05
11:52:50.0 -0500
+++ ca-certificates-20200611~deb9u1/debian/changelog2020-06-11
09:11:56.0 -0500
@@ -1,16 +1,33 @@
-ca-certificates (20200601~deb9u1) stretch; urgency=medium
+ca-certificates (20200611~deb9u1) stretch; urgency=medium
* Rebuild for stretch.
- * Merge changes from 20200601
-- d/control
- * This release updates the Mozilla CA bundle to 2.40, blacklists
-distrusted Symantec roots, and blacklists expired "AddTrust External
-Root". Closes: #956411, #955038, #911289, #961907
- * Fix permissions on /usr/local/share/ca-certificates when using symlinks.
-Closes: #916833
- * Remove email-only roots from mozilla trust store. Closes: #721976
+ * This oldstable release Closes: #962596, #942915
- -- Michael Shuler Fri, 05 Jun 2020 11:52:50 -0500
+ -- Michael Shuler Thu, 11 Jun 2020 09:11:56 -0500
+
+ca-certificates (20200611) unstable; urgency=medium
+
+ * mozilla/blacklist:
+Revert Symantec CA blacklist (#911289). Closes: #962596
+The following root certificates were added back (+):
++ "GeoTrust Global CA"
++ "GeoTrust Primary Certification Authority"
++ "GeoTrust Primary Certification Authority - G2"
++ "GeoTrust Primary Certification Authority - G3"
++ "GeoTrust Universal CA"
++ "thawte Primary Root CA"
++ "thawte Primary Root CA - G2"
++ "thawte Primary Root CA - G3"
++ "VeriSign Class 3 Public Primary Certification Authority - G4"
++ "VeriSign Class 3 Public Primary Certification Authority - G5"
++ "VeriSign Universal Root Certification Authority"
+
+ [ Gianfranco Costamagna ]
+ * debian/{rules,control}:
+Merge Ubuntu patch from Matthias Klose to use Python3 during build.
+Closes: #942915
+
+ -- Michael Shuler Thu, 11 Jun 2020 08:38:00 -0500
ca-certificates (20200601) unstable; urgency=medium
diff -Nru ca-certificates-20200601~deb9u1/debian/control
ca-certificates-20200611~deb9u1/debian/control
--- ca-certificates-20200601~deb9u1/debian/control 2020-06-05
10:27:08.0 -0500
+++ ca-certificates-20200611~deb9u1/debian/control 2020-06-11
09:11:56.0 -0500
@@ -3,12 +3,12 @@
Priority: optional