Processed: Re: Bug#962674: stretch-pu: package ca-certificates/20200611~deb9u1

2020-06-11 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #962674 [release.debian.org] stretch-pu: package ca-certificates/20200611~deb9u1
Added tag(s) confirmed.

-- 
962674: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962674
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#962674: stretch-pu: package ca-certificates/20200611~deb9u1

2020-06-11 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2020-06-11 at 13:33 -0500, Michael Shuler wrote:
> #911289 resulted in a regression, and the explicitly blacklisted
> roots have been reverted. One in particular, "GeoTrust Global CA",
> has caused serious issues noted in #962596. The other reverted roots
> also remain in the Mozilla CA bundle[0], so #911289 will require
> additional research and be re-opened when uploaded.

As with the buster update, please go ahead; thanks.

Regards,

Adam



Bug#962674: stretch-pu: package ca-certificates/20200611~deb9u1

2020-06-11 Thread Michael Shuler

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi release team,

#911289 resulted in a regression, and the explicitly blacklisted roots 
have been reverted. One in particular, "GeoTrust Global CA", has caused 
serious issues noted in #962596. The other reverted roots also remain in 
the Mozilla CA bundle[0], so #911289 will require additional research 
and be re-opened when uploaded.


stretch-proposed-updates and stretch-updates both got the previous upload.

I would like to upload ca-certificates_20200611~deb9u1 with the 
following changes:



ca-certificates (20200611~deb9u1) stretch; urgency=medium

  * Rebuild for stretch.
  * This oldstable release Closes: #962596, #942915

 -- Michael Shuler  Thu, 11 Jun 2020 09:11:56 -0500


ca-certificates (20200611) unstable; urgency=medium

  * mozilla/blacklist:
    Revert Symantec CA blacklist (#911289). Closes: #962596
    The following root certificates were added back (+):
    + "GeoTrust Global CA"
    + "GeoTrust Primary Certification Authority"
    + "GeoTrust Primary Certification Authority - G2"
    + "GeoTrust Primary Certification Authority - G3"
    + "GeoTrust Universal CA"
    + "thawte Primary Root CA"
    + "thawte Primary Root CA - G2"
    + "thawte Primary Root CA - G3"
    + "VeriSign Class 3 Public Primary Certification Authority - G4"
    + "VeriSign Class 3 Public Primary Certification Authority - G5"
    + "VeriSign Universal Root Certification Authority"

  [ Gianfranco Costamagna ]
  * debian/{rules,control}:
    Merge Ubuntu patch from Matthias Klose to use Python3 during build.
    Closes: #942915

 -- Michael Shuler  Thu, 11 Jun 2020 08:38:00 -0500



Source debdiff attached.

ca-certificates_20200611~deb9u1 uploaded to mentors[1], RFS will be 
submitted pending pu approval. Source can be fetched from mentors or the 
`debian-stretch` git branch, commit 
c151326dda72f703f7001f655e331b548eb1e411.


Binary debdiff files list matches unstable upload for 20200611 currently 
on mentors - RFS: #962669.


[0] https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport

[1] https://mentors.debian.net/package/ca-certificates

Kind regards,
Michael

diffstat for ca-certificates-20200601~deb9u1 ca-certificates-20200611~deb9u1

 debian/changelog|   37 +++--
 debian/control  |8 
 mozilla/Makefile|2 +-
 mozilla/blacklist.txt   |   23 ---
 mozilla/certdata2pem.py |2 +-
 5 files changed, 33 insertions(+), 39 deletions(-)

diff -Nru ca-certificates-20200601~deb9u1/debian/changelog 
ca-certificates-20200611~deb9u1/debian/changelog
--- ca-certificates-20200601~deb9u1/debian/changelog2020-06-05 
11:52:50.0 -0500
+++ ca-certificates-20200611~deb9u1/debian/changelog2020-06-11 
09:11:56.0 -0500
@@ -1,16 +1,33 @@
-ca-certificates (20200601~deb9u1) stretch; urgency=medium
+ca-certificates (20200611~deb9u1) stretch; urgency=medium
 
   * Rebuild for stretch.
-  * Merge changes from 20200601
-- d/control
-  * This release updates the Mozilla CA bundle to 2.40, blacklists
-distrusted Symantec roots, and blacklists expired "AddTrust External
-Root". Closes: #956411, #955038, #911289, #961907
-  * Fix permissions on /usr/local/share/ca-certificates when using symlinks.
-Closes: #916833
-  * Remove email-only roots from mozilla trust store. Closes: #721976
+  * This oldstable release Closes: #962596, #942915
 
- -- Michael Shuler   Fri, 05 Jun 2020 11:52:50 -0500
+ -- Michael Shuler   Thu, 11 Jun 2020 09:11:56 -0500
+
+ca-certificates (20200611) unstable; urgency=medium
+
+  * mozilla/blacklist:
+Revert Symantec CA blacklist (#911289). Closes: #962596
+The following root certificates were added back (+):
++ "GeoTrust Global CA"
++ "GeoTrust Primary Certification Authority"
++ "GeoTrust Primary Certification Authority - G2"
++ "GeoTrust Primary Certification Authority - G3"
++ "GeoTrust Universal CA"
++ "thawte Primary Root CA"
++ "thawte Primary Root CA - G2"
++ "thawte Primary Root CA - G3"
++ "VeriSign Class 3 Public Primary Certification Authority - G4"
++ "VeriSign Class 3 Public Primary Certification Authority - G5"
++ "VeriSign Universal Root Certification Authority"
+
+  [ Gianfranco Costamagna ]
+  * debian/{rules,control}:
+Merge Ubuntu patch from Matthias Klose to use Python3 during build.
+Closes: #942915
+
+ -- Michael Shuler   Thu, 11 Jun 2020 08:38:00 -0500
 
 ca-certificates (20200601) unstable; urgency=medium
 
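Review bot: the 20200601~deb9u1 stanza at the top of debian/changelog is removed instead of being kept beneath the new 20200611~deb9u1 entry, even though the cover mail says that upload already reached stretch-proposed-updates and stretch-updates. Dropping it loses the stretch upload history and its "Closes: #956411, #955038, #911289, #961907" line, and the new stretch stanza only says "Rebuild for stretch" plus two Closes, so a reader of the stretch entry alone cannot tell that the Symantec blacklist from #911289 shipped to stretch and is now reverted. Consider keeping the old stanza below the new one, or at least naming the blacklist revert in the 20200611~deb9u1 entry itself.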
diff -Nru ca-certificates-20200601~deb9u1/debian/control 
ca-certificates-20200611~deb9u1/debian/control
--- ca-certificates-20200601~deb9u1/debian/control  2020-06-05 
10:27:08.0 -0500
+++ ca-certificates-20200611~deb9u1/debian/control  2020-06-11 
09:11:56.0 -0500
@@ -3,12 +3,12 @@
 Priority: optional