On Wed, Jun 03, 2020 at 08:40:02AM -0500, Michael Shuler wrote:
>...
> Generally, expiry date has not been an issue remaining in the bundle until
> removal upstream, since the certification authorities have managed migration
> to new roots well and openssl>=1.1.1 handles this gracefully. This appears
> to have not been the case with AddTrust and older openssl<1.1.1 bug, as that
> fix was not backported, to the best of my understanding.

gnutls has the same problem (#961889).

But you do have a point that libraries are supposed to handle this
situation gracefully.

>...
> Re: security uploads:
>
> I have received no reply from the security team, as of this message, so
> awaiting their OK/advice. Copy of email sent to team@security, since there
> is no secret info in here:
>...

Please wait for an ACK from the security team before making uploads
to -security or asking others to do so.

While maintainers are allowed to update their packages quite freely
in unstable (with some exceptions like library transitions or the
freeze before a release), uploads to *-security and stable distributions
need an ACK first.

> Kind regards,
> Michael

cu
Adrian