Debian Bug report logs - #413766
ca-certificates: Recent addition of cacert.org may break some installations


Package: ca-certificates; Maintainer for ca-certificates is Julien Cristau <jcristau@debian.org>; Source for ca-certificates is src:ca-certificates (PTS, buildd, popcon).

Reported by: Vincent Bernat <bernat@luffy.cx>

Date: Wed, 7 Mar 2007 00:12:01 UTC

Severity: important

Tags: patch

Fixed in version ca-certificates/20080809

Done: Philipp Kern <pkern@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Fumitoshi UKAI <ukai@debian.or.jp>:
Bug#413766; Package ca-certificates. (full text, mbox, link).


Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
New Bug report received and forwarded. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@luffy.cx>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ca-certificates: Recent addition of cacert.org may break some installations
Date: Wed, 07 Mar 2007 01:08:50 +0100
Package: ca-certificates
Version: 20070303
Severity: critical
Justification: breaks unrelated software

Hi !

The severity may be a bit severe, but the addition of CAcert.org Class
3 certificate really breaks unrelated software that used the other
certificate. The root certificate was located at
/usr/share/ca-certificates/cacert.org/cacert.org.crt and is now
located at /usr/share/ca-certificates/cacert.org/root.crt.

If, for example, Postfix was configured to use
/usr/share/ca-certificates/cacert.org/cacert.org.crt or
/etc/ssl/certs/cacert.org.pem, both files are now inexistent.

For example, on my Postfix installation, since I was requiring TLS to
send mails, no mails were sent because of the absence of this
certificate.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20-rc4-neo.3
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]         1.5.13     Debian configuration management sy
ii  openssl                       0.9.8e-3   Secure Socket Layer (SSL) binary a

ca-certificates recommends no packages.

-- debconf information:
  ca-certificates/new_crts:
  ca-certificates/trust_new_crts: yes



Severity set to `important' from `critical' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Fumitoshi UKAI <ukai@debian.or.jp>:
Bug#413766; Package ca-certificates. (full text, mbox, link).


Acknowledgement sent to Bjørn Mork <bjorn@mork.no>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>. (full text, mbox, link).


Message #12 received at 413766@bugs.debian.org (full text, mbox, reply):

From: Bjørn Mork <bjorn@mork.no>
To: Debian Bug Tracking System <413766@bugs.debian.org>
Subject: ca-certificates: Recent addition of cacert.org breaks apache-ssl
Date: Wed, 14 Mar 2007 14:08:55 +0100
Package: ca-certificates
Version: 20070303
Followup-For: Bug #413766

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

apache-ssl refused to start after upgrading ca-certificates to 20070303:

canardo:/etc/apache-ssl# /etc/init.d/apache-ssl start
Starting apache-ssl 1.3 web server... failed!

The ssl_error.log showed

[Wed Mar 14 13:52:22 2007] [crit] error reading CA certs
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:02001002:system library:fopen:No such file or directory
[Wed Mar 14 13:52:22 2007] [crit] error:20074002:BIO routines:FILE_CTRL:system lib

strace on the apache-ssl process gave me a further pointer:

canardo:/etc/apache-ssl# strace -f /usr/sbin/apache-ssl -F
[..]
open("/etc/ssl/certs/cacert.org.pem", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
close(4)                                = 0


and sure enough, /etc/ssl/certs/cacert.org.pem pointed to a file that 
was removed by the ca-certificates upgrade:

canardo:/etc/apache-ssl# ls -l /etc/ssl/certs/cacert.org.pem
lrwxrwxrwx 1 root root 52 2007-02-12 12:51 /etc/ssl/certs/cacert.org.pem -> /usr/share/ca-certificates/cacert.org/cacert.org.crt

Changing the symlink to point to /usr/share/ca-certificates/cacert.org/root.crt
fixed the problem:

canardo:/etc/apache-ssl# ln -sf /usr/share/ca-certificates/cacert.org/root.crt /etc/ssl/certs/cacert.org.pem
canardo:/etc/apache-ssl# ls -l /etc/ssl/certs/cacert.org.pem
lrwxrwxrwx 1 root root 46 2007-03-14 13:53 /etc/ssl/certs/cacert.org.pem -> /usr/share/ca-certificates/cacert.org/root.crt

but I believe breaking existing apache-ssl installations like this is a critical
bug.  The admin should at least be warned about the necessary changes.


Bjørn

- -- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]         1.5.11     Debian configuration management sy
ii  openssl                       0.9.8c-4   Secure Socket Layer (SSL) binary a

ca-certificates recommends no packages.

- -- debconf information:
  ca-certificates/new_crts:
* ca-certificates/trust_new_crts: yes

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF9/Pn10rqkowbIskRAjqIAKCO8UcjUWOuZB5S9E2hvQdTQ4Z/dACfYsK3
nBTvzLxpKkw/2oJljCXq1eE=
=lvhq
-----END PGP SIGNATURE-----
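
A check an administrator could run after a ca-certificates upgrade to catch the failure the two reports above describe: a configured CA path, or the /etc/ssl/certs symlink behind it, that no longer resolves. This is an added example, not part of the bug log or of the ca-certificates package; the function names, the throw-away directory tree and the sample main.cf (using Postfix's smtp_tls_CAfile as an assumed setting) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit CA certificate paths after a ca-certificates upgrade.
# Everything lives under a throw-away directory; the real system is not read.

# Print "LINK -> TARGET" for each symlink under DIR ($1) whose target is gone.
find_dangling_ca_links() {
    find "$1" -type l ! -exec test -e {} \; -print | sort |
    while IFS= read -r link; do
        printf '%s -> %s\n' "$link" "$(readlink "$link")"
    done
}

# Print "FILE:LINE: PATH" for each absolute *.crt / *.pem path named in the
# given config files that does not resolve to an existing file.
# Limitation: paths containing whitespace are not recognised.
find_missing_ca_refs() {
    awk '
        BEGIN { FS = "[ \t=]+" }
        /^[ \t]*#/ { next }                  # skip comment lines
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                gsub(/^"|"$/, "", tok)       # drop surrounding double quotes
                if (tok ~ /^\/.*\.(crt|pem)$/)
                    print FILENAME ":" FNR ": " tok
            }
        }' "$@" |
    while IFS= read -r hit; do
        ca_path=${hit##*: }
        # -e follows symlinks, so a dangling link counts as missing
        [ -e "$ca_path" ] || printf '%s\n' "$hit"
    done
}

# Build a constructed tree that mimics the state after the rename:
# root.crt and class3.crt exist, cacert.org.crt is gone, and the old
# /etc/ssl/certs/cacert.org.pem link still points at the removed file.
build_demo_tree() {
    root=$(mktemp -d) || return 1
    share=$root/usr/share/ca-certificates/cacert.org
    mkdir -p "$share" "$root/etc/ssl/certs" "$root/etc/postfix"
    : > "$share/root.crt"                    # placeholders, not real certificates
    : > "$share/class3.crt"
    ln -s "$share/cacert.org.crt" "$root/etc/ssl/certs/cacert.org.pem"  # stale
    ln -s "$share/root.crt"       "$root/etc/ssl/certs/root.pem"        # healthy
    {
        echo '# constructed sample, not taken from the bug report'
        echo "smtp_tls_CAfile = $root/etc/ssl/certs/cacert.org.pem"
    } > "$root/etc/postfix/main.cf"
    printf '%s\n' "$root"
}

# Demo run on the constructed tree.
demo_root=$(build_demo_tree)
echo "Dangling links under etc/ssl/certs:"
find_dangling_ca_links "$demo_root/etc/ssl/certs"
echo "Config references that do not resolve:"
find_missing_ca_refs "$demo_root/etc/postfix/main.cf"
rm -rf "$demo_root"
```

On a real host the two functions would be pointed at /etc/ssl/certs and at the service configuration files that name a CA file.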



Acknowledgement sent to Tatsuya Kinoshita <tats@vega.ocn.ne.jp>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>. (full text, mbox, link).


Message #17 received at 413766@bugs.debian.org (full text, mbox, reply):

From: Tatsuya Kinoshita <tats@vega.ocn.ne.jp>
To: debian-release@lists.debian.org
Cc: 413766@bugs.debian.org
Subject: Re: Please consider ca-certificates_20070303 for etch
Date: Thu, 15 Mar 2007 00:14:22 +0900 (JST)
On March 9, 2007 at 4:22AM -0800,
vorlon (at debian.org) wrote:

> > > > I have no idea why Ukai didn't request this upload to be hinted into
> > > > testing, I'm therefore CC'ing him. The diff seems low-risk for me, and
> > > > the inclusion of the debconf.org and cacert.org CAs seem a very good
> > > > idea to me.
>
> > Sorry, I've been a little bit busy in my business.
>
> > > Well, waiting for confirmation from the maintainer that this should go to
> > > etch.
>
> > It seems no bugs were introduced. Please go to etch.
>
> Ok, unblocked.

On March 8, 2007 at 12:52PM +0100,
siretart (at debian.org) wrote:

> >> debdiff ca-certificates_20061027.2.dsc ca-certificates_20070303.dsc | diffstat
>  Makefile                   |    2
>  cacert.org/README.asc      |   30 ++++++++-----
>  cacert.org/cacert.org.crt  |   41 ------------------
>  cacert.org/class3.crt      |   35 +++++++++++++++
>  cacert.org/root.crt        |   41 ++++++++++++++++++

It seems from Bug#413766 that renaming cacert.org/cacert.org.crt to
cacert.org/root.crt causes problems with other packages.

Please consider fixing Bug#413766 for Etch.

--
Tatsuya Kinoshita

Acknowledgement sent to Tatsuya Kinoshita <tats@vega.ocn.ne.jp>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>. (full text, mbox, link).


Message #22 received at 413766@bugs.debian.org (full text, mbox, reply):

From: Tatsuya Kinoshita <tats@vega.ocn.ne.jp>
To: 413766@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Please consider ca-certificates_20070303 for etch
Date: Thu, 15 Mar 2007 01:24:30 +0900 (JST)
tags 413766 + patch
thanks

On March 15, 2007 at 12:14AM +0900,
tats (at vega.ocn.ne.jp) wrote:

> It seems from Bug#413766 that renaming cacert.org/cacert.org.crt to
> cacert.org/root.crt causes problems with other packages.
> 
> Please consider fixing Bug#413766 for Etch.

The following tiny patch may fix this bug.

----
--- ca-certificates-20070303.ORIG/cacert.org/Makefile
+++ ca-certificates-20070303/cacert.org/Makefile
@@ -3,8 +3,10 @@
 #
 
 all:
+	cp root.crt cacert.org.crt
 
 clean:
+	rm -f cacert.org.crt
 
 install:
 	for p in *.crt; do \
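Review bot: In the all: target, "cp root.crt cacert.org.crt" creates a second full copy of the root certificate, and the "for p in *.crt" loop in install: will then ship it as a separate certificate, so the same CA is installed under two names. If the intent is only to keep the old path working for existing configurations, say so in a comment next to the cp line, and confirm that whatever consumes the installed files tolerates two entries with identical contents. The copy also runs unconditionally on every build; making cacert.org.crt a real target that depends on root.crt would keep the two in sync if root.crt is ever replaced.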
----

-- 
Tatsuya Kinoshita

Tags added: patch Request was from Tatsuya Kinoshita <tats@vega.ocn.ne.jp> to control@bugs.debian.org. (Wed, 14 Mar 2007 16:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>. (full text, mbox, link).


Message #29 received at 413766@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@luffy.cx>
To: control@bugs.debian.org
Cc: debian-release@lists.debian.org, 413766@bugs.debian.org, 413766-subscribe@bugs.debian.org
Subject: ca-certificates_20070303 breaks unrelated software
Date: Thu, 15 Mar 2007 08:53:54 +0100
severity 413766 critical
thanks

Hi !

I am a bit disappointed by the downgrading of the severity of bug
#413766. I have filed it under critical with justification "breaks
unrelated software". It was downgraded to important without any
justification and the discussion in debian-release did not even
mention this bug.

I put severity back to critical : it breaks unrelated software !
Please, read the bug report. Another user reported a similar issue as
a followup.

I am not subscribed to debian-release, so please Cc: me if replies are
made only on this list.
-- 
Write and test a big program in small pieces.
            - The Elements of Programming Style (Kernighan & Plauger)



Severity set to `critical' from `important' Request was from Vincent Bernat <bernat@luffy.cx> to control@bugs.debian.org. (Thu, 15 Mar 2007 08:00:04 GMT) (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>. (full text, mbox, link).


Message #36 received at 413766@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Vincent Bernat <bernat@luffy.cx>
Cc: 413766@bugs.debian.org
Subject: Re: ca-certificates_20070303 breaks unrelated software
Date: Thu, 15 Mar 2007 01:22:50 -0700
severity 413766 important
quit

On Thu, Mar 15, 2007 at 08:53:54AM +0100, Vincent Bernat wrote:
> I am a bit disappointed by the downgrading of the severity of bug
> #413766. I have filed it under critical with justification "breaks
> unrelated software". It was downgraded to important without any
> justification and the discussion in debian-release did not even
> mention this bug.

This "breaks unrelated software" only if you have configured that software
to look at the contents of this package.  Do you intend to also claim
ca-certificates "breaks unrelated software" every time it drops a CA
certificate because they determine the certificate authority isn't
trustworthy?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Severity set to `important' from `critical' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Thu, 15 Mar 2007 08:30:08 GMT) (full text, mbox, link).


Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>. (full text, mbox, link).


Message #43 received at 413766@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@luffy.cx>
To: Steve Langasek <vorlon@debian.org>
Cc: 413766@bugs.debian.org
Subject: Re: ca-certificates_20070303 breaks unrelated software
Date: Thu, 15 Mar 2007 10:18:23 +0100
On Thu, 15 Mar 2007 01:22:50 -0700, Steve Langasek <vorlon@debian.org> wrote:
> On Thu, Mar 15, 2007 at 08:53:54AM +0100, Vincent Bernat wrote:
>> I am a bit disappointed by the downgrading of the severity of bug
>> #413766. I have filed it under critical with justification "breaks
>> unrelated software". It was downgraded to important without any
>> justification and the discussion in debian-release did not even
>> mention this bug.
> 
> This "breaks unrelated software" only if you have configured that software
> to look at the contents of this package.  Do you intend to also claim
> ca-certificates "breaks unrelated software" every time it drops a CA
> certificate because they determine the certificate authority isn't
> trustworthy?

This is not the case here ! There is only a renaming. The fix is easy and this
bug should stay critical to not slip out of Etch. If a function was renamed in
libc, would you say that it breaks unrelated software only if you have
configured that software to use this function ? The aim of ca-certificates is
to be used by packages requiring certificates. Its "interface" should be
stable.

Please, set back severity to critical to ensure that this bug will be fixed for
Etch and will not be forgotten.





Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>. (full text, mbox, link).


Message #48 received at 413766@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Vincent Bernat <bernat@luffy.cx>
Cc: 413766@bugs.debian.org
Subject: Re: ca-certificates_20070303 breaks unrelated software
Date: Thu, 15 Mar 2007 02:51:09 -0700
On Thu, Mar 15, 2007 at 10:18:23AM +0100, Vincent Bernat wrote:

> On Thu, 15 Mar 2007 01:22:50 -0700, Steve Langasek <vorlon@debian.org> wrote:
> > On Thu, Mar 15, 2007 at 08:53:54AM +0100, Vincent Bernat wrote:
> >> I am a bit disappointed by the downgrading of the severity of bug
> >> #413766. I have filed it under critical with justification "breaks
> >> unrelated software". It was downgraded to important without any
> >> justification and the discussion in debian-release did not even
> >> mention this bug.

> > This "breaks unrelated software" only if you have configured that software
> > to look at the contents of this package.  Do you intend to also claim
> > ca-certificates "breaks unrelated software" every time it drops a CA
> > certificate because they determine the certificate authority isn't
> > trustworthy?

> This is not the case here ! There is only a renaming.

You didn't answer my question.

> The fix is easy and this bug should stay critical to not slip out of Etch.
> If a function was renamed in libc, would you say that it breaks unrelated
> software only if you have configured that software to use this function ?

No, because it wouldn't break any unrelated software; it would only break
*related* software.  That would be treated as a serious bug -- the same as a
bug where libc dropped a function.

And it would be treated such because library functions are something we
guarantee.  Interfaces to particular CA certificates, however, are not
something we as a project guarantee.  I understand that it's an inconvenient
upgrade problem for users who link to this certificate, but that doesn't
make it 'critical'.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>. (full text, mbox, link).


Message #53 received at 413766@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@luffy.cx>
To: Steve Langasek <vorlon@debian.org>
Cc: 413766@bugs.debian.org
Subject: Re: ca-certificates_20070303 breaks unrelated software
Date: Thu, 15 Mar 2007 10:59:18 +0100
>> > This "breaks unrelated software" only if you have configured that
>> > software
>> > to look at the contents of this package.  Do you intend to also claim
>> > ca-certificates "breaks unrelated software" every time it drops a CA
>> > certificate because they determine the certificate authority isn't
>> > trustworthy?
> 
>> This is not the case here ! There is only a renaming.
> 
> You didn't answer my question.

The implied answer was "no".

>> The fix is easy and this bug should stay critical to not slip out of  Etch.
>> If a function was renamed in libc, would you say that it breaks unrelated
>> software only if you have configured that software to use this function ?
> 
> No, because it wouldn't break any unrelated software; it would only break
> *related* software.  That would be treated as a serious bug -- the same as
> a bug where libc dropped a function.

OK, I get the point.

> And it would be treated such because library functions are something we
> guarantee.  Interfaces to particular CA certificates, however, are not
> something we as a project guarantee.  I understand that it's an
> inconvenient
> upgrade problem for users who link to this certificate, but that doesn't
> make it 'critical'.

Well, I hope that the fix will go into Etch since it will permit a smooth upgrade
for people using ca-certificates from bpo and relying on the CAcert certificate.




Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>. (full text, mbox, link).


Message #58 received at 413766@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@luffy.cx>
To: 413766@bugs.debian.org
Cc: control@bugs.debian.org
Subject: ca-certificates and CAcert
Date: Sun, 08 Apr 2007 08:35:54 +0200
reassign 413766 tech-ctte
thanks

Hi !

I'd like to have some ruling on bug #413766 affecting ca-certificates
package. The last update of this package changes the name of CAcert
certificates, breaking any software like Postfix or Apache relying on
the name of this certificate. The bug was filed as critical but was
downgraded to important by Steve Langasek. While I finally agree with
him on the strict technical plan on the meaning of important and
serious, I still think this is a serious bug that should be fixed for
Etch.

ca-certificates in Sarge does not contain CAcert certificate, so no
breakage here. However, it is present in backports.org and even if it is
not officially supported, it is really easy to provide a smooth
upgrade path for people using this package from backports.org (which is
the cleanest way for me to add CAcert certificate to a Sarge system if
you already use backports.org).

Maintainer of ca-certificates never acknowledged this bug. He has just
agreed to bypass Etch freeze, without any mention of this bug. I think
he just doesn't care.

My main argument is : it will bother people relying on CAcert
certificate _and_ it is really easy to fix.
-- 
I WILL NOT SELL SCHOOL PROPERTY
I WILL NOT SELL SCHOOL PROPERTY
I WILL NOT SELL SCHOOL PROPERTY
-+- Bart Simpson on chalkboard in episode 7F10



Bug reassigned from package `ca-certificates' to `tech-ctte'. Request was from Vincent Bernat <bernat@luffy.cx> to control@bugs.debian.org. (Sun, 08 Apr 2007 06:39:03 GMT) (full text, mbox, link).


Bug reassigned from package `tech-ctte' to `ca-certificates'. Request was from Bdale Garbee <bdale@gag.com> to control@bugs.debian.org. (Mon, 09 Apr 2007 00:33:01 GMT) (full text, mbox, link).


Reply sent to Philipp Kern <pkern@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Vincent Bernat <bernat@luffy.cx>:
Bug acknowledged by developer. (full text, mbox, link).


Message #67 received at 413766-close@bugs.debian.org (full text, mbox, reply):

From: Philipp Kern <pkern@debian.org>
To: 413766-close@bugs.debian.org
Subject: Bug#413766: fixed in ca-certificates 20080809
Date: Sat, 09 Aug 2008 21:02:04 +0000
Source: ca-certificates
Source-Version: 20080809

We believe that the bug you reported is fixed in the latest version of
ca-certificates, which is due to be installed in the Debian FTP archive:

ca-certificates_20080809.dsc
  to pool/main/c/ca-certificates/ca-certificates_20080809.dsc
ca-certificates_20080809.tar.gz
  to pool/main/c/ca-certificates/ca-certificates_20080809.tar.gz
ca-certificates_20080809_all.deb
  to pool/main/c/ca-certificates/ca-certificates_20080809_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 413766@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Philipp Kern <pkern@debian.org> (supplier of updated ca-certificates package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 09 Aug 2008 14:58:24 -0300
Source: ca-certificates
Binary: ca-certificates
Architecture: source all
Version: 20080809
Distribution: unstable
Urgency: low
Maintainer: Philipp Kern <pkern@debian.org>
Changed-By: Philipp Kern <pkern@debian.org>
Description: 
 ca-certificates - Common CA certificates
Closes: 413766 494343
Changes: 
 ca-certificates (20080809) unstable; urgency=low
 .
   * New cacert.org.pem joining both CACert Class 1 and Class 3 certificates.
     This file can be used for proper certificate chaining if CACert
     server certificates are used.  The old class3.pem and root.pem
     certificates are deprecated.  This new file could safely serve as
     a replacement for both.  (Closes: #494343)
   * This also reintroduces the old name for the CACert certificate,
     thus closing a long-standing bug about its rename to root.crt.
     (Closes: #413766)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkieBL4ACgkQ7Ro5M7LPzdiy7QCfem82I48v9EPO8xAiiLki2xL4
k5MAoLYr9hp+rT3vUWEcLU3l+KjM3set
=9r8S
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 23 Sep 2008 07:30:23 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jul 16 02:58:05 2024; Machine Name: buxtehude
