Debian Bug report logs - #867461
jessie-pu: package ca-certificates/20141019+deb8u3

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Antoine Beaupre <anarcat@debian.org>

Date: Thu, 6 Jul 2017 17:51:05 UTC

Severity: normal

Tags: jessie, moreinfo

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, security@team.debian.org, michael@pbandjelly.org, ca-certificates@packages.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Thu, 06 Jul 2017 17:51:08 GMT)

Acknowledgement sent to Antoine Beaupre <anarcat@debian.org>:
New Bug report received and forwarded. Copy sent to security@team.debian.org, michael@pbandjelly.org, ca-certificates@packages.debian.org, Debian Release Team <debian-release@lists.debian.org>. (Thu, 06 Jul 2017 17:51:08 GMT)

Message #5 received at submit@bugs.debian.org:

From: Antoine Beaupre <anarcat@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jessie-pu: package ca-certificates/20141019+deb8u3
Date: Thu, 06 Jul 2017 13:47:29 -0400
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

The ca-certificates package in jessie is still vulnerable to #858539,
that is, it still ships the WoSign and StartCom certificates which have
been marked as blacklisted after October 21st 2016 by the Mozilla
team.

There was an NMU to unstable in May that seems to have trickled down
into stable (stretch) but obviously not oldstable (jessie).

I think it may be worth making an update for this. I have sent a patch
for both jessie and wheezy (the latter of which I can take care of myself)
in the bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858539#66

... and attached.

I wonder, however, if we should not also update the certdata.txt file
to sync with upstream, as this features interesting additions like the
Let's Encrypt root and removal of other certificates:

+ "AC RAIZ FNMT-RCM"
+ "Amazon Root CA 1"
+ "Amazon Root CA 2"
+ "Amazon Root CA 3"
+ "Amazon Root CA 4"
+ "LuxTrust Global Root 2"
+ "Symantec Class 1 Public Primary Certification Authority - G4"
+ "Symantec Class 1 Public Primary Certification Authority - G6"
+ "Symantec Class 2 Public Primary Certification Authority - G4"
+ "Symantec Class 2 Public Primary Certification Authority - G6"
- "Buypass Class 2 CA 1"
- "EBG Elektronik Sertifika Hizmet Saglayicisi"
- "Equifax Secure CA"
- "Equifax Secure Global eBusiness CA"
- "Equifax Secure eBusiness CA 1"
- "IGC/A"
- "Juur-SK"
- "RSA Security 2048 v3"
- "Root CA Generalitat Valenciana"
- "S-TRUST Authentication and Encryption Root CA 2005 PN"
- "Verisign Class 1 Public Primary Certification Authority"
- "Verisign Class 2 Public Primary Certification Authority - G2"
- "Verisign Class 3 Public Primary Certification Authority"

This update, from upstream NSS 2.4 to 2.11, has yet to be uploaded to
unstable however, so I guess this would need to wait for a trickle down
into buster and a synchronous update to stretch/jessie?

In general, this raises the question of whether we want the same
certdata.txt across all suites or we are okay with having that file
out of date in older releases.

Let me know how this should be managed.

A.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
[0001-merge-in-NMU-for-858539-jessie.patch (text/plain, attachment)]
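As an added example (not code from the ca-certificates package or from anyone in this thread), here is a small Python reader for the NSS certdata.txt object layout and a Debian-style blacklist.txt; it computes the "+"/"-" label delta between two certdata.txt revisions in the style of the list above, and shows which blacklisted CAs a build must strip and which trust anchors it actually ships. The certdata.txt attribute names are the real ones; the blacklist layout (one quoted label per line, '#' comments), the sample entries and the helper names are assumptions.

```python
# Added example, not code from the ca-certificates package or this bug report.
# It reads the NSS certdata.txt object layout (CKA_CLASS / CKA_LABEL /
# CKA_TRUST_* lines) and a Debian-style blacklist.txt, then reports what a
# build would actually trust and the "+"/"-" delta between two revisions.

TRUST_CLASSES = {"CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST"}      # current / legacy names
TRUSTED = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}


def parse_certdata(text):
    """Return one {attribute: value} dict per PKCS#11 object in certdata.txt."""
    objects, current, in_octal = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_octal:                     # DER bytes as octal escapes, up to END
            in_octal = line != "END"
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)      # CKA_ATTR  CK_TYPE  value
        if len(parts) < 2:               # e.g. the BEGINDATA marker
            continue
        attr, ctype = parts[0], parts[1]
        value = parts[2] if len(parts) == 3 else ""
        if attr == "CKA_CLASS":          # every object starts with its class
            current = {"CKA_CLASS": value}
            objects.append(current)
        elif current is None:
            continue
        elif ctype == "MULTILINE_OCTAL":
            in_octal = True
            current[attr] = "<octal>"
        else:
            current[attr] = value.strip('"') if ctype == "UTF8" else value
    return objects


def server_trusted_labels(text):
    """Labels whose trust object marks them as a server-auth trust anchor.
    Explicit distrust records (CKT_NSS_NOT_TRUSTED) are not counted."""
    return {o.get("CKA_LABEL", "") for o in parse_certdata(text)
            if o["CKA_CLASS"] in TRUST_CLASSES
            and o.get("CKA_TRUST_SERVER_AUTH") in TRUSTED}


def parse_blacklist(text):
    """Assumed Debian blacklist.txt layout: one quoted label per line, '#' comments."""
    return {l.strip().strip('"') for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")}


def shipped_labels(certdata, blacklist):
    """What a package build installs: trust anchors minus the blacklist."""
    return server_trusted_labels(certdata) - parse_blacklist(blacklist)


def distrusted_but_present(certdata, blacklist):
    """Blacklisted CAs that certdata.txt alone would still trust; a non-empty
    result means the build must apply the blacklist (the situation in #858539)."""
    return server_trusted_labels(certdata) & parse_blacklist(blacklist)


def label_delta(old_certdata, new_certdata):
    """'+'/'-' lines in the style of the certdata.txt summary in this bug report."""
    old, new = server_trusted_labels(old_certdata), server_trusted_labels(new_certdata)
    return [f'+ "{l}"' for l in sorted(new - old)] + [f'- "{l}"' for l in sorted(old - new)]


def _sample_entry(label, trust="CKT_NSS_TRUSTED_DELEGATOR"):
    # Constructed, abbreviated entry: the real file also carries CKA_ISSUER,
    # CKA_SERIAL_NUMBER and the full DER certificate in the octal block.
    return f'''#
# Certificate "{label}"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "{label}"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\005\\012
END

# Trust for "{label}"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "{label}"
CKA_TRUST_SERVER_AUTH CK_TRUST {trust}
CKA_TRUST_EMAIL_PROTECTION CK_TRUST {trust}
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
'''


# Constructed stand-ins for the jessie-era file and a newer upstream revision.
OLD_CERTDATA = "BEGINDATA\n" + "".join(_sample_entry(l) for l in [
    "WoSign", "StartCom Certification Authority", "Equifax Secure CA"])
NEW_CERTDATA = "BEGINDATA\n" + "".join(_sample_entry(l) for l in [
    "WoSign", "StartCom Certification Authority", "Amazon Root CA 1",
    "ISRG Root X1"]) + _sample_entry("Distrusted Example CA", "CKT_NSS_NOT_TRUSTED")
BLACKLIST = '''# Constructed blacklist.txt (assumed Debian layout)
"WoSign"
"StartCom Certification Authority"
'''

if __name__ == "__main__":
    for line in label_delta(OLD_CERTDATA, NEW_CERTDATA):
        print(line)
    print("still trusted without blacklist:",
          sorted(distrusted_but_present(NEW_CERTDATA, BLACKLIST)))
    print("shipped:", sorted(shipped_labels(NEW_CERTDATA, BLACKLIST)))
```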

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Thu, 06 Jul 2017 18:03:08 GMT)

Acknowledgement sent to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 06 Jul 2017 18:03:08 GMT)

Message #10 received at 867461@bugs.debian.org:

From: Antoine Beaupré <anarcat@orangeseeds.org>
To: Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org
Cc: debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
Subject: should ca-certificates certdata.txt synchronize across all suites?
Date: Thu, 06 Jul 2017 14:01:23 -0400
Hi everyone,

In looking at fixing #858539 (blocking WoSign and StartCom, in CC) for
wheezy, I noticed the issue was also pending in jessie. Furthermore, the
idea originally raised by pabs[1] was to also update the packages for
the latest changes in certdata.txt in wheezy, including the ISRG Root
for Let's Encrypt (LE).

While it should be fairly trivial to do this update, I wonder if the
same logic should apply to jessie itself. Right now, jessie and stretch
are synchronized, but that's only because there's an update pending in
unstable to synchronize with the upstream 2.11 NSS database.

This raises the question of how synchronized we want this file to be? It
seems a little arbitrary to me to synchronize the file from jessie to
wheezy only for this one certificate authority (LE). How about the other
authorities? It doesn't seem like we should be calling the shots on
this: if we follow the Mozilla policies here, either we update all
supported suites at once, or we accept that some suites will have
outdated material.

I have therefore opened this specific discussion with the release team
in #867461 (in CC as well). Hopefully this will bring a consistent
policy.

For what it's worth, my opinion is that we should attempt to synchronize
certdata.txt (and blacklist.txt, for that matter) across all suites (but
not other changes to the packaging). This would remove another decision
point in our infrastructure and ensure harmonious X509 processing across
suites.

[1]: https://lists.debian.org/1490430746.9127.2.camel@debian.org

Thanks for any feedback. For now I'll hold on another week or so for the
wheezy update, since it seems unreasonable to push that update out
before jessie is updated and that question is resolved.

A.

-- 
We won't have a society if we destroy the environment.
                        - Margaret Mead



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Fri, 07 Jul 2017 04:18:04 GMT)

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 07 Jul 2017 04:18:04 GMT)

Message #15 received at 867461@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Antoine Beaupré <anarcat@orangeseeds.org>
Cc: Michael Shuler <michael@pbandjelly.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
Date: Fri, 7 Jul 2017 12:13:59 +0800
On Fri, Jul 7, 2017 at 2:01 AM, Antoine Beaupré wrote:

> For what it's worth, my opinion is that we should attempt to synchronize
> certdata.txt (and blacklist.txt, for that matter) across all suites (but
> not other changes to the packaging). This would remove another decision
> point in our infrastructure and ensure harmonious X509 processing across
> suites.

I would like to see that happen too.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Fri, 07 Jul 2017 14:00:05 GMT)

Acknowledgement sent to Philipp Kern <pkern@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 07 Jul 2017 14:00:05 GMT)

Message #20 received at 867461@bugs.debian.org:

From: Philipp Kern <pkern@debian.org>
To: Antoine Beaupré <anarcat@orangeseeds.org>, Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org
Cc: debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
Date: Fri, 7 Jul 2017 15:57:35 +0200
On 07/06/2017 08:01 PM, Antoine Beaupré wrote:
> In looking at fixing #858539 (blocking WoSign and StartCom, in CC) for
> wheezy, I noticed the issue was also pending in jessie. Furthermore, the
> idea originally raised by pabs[1] was to also update the packages for
> the latest changes in certdata.txt in wheezy, including the ISRG Root
> for Let's Encrypt (LE).
> 
> While it should be fairly trivial to do this update, I wonder if the
> same logic should apply to jessie itself. Right now, jessie and stretch
> are synchronized, but that's only because there's an update pending in
> unstable to synchronize with the upstream 2.11 NSS database.
> 
> This raises the question of how synchronized we want this file to be? It
> seems a little arbitrary to me to synchronize the file from jessie to
> wheezy only for this one certificate authority (LE). How about the other
> authorities? It doesn't seem like we should be calling the shots on
> this: if we follow the Mozilla policies here, either we update all
> supported suites at once, or we accept that some suites will have
> outdated material.
> 
> I have therefore opened this specific discussion with the release team
> in #867461 (in CC as well). Hopefully this will bring a consistent
> policy.
> 
> For what it's worth, my opinion is that we should attempt to synchronize
> certdata.txt (and blacklist.txt, for that matter) across all suites (but
> not other changes to the packaging). This would remove another decision
> point in our infrastructure and ensure harmonious X509 processing across
> suites.
> 
> [1]: https://lists.debian.org/1490430746.9127.2.camel@debian.org
> 
> Thanks for any feedback. For now I'll hold on another week or so for the
> wheezy update, since it seems unreasonable to push that update out
> before jessie is updated and that question is resolved.

But it's not just about certdata.txt. The WoSign and StartCom distrust
was actually hardcoded in NSS and hence what Mozilla enforced in NSS we
couldn't check in any other tools using ca-certificates. We also do not
sync the NSS version or backport the cert checks when such distrusts
happen. So we can only react in a similar way when the time for full
distrust has come (which is sort of the case now with these two),
otherwise we diverge in logic and potentially break users with different
expectations[1].

Kind regards
Philipp Kern

[1] If they are realistic is another question.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Fri, 07 Jul 2017 14:06:04 GMT)

Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 07 Jul 2017 14:06:04 GMT)

Message #25 received at 867461@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: Philipp Kern <pkern@debian.org>
Cc: Antoine Beaupré <anarcat@orangeseeds.org>, Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
Date: Fri, 7 Jul 2017 16:02:51 +0200
On Fri, Jul 07, 2017 at 03:57:35PM +0200, Philipp Kern wrote:
> On 07/06/2017 08:01 PM, Antoine Beaupré wrote:
> > In looking at fixing #858539 (blocking WoSign and StartCom, in CC) for
> > wheezy, I noticed the issue was also pending in jessie. Furthermore, the
> > idea originally raised by pabs[1] was to also update the packages for
> > the latest changes in certdata.txt in wheezy, including the ISRG Root
> > for Let's Encrypt (LE).
> > 
> > While it should be fairly trivial to do this update, I wonder if the
> > same logic should apply to jessie itself. Right now, jessie and stretch
> > are synchronized, but that's only because there's an update pending in
> > unstable to synchronize with the upstream 2.11 NSS database.
> > 
> > This raises the question of how synchronized we want this file to be? It
> > seems a little arbitrary to me to synchronize the file from jessie to
> > wheezy only for this one certificate authority (LE). How about the other
> > authorities? It doesn't seem like we should be calling the shots on
> > this: if we follow the Mozilla policies here, either we update all
> > supported suites at once, or we accept that some suites will have
> > outdated material.
> > 
> > I have therefore opened this specific discussion with the release team
> > in #867461 (in CC as well). Hopefully this will bring a consistent
> > policy.
> > 
> > For what it's worth, my opinion is that we should attempt to synchronize
> > certdata.txt (and blacklist.txt, for that matter) across all suites (but
> > not other changes to the packaging). This would remove another decision
> > point in our infrastructure and ensure harmonious X509 processing across
> > suites.
> > 
> > [1]: https://lists.debian.org/1490430746.9127.2.camel@debian.org
> > 
> > Thanks for any feedback. For now I'll hold on another week or so for the
> > wheezy update, since it seems unreasonable to push that update out
> > before jessie is updated and that question is resolved.
> 
> But it's not just about certdata.txt. The WoSign and StartCom distrust
> was actually hardcoded in NSS and hence what Mozilla enforced in NSS we
> couldn't check in any other tools using ca-certificates. We also do not
> sync the NSS version or backport the cert checks when such distrusts
> happen. So we can only react in a similar way when the time for full
> distrust has come (which is sort of the case now with these two),
> otherwise we diverge in logic and potentially break users with different
> expectations[1].

Which brings us back to #824872 (same nss/nspr in all suites). We're
basically shipping new NSS with firefox / thunderbird but not for the
rest.
 -- Guido

> 
> Kind regards
> Philipp Kern
> 
> [1] If they are realistic is another question.
> 
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Mon, 17 Jul 2017 19:45:12 GMT)

Acknowledgement sent to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 17 Jul 2017 19:45:12 GMT)

Message #30 received at 867461@bugs.debian.org:

From: Antoine Beaupré <anarcat@orangeseeds.org>
To: Guido Günther <agx@sigxcpu.org>, Philipp Kern <pkern@debian.org>
Cc: Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
Date: Mon, 17 Jul 2017 15:41:05 -0400
On 2017-07-07 16:02:51, Guido Günther wrote:
> On Fri, Jul 07, 2017 at 03:57:35PM +0200, Philipp Kern wrote:
>> On 07/06/2017 08:01 PM, Antoine Beaupré wrote:
>> > In looking at fixing #858539 (blocking WoSign and StartCom, in CC) for
>> > wheezy, I noticed the issue was also pending in jessie. Furthermore, the
>> > idea originally raised by pabs[1] was to also update the packages for
>> > the latest changes in certdata.txt in wheezy, including the ISRG Root
>> > for Let's Encrypt (LE).
>> > 
>> > While it should be fairly trivial to do this update, I wonder if the
>> > same logic should apply to jessie itself. Right now, jessie and stretch
>> > are synchronized, but that's only because there's an update pending in
>> > unstable to synchronize with the upstream 2.11 NSS database.
>> > 
>> > This raises the question of how synchronized we want this file to be? It
>> > seems a little arbitrary to me to synchronize the file from jessie to
>> > wheezy only for this one certificate authority (LE). How about the other
>> > authorities? It doesn't seem like we should be calling the shots on
>> > this: if we follow the Mozilla policies here, either we update all
>> > supported suites at once, or we accept that some suites will have
>> > outdated material.
>> > 
>> > I have therefore opened this specific discussion with the release team
>> > in #867461 (in CC as well). Hopefully this will bring a consistent
>> > policy.
>> > 
>> > For what it's worth, my opinion is that we should attempt to synchronize
>> > certdata.txt (and blacklist.txt, for that matter) across all suites (but
>> > not other changes to the packaging). This would remove another decision
>> > point in our infrastructure and ensure harmonious X509 processing across
>> > suites.
>> > 
>> > [1]: https://lists.debian.org/1490430746.9127.2.camel@debian.org
>> > 
>> > Thanks for any feedback. For now I'll hold on another week or so for the
>> > wheezy update, since it seems unreasonable to push that update out
>> > before jessie is updated and that question is resolved.
>> 
>> But it's not just about certdata.txt. The WoSign and StartCom distrust
>> was actually hardcoded in NSS and hence what Mozilla enforced in NSS we
>> couldn't check in any other tools using ca-certificates. We also do not
>> sync the NSS version or backport the cert checks when such distrusts
>> happen. So we can only react in a similar way when the time for full
>> distrust has come (which is sort of the case now with these two),
>> otherwise we diverge in logic and potentially break users with different
>> expectations[1].
>
> Which brings us back to #824872 (same nss/nspr in all suites). We're
> basically shipping new NSS with firefox / thunderbird but not for the
> rest.

Let's not jump the gun here. We're not shipping NSS in ca-certificates,
just a tiny part of it: one text file, more or less.

Also, what Mozilla enforced in NSS, we enforced in ca-certificates in
other ways, through the use of a blacklist.txt file. So we can
definitely fix #858539 without syncing all of NSS to wheezy.

The proposed patch here is more or less only to merge that very file,
blacklist.txt. The *other* thing proposed to the release team (in
#867461) is to sync the *other* changes to certdata.txt from sid. But
considering *that* work seems mostly stalled, I wonder how hard to push
on that. Of course, we could also just decide, in LTS, to sync with
jessie at least: we do not need release-team approval for this. This
would be (let's be honest here) really to get Let's Encrypt directly in
wheezy, and I think it would be worthwhile.

Also I would very well see another NMU that would release those new
changes and sync up ca-certificates with NSS, at least in sid. Then it
could trickle down to buster, and from there, if everyone is okay,
trickle down to all suites. But that discussion concerns mostly the
release team and the maintainer at this point.

I'm not sure I want to bring back the question of syncing NSS across all
suites here again. It's a different question: NSS is a library, not
just a set of policies and certificates (which is, after all, what
ca-certificates is). Backporting it forcefully across all suites
may/will have an impact on programs that link against it, something that
we won't have with ca-certificates.

So while I would like NSS to be sync'd across suites as well, I'd like
to keep the questions separate here because ca-certificates is easier to
fix.

Thanks for your feedback, keep it coming.

A.

-- 
Man builds houses because he is alive, but he writes books because he
knows he is mortal.
                        - Daniel Pennac, Comme un roman



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Wed, 19 Jul 2017 16:39:06 GMT)

Acknowledgement sent to Michael Shuler <michael@pbandjelly.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 19 Jul 2017 16:39:06 GMT)

Message #35 received at 867461@bugs.debian.org:

From: Michael Shuler <michael@pbandjelly.org>
To: Paul Wise <pabs@debian.org>, 858539@bugs.debian.org, Antoine Beaupré <anarcat@orangeseeds.org>
Cc: ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 867461@bugs.debian.org
Subject: Re: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Date: Wed, 19 Jul 2017 11:35:56 -0500
On 07/06/2017 11:13 PM, Paul Wise wrote:
> On Fri, Jul 7, 2017 at 2:01 AM, Antoine Beaupré wrote:
> 
>> For what it's worth, my opinion is that we should attempt to synchronize
>> certdata.txt (and blacklist.txt, for that matter) across all suites (but
>> not other changes to the packaging). This would remove another decision
>> point in our infrastructure and ensure harmonious X509 processing across
>> suites.
> 
> I would like to see that happen too.

I spent a few sessions over the past few days getting the mozilla bundle
2.14 committed to all the suite branches wheezy and newer. I have some
more verification to work on and I'll get some packages rolled up and
tested for all the suites.

I appreciate the notes here!

-- 
Kind regards,
Michael



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Wed, 19 Jul 2017 16:57:10 GMT)

Acknowledgement sent to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 19 Jul 2017 16:57:10 GMT)

Message #40 received at 867461@bugs.debian.org:

From: Antoine Beaupré <anarcat@orangeseeds.org>
To: Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, 858539@bugs.debian.org
Cc: ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 867461@bugs.debian.org
Subject: Re: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Date: Wed, 19 Jul 2017 12:52:39 -0400
On 2017-07-19 11:35:56, Michael Shuler wrote:
> On 07/06/2017 11:13 PM, Paul Wise wrote:
>> On Fri, Jul 7, 2017 at 2:01 AM, Antoine Beaupré wrote:
>> 
>>> For what it's worth, my opinion is that we should attempt to synchronize
>>> certdata.txt (and blacklist.txt, for that matter) across all suites (but
>>> not other changes to the packaging). This would remove another decision
>>> point in our infrastructure and ensure harmonious X509 processing across
>>> suites.
>> 
>> I would like to see that happen too.
>
> I spent a few sessions over the past few days getting the mozilla bundle
> 2.14 committed to all the suite branches wheezy and newer. I have some
> more verification to work on and I'll get some packages rolled up and
> tested for all the suites.
>
> I appreciate the notes here!

Thanks!

Let us know if you need help with the LTS bits.

a.

-- 
The greatness and worth of a nation can be judged by the way it treats
its animals.
                        - Mahatma Gandhi



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Thu, 20 Jul 2017 16:18:04 GMT)

Acknowledgement sent to Philipp Kern <pkern@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 20 Jul 2017 16:18:04 GMT)

Message #45 received at 867461@bugs.debian.org:

From: Philipp Kern <pkern@debian.org>
To: Antoine Beaupré <anarcat@orangeseeds.org>, Guido Günther <agx@sigxcpu.org>
Cc: Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
Date: Thu, 20 Jul 2017 18:15:00 +0200
On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
> just a tiny part of it: one text file, more or less.

Yeah, and the consensus of the world external to Debian seems to be that
this might not be the smartest choice.

> Also, what Mozilla enforced in NSS, we enforced in ca-certificates in
> other ways, through the use of a blacklist.txt file. So we can
> definitely fix #858539 without syncing all of NSS to wheezy.

That is incorrect. nss/lib/certhigh/certvfy.c contains code specific to
the StartCom/WoSign mitigation. Now the time has come for full distrust,
we can sync dropping the certs entirely by adding them to blacklist.txt,
sure. (Although they will continue to live on in the NSS source
additionally.)

But my point stands that in the next round of distrust (say, uh,
Symantec), we might actually need to push code changes to NSS.

> The proposed patch here, is more or less only to merge that very file,
> blacklist.txt. The *other* thing proposed to the release team (in
> #867461) is to sync the *other* changes to certdata.txt from sid. But
> considering *that* work seems mostly stalled, I wonder how hard to push
> on that. Of course, we could also just decide, in LTS, to sync with
> jessie at least: we do not need release-team approval for this. This
> would be (let's be honest here) really to get Let's Encrypt directly in
> wheezy, and I think it would be worthwhile.

I think it's useful to phrase the goal which is:

- Remove StartCom
- Remove WoSign
- Add Let's Encrypt

Which is easier to get behind than "should we synchronize the file".

What's the timeline on Let's Encrypt dropping the cross certification?
Is that actually planned? Because the whole point of that was that
adding LE directly isn't actually critical. (And people should use the
chain provided by ACME rather than relying on certificates shipped by
Debian.)

Kind regards
Philipp Kern

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Fri, 21 Jul 2017 13:54:04 GMT)

Acknowledgement sent to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 21 Jul 2017 13:54:04 GMT)

Message #50 received at 867461@bugs.debian.org:

From: Antoine Beaupré <anarcat@orangeseeds.org>
To: Philipp Kern <pkern@debian.org>, Guido Günther <agx@sigxcpu.org>
Cc: Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
Date: Fri, 21 Jul 2017 09:51:45 -0400
On 2017-07-20 18:15:00, Philipp Kern wrote:
> On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
>> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
>> just a tiny part of it: one text file, more or less.
>
> Yeah, and the consensus of the world external to Debian seems to be that
> this might not be the smartest choice.

I'm not sure I understand what you are proposing as an alternative
here. Should we stop shipping ca-certificates? Or make it a binary
package of the NSS source package?

>> Also, what Mozilla enforced in NSS, we enforced in ca-certificates in
>> other ways, through the use of a blacklist.txt file. So we can
>> definitely fix #858539 without syncing all of NSS to wheezy.
>
> That is incorrect. nss/lib/certhigh/certvfy.c contains code specific to
> the StartCom/WoSign mitigation. Now the time has come for full distrust,
> we can sync dropping the certs entirely by adding them to blacklist.txt,
> sure. (Although they will continue to live on in the NSS source
> additionally.)

I don't understand this: how is it incorrect? #858539 applies only to
ca-certificates, and can be fixed without patching NSS.

Now to update the NSS package itself is another question, again.

> But my point stands that in the next round of distrust (say, uh,
> Symantec), we might actually need to push code changes to NSS.

Sure, but that doesn't necessarily affect ca-certificates directly, in
that we can update ca-certificates orthogonally right now.

>> The proposed patch here, is more or less only to merge that very file,
>> blacklist.txt. The *other* thing proposed to the release team (in
>> #867461) is to sync the *other* changes to certdata.txt from sid. But
>> considering *that* work seems mostly stalled, I wonder how hard to push
>> on that. Of course, we could also just decide, in LTS, to sync with
>> jessie at least: we do not need release-team approval for this. This
>> would be (let's be honest here) really to get Let's Encrypt directly in
>> wheezy, and I think it would be worthwhile.
>
> I think it's useful to phrase the goal which is:
>
> - Remove StartCom
> - Remove WoSign
> - Add Let's Encrypt
>
> Which is easier to get behind than "should we synchronize the file".

Sure. The point I was trying to make here was that we seem to be
favoring certain well-known CAs over other less well-known. I'm actually
with that (e.g. because I don't like Amazon very much), but I'm not sure
that's a position that should be reflected in our work.

> What's the timeline on Let's Encrypt dropping the cross certification?
> Is that actually planned? Because the whole point of that was that
> adding LE directly isn't actually critical. (And people should use the
> chain provided by ACME rather than relying on certificates shipped by
> Debian.)

I can't answer those questions, unfortunately, but it's a fair point.

Pabs? What was the idea behind migrating LE down to wheezy?

A.

-- 
Advertising is the invisible dictatorship of our society.
                        - Jacques Ellul



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Fri, 21 Jul 2017 20:51:07 GMT)

Acknowledgement sent to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 21 Jul 2017 20:51:07 GMT)

Message #55 received at 867461@bugs.debian.org:

From: Antoine Beaupré <anarcat@orangeseeds.org>
To: Philipp Kern <pkern@debian.org>
Cc: Guido Günther <agx@sigxcpu.org>, Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org, Kurt Roeckx <kroeckx@debian.org>
Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
Date: Fri, 21 Jul 2017 16:47:23 -0400
On 2017-07-21 22:19:20, Philipp Kern wrote:
> My point was that you state what your delta is and essentially boils 
> down to attaching the diff of what will actually happen to the .deb. I 
> think it's generally fine to add new CAs and remove fully distrusted 
> ones, instead of saying "it should just be in sync with unstable". The 
> latter contains a lot more nuance if you know that some of the rules are 
> only available in code.

Thank you for taking the time to clarify your position, I understand it
much better now. :)

Makes perfect sense, I'll try to be clearer in future communications to
avoid such confusion.

A.

-- 
If triangles had a god, they would give him three sides.
                        - Montesquieu, Lettres persanes



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Fri, 21 Jul 2017 21:06:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 21 Jul 2017 21:06:04 GMT) (full text, mbox, link).


Message #60 received at 867461@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Antoine Beaupré <anarcat@orangeseeds.org>
Cc: Philipp Kern <pkern@debian.org>, Guido Günther <agx@sigxcpu.org>, Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
Date: Fri, 21 Jul 2017 23:03:22 +0200
On Fri, Jul 21, 2017 at 09:51:45AM -0400, Antoine Beaupré wrote:
> On 2017-07-20 18:15:00, Philipp Kern wrote:
> > On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
> >> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
> >> just a tiny part of it: one text file, more or less.
> >
> > Yeah, and the consensus of the world external to Debian seems to be that
> > this might not be the smartest choice.
> 
> I'm not sure I understand what you are proposing as an alternative
> here. Should we stop shipping ca-certificates? Or make it a binary
> package of the NSS source package?

Most distros rebase to the latest NSS release across all supported suites.

We also did this once or twice in -security (for changes which were too
intrusive to backport) and upstream apparently usually supports this.

But it's quite some effort to test all the reverse deps (that's why backporting
isolated fixes is easier in such cases) to ensure no breakage creeps in, so
this would need a volunteer to deal with testing reverse deps.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Fri, 21 Jul 2017 22:03:06 GMT) (full text, mbox, link).


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 21 Jul 2017 22:03:06 GMT) (full text, mbox, link).


Message #65 received at 867461@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Antoine Beaupré <anarcat@orangeseeds.org>, Philipp Kern <pkern@debian.org>, Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
Date: Fri, 21 Jul 2017 23:59:42 +0200
Hi,
On Fri, Jul 21, 2017 at 11:03:22PM +0200, Moritz Mühlenhoff wrote:
> On Fri, Jul 21, 2017 at 09:51:45AM -0400, Antoine Beaupré wrote:
> > On 2017-07-20 18:15:00, Philipp Kern wrote:
> > > On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
> > >> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
> > >> just a tiny part of it: one text file, more or less.
> > >
> > > Yeah, and the consensus of the world external to Debian seems to be that
> > > this might not be the smartest choice.
> > 
> > I'm not sure I understand what you are proposing as an alternative
> > here. Should we stop shipping ca-certificates? Or make it a binary
> > package of the NSS source package?
> 
> Most distros rebase to the latest NSS release across all supported suites.
> 
> We also did this once or twice in -security (for changes which were too
> intrusive to backport) and upstream apparently usually supports this.
> 
> But it's quite some effort to test all the reverse deps (that's why backporting
> isolated fixes is easier in such cases) to ensure no breakage creeps in, so
> this would need a volunteer to deal with testing reverse deps.

Which could be mitigated via p-u since this at least allows others
(including machines that build all the rdeps and run the autopkg tests)
to see things before they hit everybody running stable.
Cheers,
 -- Guido



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Sat, 22 Jul 2017 09:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 22 Jul 2017 09:45:04 GMT) (full text, mbox, link).


Message #70 received at 867461@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: Antoine Beaupré <anarcat@orangeseeds.org>
Cc: Philipp Kern <pkern@debian.org>, Guido Günther <agx@sigxcpu.org>, Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
Date: Sat, 22 Jul 2017 11:43:07 +0200
On Fri, Jul 21, 2017 at 04:47:23PM -0400, Antoine Beaupré wrote:
> On 2017-07-21 22:19:20, Philipp Kern wrote:
> > My point was that you state what your delta is and essentially boils 
> > down to attaching the diff of what will actually happen to the .deb. I 
> > think it's generally fine to add new CAs and remove fully distrusted 
> > ones, instead of saying "it should just be in sync with unstable". The 
> > latter contains a lot more nuance if you know that some of the rules are 
> > only available in code.
> 
> Thank you for taking the time to clarify your position, I understand it
> much better now. :)
> 
> Makes perfect sense, I'll try to be clearer in future communications to
> avoid such confusion.

Mozilla has various extra distrust/partial trust rules that are now
coded in either NSS or Firefox itself. But we're not even using the
distrust/partial trust information currently in certdata.txt.

Other than what is in certdata.txt + code, there are also
certificates that are distrusted by using OneCRL.

I currently see no reason not to ship certdata.txt in all
distributions.

In any case, I think we should try to implement all the rules that
Mozilla applies in all software that deals with certificates. And
at least Mozilla is interested in that, and at least some of the
OpenSSL people would also like to see OpenSSL have more checks
than currently happen.


Kurt
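Added example for the point Kurt makes above about the trust information certdata.txt already carries; this is not code from the ca-certificates package or its certdata2pem.py. It parses a constructed certdata.txt fragment, reads the per-purpose CKA_TRUST_* flags, and applies a Debian-style blacklist.txt of root labels; the labels, the truncated DER bytes and the quoted-label blacklist format are assumptions.

```python
# Added illustration for this thread, not ca-certificates' own certdata2pem.py:
# parse certdata.txt objects, read per-purpose CKA_TRUST_* flags, apply a blacklist.
import re

# Constructed certdata.txt fragment: labels are invented and CKA_VALUE holds only
# the first bytes of a DER certificate, enough to show the \NNN octal decoding.
CERTDATA = r'''CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email Only Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\003
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Blacklisted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\004\004
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Blacklisted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

# Constructed blacklist.txt: one quoted label per line, '#' comments (assumed
# format). A listed root is dropped locally whatever certdata.txt says.
BLACKLIST = '''# distrusted by Debian request, independent of the Mozilla flags
"Example Blacklisted Root"
'''


def parse_certdata(text):
    """Return the objects in certdata.txt as dicts; MULTILINE_OCTAL values become bytes."""
    objects, lines = [], iter(text.splitlines())
    for line in lines:
        attr, typ, rest = (line.strip().split(None, 2) + ["", "", ""])[:3]
        if not attr or attr.startswith("#") or attr == "BEGINDATA":
            continue
        if attr == "CKA_CLASS":            # every object opens with its class
            objects.append({})
        if typ == "MULTILINE_OCTAL":       # \NNN escapes up to a lone END line
            octets = []
            for body in lines:
                if body.strip() == "END":
                    break
                octets.append(body)
            rest = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "".join(octets)))
        elif typ == "UTF8":
            rest = rest.strip('"')
        objects[-1][attr] = rest
    return objects


def load_blacklist(text):
    """Labels to drop: one quoted label per line, '#' starts a comment."""
    entries = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return {l.strip('"') for l in entries if l}


def classify_roots(certdata_text, blacklist_text, purpose="CKA_TRUST_SERVER_AUTH"):
    """Per root label, say whether it would be exported as an anchor for `purpose`.

    The local blacklist wins; then the explicit CKT_NSS_NOT_TRUSTED flag; only
    CKT_NSS_TRUSTED_DELEGATOR makes an anchor (CKT_NSS_MUST_VERIFY_TRUST does not).
    """
    objects = parse_certdata(certdata_text)
    blacklist = load_blacklist(blacklist_text)
    labels = [o["CKA_LABEL"] for o in objects if o["CKA_CLASS"] == "CKO_CERTIFICATE"]
    trust = {o["CKA_LABEL"]: o for o in objects if o["CKA_CLASS"] == "CKO_NSS_TRUST"}
    verdicts = {}
    for label in labels:
        flag = trust.get(label, {}).get(purpose)
        if label in blacklist:
            verdicts[label] = "blacklisted"
        elif flag == "CKT_NSS_NOT_TRUSTED":
            verdicts[label] = "distrusted-in-certdata"
        elif flag == "CKT_NSS_TRUSTED_DELEGATOR":
            verdicts[label] = "anchor"
        else:
            verdicts[label] = "not-anchor-for-purpose"
    return verdicts
```

Running classify_roots(CERTDATA, BLACKLIST) shows that only the first root is a server-auth anchor: one is email-only (partial trust), one is distrusted by certdata.txt itself, and one is dropped by the local blacklist.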




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Sat, 22 Jul 2017 13:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Philipp Kern <pkern@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 22 Jul 2017 13:45:04 GMT) (full text, mbox, link).


Message #75 received at 867461@bugs.debian.org (full text, mbox, reply):

From: Philipp Kern <pkern@debian.org>
To: Antoine Beaupré <anarcat@orangeseeds.org>
Cc: Guido Günther <agx@sigxcpu.org>, Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org, Kurt Roeckx <kroeckx@debian.org>
Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
Date: Fri, 21 Jul 2017 22:19:20 +0200
On 2017-07-21 15:51, Antoine Beaupré wrote:
> On 2017-07-20 18:15:00, Philipp Kern wrote:
>> On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
>>> Let's not jump the gun here. We're not shipping NSS in 
>>> ca-certificates,
>>> just a tiny part of it: one text file, more or less.
>> Yeah, and the consensus of the world external to Debian seems to be 
>> that
>> this might not be the smartest choice.
> I'm not sure I understand what you are proposing as an alternative
> here. Should we stop shipping ca-certificates? Or make it a binary
> package of the NSS source package?

I don't think anyone has a good answer to this right now as the 
additional restrictions on CAs to implement distrust are generally not 
machine-readable these days and especially not supported cross-library.

>>> Also, what Mozilla enforced in NSS, we enforced in ca-certificates in
>>> other ways, through the use of a blacklist.txt file. So we can
>>> definitely fix #858539 without syncing all of NSS to wheezy.
>> 
>> That is incorrect. nss/lib/certhigh/certvfy.c contains code specific 
>> to
>> the StartCom/WoSign mitigation. Now the time has come for full 
>> distrust,
>> we can sync dropping the certs entirely by adding them to 
>> blacklist.txt,
>> sure. (Although they will continue to live on in the NSS source
>> additionally.)
> 
> I don't understand this: how is it incorrect? #858539 applies only to
> ca-certificates, and can be fixed without patching NSS.
> 
> Now to update the NSS package itself is another question, again.

So that was a mismatch of expectations. You said "what Mozilla enforced 
in NSS" and you meant the full distrust. I meant the partial one. I now 
see [0], which is for the full one, which is fine (which is also what I 
said).

>> But my point stands that in the next round of distrust (say, uh,
>> Symantec), we might actually need to push code changes to NSS.
> 
> Sure, but that doesn't necessarily affect ca-certificates directly, in
> that we can update ca-certificates orthogonally right now.

Sure.

>>> The proposed patch here, is more or less only to merge that very 
>>> file,
>>> blacklist.txt. The *other* thing proposed to the release team (in
>>> #867461) is to sync the *other* changes to certdata.txt from sid. But
>>> considering *that* work seems mostly stalled, I wonder how hard to 
>>> push
>>> on that. Of course, we could also just decide, in LTS, to sync with
>>> jessie at least: we do not need release-team approval for this. This
>>> would be (let's be honest here) really to get Let's Encrypt directly 
>>> in
>>> wheezy, and I think it would be worthwhile.
>> 
>> I think it's useful to phrase the goal which is:
>> 
>> - Remove StartCom
>> - Remove WoSign
>> - Add Let's Encrypt
>> 
>> Which is easier to get behind than "should we synchronize the file".
> 
> Sure. The point I was trying to make here was that we seem to be
> favoring certain well-known CAs over other less well-known. I'm 
> actually
> with that (e.g. because I don't like Amazon very much), but I'm not 
> sure
> that's a position that should be reflected in our work.

My point was that you state what your delta is and essentially boils 
down to attaching the diff of what will actually happen to the .deb. I 
think it's generally fine to add new CAs and remove fully distrusted 
ones, instead of saying "it should just be in sync with unstable". The 
latter contains a lot more nuance if you know that some of the rules are 
only available in code.

Kind regards and thanks for your work
Philipp Kern

[0] 
https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/plain/mozilla/blacklist.txt



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Mon, 02 Oct 2017 20:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to Jacob Hoffman-Andrews <jsha@eff.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 02 Oct 2017 20:33:02 GMT) (full text, mbox, link).


Message #80 received at 867461@bugs.debian.org (full text, mbox, reply):

From: Jacob Hoffman-Andrews <jsha@eff.org>
To: 867461@bugs.debian.org
Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
Date: Mon, 2 Oct 2017 13:13:07 -0700
What's the latest status on this?

Thanks,
Jacob



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Mon, 23 Oct 2017 13:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 23 Oct 2017 13:03:03 GMT) (full text, mbox, link).


Message #85 received at 867461@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@orangeseeds.org>
To: Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, 858539@bugs.debian.org
Cc: ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 867461@bugs.debian.org
Subject: Re: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Date: Mon, 23 Oct 2017 08:59:07 -0400
On 2017-07-19 11:35:56, Michael Shuler wrote:
> On 07/06/2017 11:13 PM, Paul Wise wrote:
>> On Fri, Jul 7, 2017 at 2:01 AM, Antoine Beaupré wrote:
>> 
>>> For what it's worth, my opinion is that we should attempt to synchronize
>>> certdata.txt (and blacklist.txt, for that matter) across all suites (but
>>> not other changes to the packaging). This would remove another decision
>>> point in our infrastructure and ensure harmonious X509 processing across
>>> suites.
>> 
>> I would like to see that happen too.
>
> I spent a few sessions over the past few days getting the mozilla bundle
> 2.14 committed to all the suite branches wheezy and newer. I have some
> more verification to work on and I'll get some packages rolled up and
> tested for all the suites.
>
> I appreciate the notes here!

Hi!

Any update here? According to our records, this issue is still
pending... I see you pushed the updates to wheezy, but didn't upload the
results... Do you need help preparing the upload?

Thanks,

A.

-- 
What people say, what people do, and what they say they do are
entirely different things.
                        - Margaret Mead



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Thu, 21 Dec 2017 10:51:06 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 21 Dec 2017 10:51:06 GMT) (full text, mbox, link).


Message #90 received at 867461@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Michael Shuler <michael@pbandjelly.org>
Cc: Antoine Beaupré <anarcat@orangeseeds.org>, Paul Wise <pabs@debian.org>, 858539@bugs.debian.org, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 867461@bugs.debian.org
Subject: Re: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Date: Thu, 21 Dec 2017 11:47:20 +0100
Hello Michael,

I think this mail went through the cracks as we haven't received a reply
from you so far. Can you let us know the status and whether we can help to
get the wheezy update out?

Cheers,

On Mon, 23 Oct 2017, Antoine Beaupré wrote:
> On 2017-07-19 11:35:56, Michael Shuler wrote:
> > On 07/06/2017 11:13 PM, Paul Wise wrote:
> >> On Fri, Jul 7, 2017 at 2:01 AM, Antoine Beaupré wrote:
> >> 
> >>> For what it's worth, my opinion is that we should attempt to synchronize
> >>> certdata.txt (and blacklist.txt, for that matter) across all suites (but
> >>> not other changes to the packaging). This would remove another decision
> >>> point in our infrastructure and ensure harmonious X509 processing across
> >>> suites.
> >> 
> >> I would like to see that happen too.
> >
> > I spent a few sessions over the past few days getting the mozilla bundle
> > 2.14 committed to all the suite branches wheezy and newer. I have some
> > more verification to work on and I'll get some packages rolled up and
> > tested for all the suites.
> >
> > I appreciate the notes here!
> 
> Hi!
> 
> Any update here? According to our records, this issue is still
> pending... I see you pushed the updates to wheezy, but didn't upload the
> results... Do you need help preparing the upload?
> 
> Thanks,
> 
> A.
> 
> -- 
> What people say, what people do, and what they say they do are
> entirely different things.
>                         - Margaret Mead
> 

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Tue, 09 Jan 2018 07:21:09 GMT) (full text, mbox, link).


Acknowledgement sent to Brian May <bam@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 09 Jan 2018 07:21:09 GMT) (full text, mbox, link).


Message #95 received at 867461@bugs.debian.org (full text, mbox, reply):

From: Brian May <bam@debian.org>
To: Raphael Hertzog <hertzog@debian.org>, Michael Shuler <michael@pbandjelly.org>
Cc: Antoine Beaupré <anarcat@orangeseeds.org>, Paul Wise <pabs@debian.org>, 858539@bugs.debian.org, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 867461@bugs.debian.org
Subject: Re: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Date: Tue, 09 Jan 2018 18:18:18 +1100
Raphael Hertzog <hertzog@debian.org> writes:

> I think this mail went through the cracks as we haven't received a reply
> from you so far. Can you let us know the status and whether we can help to
> get the wheezy update out?

Hello Debian-LTS team:

As we are lacking any response (yet) from Michael Shuler, I am wondering
if we should go ahead and upload the wheezy version anyway?

As far as I can tell, the only change required to the debian-wheezy
branch is that the distribution in the changelog refers to "wheezy"
instead of "wheezy-security".

Regards
-- 
Brian May <bam@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Fri, 12 Jan 2018 09:27:07 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 12 Jan 2018 09:27:07 GMT) (full text, mbox, link).


Message #100 received at 867461@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Brian May <bam@debian.org>
Cc: Michael Shuler <michael@pbandjelly.org>, Antoine Beaupré <anarcat@orangeseeds.org>, Paul Wise <pabs@debian.org>, 858539@bugs.debian.org, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 867461@bugs.debian.org
Subject: Re: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Date: Fri, 12 Jan 2018 10:24:41 +0100
Hi,

On Tue, 09 Jan 2018, Brian May wrote:
> Raphael Hertzog <hertzog@debian.org> writes:
> 
> > I think this mail went through the cracks as we haven't received a reply
> > from you so far. Can you let us know the status and whether we can help to
> > get the wheezy update out?
> 
> Hello Debian-LTS team:
> 
> As we are lacking any response (yet) from Michael Shuler, I am wondering
> if we should go ahead and upload the wheezy version anyway?

Yes, please. I saw reports of failures on IRC due to missing CA
certificates.

10:07 <glandium> ERROR: The certificate of `downloads.sourceforge.net' hasn't got a known issuer.
10:07 <glandium> that still worked a few days ago :(
10:07 <glandium> (on wheezy)

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Fri, 12 Jan 2018 13:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 12 Jan 2018 13:24:03 GMT) (full text, mbox, link).


Message #105 received at 867461@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Raphael Hertzog" <hertzog@debian.org>, "Brian May" <bam@debian.org>, "Michael Shuler" <michael@pbandjelly.org>, "Antoine Beaupré" <anarcat@orangeseeds.org>, "Paul Wise" <pabs@debian.org>, 858539@bugs.debian.org, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 867461@bugs.debian.org
Subject: Re: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Date: Fri, 12 Jan 2018 14:15:37 +0100
On Fri, January 12, 2018 10:24, Raphael Hertzog wrote:
> Hi,
>
> On Tue, 09 Jan 2018, Brian May wrote:
>> Raphael Hertzog <hertzog@debian.org> writes:
>>
>> > I think this mail went through the cracks as we haven't received a
>> reply
>> > from you so far. Can you let us know the status and whether we can
>> help to
>> > get the wheezy update out?
>>
>> Hello Debian-LTS team:
>>
>> As we are lacking any response (yet) from Michael Shuler, I am wondering
>> if we should go ahead and upload the wheezy version anyway?
>
> Yes, please. I saw reports of failures on IRC due to missing CA
> certificates.

As co-maintainer of ca-certificates you have my ok for this change in
wheezy, indeed a good idea.


Cheers,
Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Sun, 14 Jan 2018 21:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Brian May <bam@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 14 Jan 2018 21:15:03 GMT) (full text, mbox, link).


Message #110 received at 867461@bugs.debian.org (full text, mbox, reply):

From: Brian May <bam@debian.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: Michael Shuler <michael@pbandjelly.org>, Antoine Beaupré <anarcat@orangeseeds.org>, Paul Wise <pabs@debian.org>, 858539@bugs.debian.org, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 867461@bugs.debian.org
Subject: Re: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Date: Mon, 15 Jan 2018 08:10:06 +1100
Raphael Hertzog <hertzog@debian.org> writes:

> Yes, please. I saw reports of failures on IRC due to missing CA
> certificates.

Done that now.

Does this deserve a DLA? If so, I have no idea what to include. Maybe
something like:

--- cut ---
This release does a complete update of the CA list. This includes
removing the StartCom and WoSign certificates as they are now
untrusted by the major browser vendors.
--- cut ---

Or do I need more details? e.g. the list of certificates added/removed
from debian/changelog?
-- 
Brian May <bam@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Mon, 15 Jan 2018 09:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to Emilio Pozuelo Monfort <pochu@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 15 Jan 2018 09:24:03 GMT) (full text, mbox, link).


Message #115 received at 867461@bugs.debian.org (full text, mbox, reply):

From: Emilio Pozuelo Monfort <pochu@debian.org>
To: Brian May <bam@debian.org>, Raphael Hertzog <hertzog@debian.org>
Cc: Michael Shuler <michael@pbandjelly.org>, Antoine Beaupré <anarcat@orangeseeds.org>, Paul Wise <pabs@debian.org>, 858539@bugs.debian.org, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 867461@bugs.debian.org
Subject: Re: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Date: Mon, 15 Jan 2018 10:20:52 +0100
On 14/01/18 22:10, Brian May wrote:
> Raphael Hertzog <hertzog@debian.org> writes:
> 
>> Yes, please. I saw reports of failures on IRC due to missing CA
>> certificates.
> 
> Done that now.
> 
> Does this deserve a DLA?

It certainly does. But don't make it a 'security update', but just 'update'. See
e.g. my tzdata advisories.

> If so, I have no idea what to include. Maybe
> something like:
> 
> --- cut ---
> This release does a complete update of the CA list. This includes
> removing the StartCom and WoSign certificates as they are now
> untrusted by the major browser vendors.
> --- cut ---
> 
> Or do I need more details? e.g. the list of certificates added/removed
> from debian/changelog?

That snippet sounds good to me.

Cheers,
Emilio



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Wed, 21 Feb 2018 09:51:05 GMT) (full text, mbox, link).


Acknowledgement sent to vadyba@klientai.eu:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 21 Feb 2018 09:51:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Fri, 08 Jun 2018 20:42:05 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 08 Jun 2018 20:42:05 GMT) (full text, mbox, link).


Message #125 received at 867461@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Antoine Beaupré <anarcat@orangeseeds.org>, 867461@bugs.debian.org, Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, 858539@bugs.debian.org
Cc: ca-certificates@packages.debian.org, debian-lts@lists.debian.org
Subject: Re: Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Date: Fri, 08 Jun 2018 21:37:36 +0100
Control: tags -1 + moreinfo

On Mon, 2017-10-23 at 08:59 -0400, Antoine Beaupré wrote:
> On 2017-07-19 11:35:56, Michael Shuler wrote:
...
> > I spent a few sessions over the past few days getting the mozilla
> > bundle
> > 2.14 committed to all the suite branches wheezy and newer. I have
> > some
> > more verification to work on and I'll get some packages rolled up
> > and
> > tested for all the suites.
> > 
> > I appreciate the notes here!
> 
> Hi!
> 
> Any update here? According to our records, this issue is still
> pending... I see you pushed the updates to wheezy, but didn't upload
> the
> results... Do you need help preparing the upload?
> 

Ping? We're a week away from the final chance to get an update into
jessie-as-oldstable before it becomes jessie-lts.

Regards,

Adam



Added tag(s) moreinfo. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 867461-submit@bugs.debian.org. (Fri, 08 Jun 2018 20:42:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#867461; Package release.debian.org. (Mon, 11 Jun 2018 01:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Shuler <michael@pbandjelly.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 11 Jun 2018 01:36:03 GMT) (full text, mbox, link).


Message #132 received at 867461@bugs.debian.org (full text, mbox, reply):

From: Michael Shuler <michael@pbandjelly.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, Antoine Beaupré <anarcat@orangeseeds.org>, 867461@bugs.debian.org, Paul Wise <pabs@debian.org>, 858539@bugs.debian.org
Cc: ca-certificates@packages.debian.org, debian-lts@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>
Subject: Re: Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Date: Sun, 10 Jun 2018 20:33:08 -0500
On 06/08/2018 03:37 PM, Adam D. Barratt wrote:
> 
> Ping? We're a week away from the final chance to get an update into
> jessie-as-oldstable before it becomes jessie-lts.

Thanks for the ping. I updated the debian-jessie branch of 
ca-certificates with mozilla bundle 2.22, and it's ready to be uploaded.

Thijs, might you have a chance to upload 20141019+deb8u4 to 
jessie-updates? If not, perhaps we can wrangle someone else to help.

commit: ce1498e496b749f71fd96d60942d2c2aa7fdf0ca

$ git diff --stat debian/20141019+deb8u3 debian-jessie
 debian/changelog     |    74 +
 debian/control       |     1 -
 mozilla/certdata.txt | 28220 
+++++++++++++++++++++++++++++++++++++++++++++--------------------------------------------------------------------------
 mozilla/nssckbi.h    |    39 +-
 4 files changed, 10787 insertions(+), 17547 deletions(-)

Thanks all!
-- 
Kind regards,
Michael



Reply sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
You have taken responsibility. (Sun, 17 Jun 2018 19:21:14 GMT) (full text, mbox, link).


Notification sent to Antoine Beaupre <anarcat@debian.org>:
Bug acknowledged by developer. (Sun, 17 Jun 2018 19:21:14 GMT) (full text, mbox, link).


Message #137 received at 867461-done@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Michael Shuler <michael@pbandjelly.org>, 867461-done@bugs.debian.org, Antoine Beaupré <anarcat@orangeseeds.org>, Paul Wise <pabs@debian.org>
Cc: ca-certificates@packages.debian.org, debian-lts@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>
Subject: Re: Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Date: Sun, 17 Jun 2018 20:15:50 +0100
Control: tags -1 + wontfix

On Sun, 2018-06-10 at 20:33 -0500, Michael Shuler wrote:
> On 06/08/2018 03:37 PM, Adam D. Barratt wrote:
> > 
> > Ping? We're a week away from the final chance to get an update into
> > jessie-as-oldstable before it becomes jessie-lts.
> 
> Thanks for the ping. I updated the debian-jessie branch of 
> ca-certificates with mozilla bundle 2.22, and it's ready to be
> uploaded.
> 
> Thijs, might you have a chance to upload 20141019+deb8u4 to 
> jessie-updates? If not, perhaps we can wrangle someone else to help.

Unfortunately there was no reply to the above query, and the window for
getting fixes in to the final point release for jessie (before it moves
to LTS support) has now closed.

Regards,

Adam



Message #138 received at 867461-done@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, Michael Shuler <michael@pbandjelly.org>, 867461-done@bugs.debian.org, Antoine Beaupré <anarcat@orangeseeds.org>, Paul Wise <pabs@debian.org>
Cc: ca-certificates@packages.debian.org, debian-lts@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>
Subject: Re: Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
Date: Sun, 17 Jun 2018 20:43:00 +0100
Adam D. Barratt wrote:

> Unfortunately there was no reply to the above query, and the window for
> getting fixes in to the final point release for jessie (before it moves
> to LTS support) has now closed.

ACK. However, that this occurred is really regrettable. What happened
here so we can avoid it in the future? :(


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Jul 2018 07:29:23 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Nov 21 23:50:25 2024; Machine Name: bembo
