> What is this list you refer to?

Probably non-existent. I just assumed (hoped) there'd be a set of rules or a list of packages for which regular updates are considered security relevant even if there are not exactly bugs to fix; and I think ca-certificates might deserve to be on such a list.

The ideal situation for ca-certificates would of course be something else: some kind of package-independent update infrastructure, like those for clamav, razor, and so on.

On further thought I may have overrated this issue. Systems that stay off the internet 100% of their lifetime (and only dial in to other isolated systems for application-specific data updates) don't need ca-certificates at all.

It's satisfying (and reassuring as to staying with Debian) to know that the intention is to maintain ca-certificates for as long as a release is the stable one, anyway; squeeze just fell victim to a compatibility-breaking openssl update at a bad time just before a ca-certificates update round.

So thanks for all your efforts! And maybe I should stop filling the list of misunderstandings in this discussion ;-)

Regards
Christoph