Control: tags -1 + pending

On 11/25/2015 11:28 AM, Andrew Ayer wrote:
> ca-certificates hasn't been updated since April 2015. Since then, 14
> CAs have been removed from the NSS root store[1, 2]. ca-certificates in
> stable hasn't been updated since October 2014. Since then, 6 additional
> CAs have been removed[3, 4]. ca-certificates in oldstable is even older.

The April release contained the 2.4 bundle from Mozilla. CA bundle 2.5
was recently released in NSS and an upload to unstable is being prepped.

Main git repo:
http://anonscm.debian.org/cgit/collab-maint/ca-certificates.git

My working git repo (i.e., bundle 2.6 is already branched):
http://anonscm.debian.org/cgit/users/mshuler-guest/ca-certificates.git

> This is concerning because some of the removed CAs have failed or are no
> longer conducting audits, which means we have no idea what security
> practices they are currently following. Applications on Debian
> which use the ca-certificates store still trust these CAs, putting
> users at risk. For example, the e-Guven root certificate, which
> was removed from the NSS store in April due to "insufficient and outdated
> audits"[5, 6], continues to be trusted in stable and oldstable.
>
> First, could we get an update soon to ca-certificates that reflects these
> removals?

Yes.

> Second, could ca-certificates be updated more frequently in the future?
> Security Team, could updates to ca-certificates be pushed out through
> security.debian.org for (old)stable?

For stable/oldstable releases, it may be appropriate for them to go
through the stable-updates suite.

> If there is an issue of manpower, I'm willing to help co-maintain
> ca-certificates (I'm a DM) and prepare packages for security.debian.org.
> We're lucky that Mozilla runs such a great root program: it's thorough
> and responsive, and aligns with Debian's values by being open and
> community-driven. Let's take full advantage of it in Debian!

I try to track upstream releases and attend to bug reports as quickly as
possible, but patches are always welcomed. With several uploaders, I'm
not sure there needs to be another uploader, but sending patches to fix
things in the BTS would certainly be helpful.

Thanks!
Michael
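Until the refreshed bundle reaches (old)stable, an administrator can locally deselect a root that Mozilla has already removed: Debian's /etc/ca-certificates.conf lists the trusted files under /usr/share/ca-certificates, and a line prefixed with "!" is deactivated the next time update-ca-certificates runs. The script below is an added example, not part of this bug thread or the ca-certificates package; it works on a constructed sample of that file with placeholder certificate names, so no real root is named.

```shell
#!/bin/sh
# Added example: deselect a removed root in a ca-certificates.conf file.
# Real file: /etc/ca-certificates.conf; entries look like "mozilla/Name.crt".
# Certificate names used below are placeholders, not real Mozilla file names.

# Report whether NAME is "enabled", "disabled" ("!" prefix) or "absent" in CONF.
ca_status() {
    conf="$1"; name="$2"
    if grep -qxF "$name" "$conf"; then
        echo enabled
    elif grep -qxF "!$name" "$conf"; then
        echo disabled
    else
        echo absent
    fi
}

# Prefix NAME with "!" so update-ca-certificates drops it from the bundle.
# Idempotent; fails (exit 1) if NAME is not listed at all.
ca_disable() {
    conf="$1"; name="$2"
    case "$(ca_status "$conf" "$name")" in
        enabled)
            # Exact-line match; rewrite via a temp file to stay POSIX.
            awk -v n="$name" '$0 == n { print "!" n; next } { print }' \
                "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf" ;;
        disabled) ;;
        absent) return 1 ;;
    esac
    # In production follow this with: update-ca-certificates
}

# Constructed sample conf for demonstration only.
make_sample_conf() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample, not the system file' \
        'mozilla/Example_Removed_Root.crt' \
        'mozilla/Still_Trusted_Root.crt' > "$f"
    echo "$f"
}
```

After editing the real file, run update-ca-certificates so /etc/ssl/certs and ca-certificates.crt are regenerated without the deselected root.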