On 6/5/20 4:15 AM, Adrian Bunk wrote:
Compared to 20200601 and 20200601~deb10u1 this contains the following
additional files:
/usr/share/ca-certificates/mozilla/AddTrust_Low-Value_Services_Root.crt
/usr/share/ca-certificates/mozilla/Camerfirma_Chambers_of_Commerce_Root.crt
/usr/share/ca-certificates/mozilla/Camerfirma_Global_Chambersign_Root.crt
/usr/share/ca-certificates/mozilla/Certum_Root_CA.crt
/usr/share/ca-certificates/mozilla/D-TRUST_Root_CA_3_2013.crt
/usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
/usr/share/doc/ca-certificates/NEWS.Debian.gz
The additional NEWS.Debian.gz is either correct or harmless,
the additional certificates are not.
This is due to the backport missing the "Remove email-only roots from
mozilla trust store" (#721976) change that is in 20200601.
Great catch, thanks, result of using currentver~debXuY as discussed with
some people for better update recognition, while backporting as little
as possible. I was diffing 20161130+nmu1+deb9u1 to
ca-certificates-20200601~deb9u1, so this is also a good check the other
direction.
I hadn't removed d/NEWS, which was dropped in later versions.
I also had not modified certdata2pem.py from the latest. I will take a
look at the changes for #721976 and see if it seems ok, I think the
email root removal backport is reasonable.
Please update the stretch-pu request with that fixed and let me know
when the corrected debdiff is approved.
Will do, thank you for the feedback.
--
Kind regards,
Michael
