Control: reassign -1 postfix-mta-sts-resolver

On Mon, Nov 08, 2021 at 03:57:00PM +0200, Adrian Bunk wrote:
> On Tue, Oct 19, 2021 at 09:13:56AM +0200, Julien Cristau wrote:
> > On Mon, Oct 18, 2021 at 11:05:14PM +0200, Kurt Roeckx wrote:
> > > On Mon, Oct 18, 2021 at 10:40:59PM +0200, Julien Cristau wrote:
> > > > On Mon, Oct 18, 2021 at 02:50:50PM +0200, Benjamin Hof wrote:
> > > > > Hi,
> > > > >
> > > > > I think the following change might be the relevant one:
> > > > >
> > > > > --- a/update-ca-certificates > > > > > +++ b/update-ca-certificates 
> > > > > @@ -164,8 +164,6 @@ > > > > > done > > > > > fi > > > > > > > > > > -rm -f "$CERTBUNDLE" > > > > > - > > > > > ADDED_CNT=$(wc -l < "$ADDED") > > > > > REMOVED_CNT=$(wc -l < "$REMOVED")
> > > > >
> > > > > It triggers this stderr output during openssl rehash (l. 184):
> > > > >
> > > > > rehash: warning: skipping ca-certificates.crt,it does not contain
> > > > > exactly one certificate or CRL
> > > > >
> > > > Ah, that makes sense. Annoying...
> > > >
> > > > Kurt/Sebastian, do you think there's a chance openssl rehash could grow
> > > > some sort of ignore option so update-ca-certificates could ask it to
> > > > skip ca-certificates.crt, to avoid spitting out a warning for it?
> > > >
> > > As in rehash all files in that directory, excluding a file? I
> > > guess that's an option. I guess it's not an option to move the
> > > file to a different location.
> > >
> > Exactly. /etc/ssl/certs/ca-certificates.crt is the package's main
> > "interface" so I suspect it'd be quite painful to move. Likewise moving
> > the certs and hash symlinks themselves would break packages/scripts
> > looking them up that way.
> >
> > The other option for me would be to revert the fix for bug #920348.
> >
> In any case, there is nothing happening here specific to
> postfix-mta-sts-resolver, the same problem would happen with
> any other package that does not permit stderr output in the
> autopkgtest when upgrading ca-certificates is tested.
>
> The failing part of the autopkgtest is a testing->unstable upgrade of
> ca-certificates.
>
> Any objections to reassigning this to ca-certificates?
>
After thinking about this a bit more I think ca-certificates is doing
the right thing here, and permitting this stderr output is a reasonable
workaround for affected packages until we can avoid the warning with an
openssl change.

Cheers,
Julien
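
Review bot: removing `rm -f "$CERTBUNDLE"` ahead of the ADDED_CNT/REMOVED_CNT lines leaves ca-certificates.crt in place for the later openssl rehash step (l. 184 per the report), and nothing in the hunk accounts for the "skipping ca-certificates.crt" warning that rehash then writes to stderr. Suggest a comment at the removal site saying why the bundle is now kept, and handling that one known warning for the bundle file only, so that any other rehash output on stderr still surfaces.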