On 12/16/2013 04:37 PM, Christoph Lechleitner wrote:
> Why is the ca-certificates package not in the list of security relevant
> packages?

The Debian Security team does place some importance on keeping ca-certificates updated, as can be seen in various uploads over the years; however, as per release policy, stable release packages are typically not updated for non-RC reasons.

> The outdated ca-certificates make squeeze installations a pain to maintain.

I understand. That was the reason for keeping this bug report open and on my todo list.

> Part of our business is to maintain custom software for squeeze based
> systems that exist more or less offline and will not be updated to
> wheezy or higher for years to come.
> We are therefore forced to maintain build and test systems and pbuilder
> tarballs for squeeze amd64 and i386 - and to keep their installation
> reproducible from scratch by maintaining a partial squeeze mirror.

This sounds like an inherited risk in your business model.

> Backporting one more package and maintaining it for some time should be
> no problem, especially if the package merely contains data files.
>
> I will look into the according squeeze and wheezy source packages as
> soon as I can find time.

It may be easier to look through the git repo, if that helps to see more granular history and the various stable release branches:

  http://anonscm.debian.org/gitweb/?p=collab-maint/ca-certificates.git

> Why does wheezy's ca-certificates package depend on a recent version of
> the openssl binary package?

http://bugs.debian.org/611102

> If it weren't for this dependency, wheezy's ca-certificates package
> could probably be used for squeeze without any changes.

It would.

> Or am I in for a shock once I look into the source package(s)?

What does that even mean?

--
Kind regards,
Michael