Hi,

On Fri, Jul 21, 2017 at 11:03:22PM +0200, Moritz Mühlenhoff wrote:
> On Fri, Jul 21, 2017 at 09:51:45AM -0400, Antoine Beaupré wrote:
> > On 2017-07-20 18:15:00, Philipp Kern wrote:
> > > On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
> > >> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
> > >> just a tiny part of it: one text file, more or less.
> > >
> > > Yeah, and the consensus of the world external to Debian seems to be that
> > > this might not be the smartest choice.
> >
> > I'm not sure I understand what you are proposing as an alternative
> > here. Should we stop shipping ca-certificates? Or make it a binary
> > package of the NSS source package?
>
> Most distros rebase to the latest NSS release across all supported suites.
>
> We also did this once or twice in -security (for changes which were too
> intrusive to backport) and upstream apparently usually supports this.
>
> But it's quite some effort to test all the reverse deps (that's why
> backporting isolated fixes is easier in such cases) to ensure no breakage
> creeps in, so this would need a volunteer to deal with testing reverse deps.

Which could be mitigated via p-u since this at least allows others
(including machines that build all the rdeps and run the autopkg tests)
to see things before they hit everybody running stable.

Cheers,
 -- Guido