lp:debian/ca-certificates

Created by James Westby on 2009-12-19 and last modified on 2015-04-26
Get this branch:
bzr branch lp:debian/ca-certificates
Members of Ubuntu branches can upload to this branch. Log in for directions.

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Status:
Development

Recent revisions

32. By Michael Shuler on 2015-04-26

* debian/postinst:
  Set mode and group of /usr/local/share/ca-certificates based on current
  /usr/local permissions and ownership. Closes: #611501
* sbin/update-ca-certificates:
  Allow customisation of the paths used by update-ca-certificates.
  Add an option to set the certs in a directory to the defaults.
  Thanks for the patches, Paul Wise. Closes: #774059, #774201
  Fix shellcheck warnings and a little indentation.
* sbin/update-ca-certificates.8:
  Correct concatenated file name in man page from certificates.crt to
  ca-certificates.crt. Closes: #782230
* mozilla/{certdata.txt,nssckbi.h}:
  Update Mozilla certificate authority bundle to version 2.4.
  The following certificate authorities were added (+):
  + "CFCA EV ROOT"
  + "COMODO RSA Certification Authority"
  + "Entrust Root Certification Authority - EC1"
  + "Entrust Root Certification Authority - G2"
  + "GlobalSign ECC Root CA - R4"
  + "GlobalSign ECC Root CA - R5"
  + "IdenTrust Commercial Root CA 1"
  + "IdenTrust Public Sector Root CA 1"
  + "S-TRUST Universal Root CA"
  + "Staat der Nederlanden EV Root CA"
  + "Staat der Nederlanden Root CA - G3"
  + "USERTrust ECC Certification Authority"
  + "USERTrust RSA Certification Authority" Closes: #762709
  The following certificate authorities were removed (-):
  - "America Online Root Certification Authority 1"
  - "America Online Root Certification Authority 2"
  - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
  - "GTE CyberTrust Global Root"
  - "Thawte Premium Server CA"
  - "Thawte Server CA"

31. By Michael Shuler on 2014-10-19

* debian/copyright:
  Add coverage for all files reported by lintian
  file-without-copyright-information warning.
* debian/source/lintian-overrides:
  Add file-without-copyright-information override for SPI certificate file.
* sbin/update-ca-certificates:
  Restore SELinux label after generating ca-certificates.crt file.
  Thanks to Laurent Bigonville for the patch. Closes: #742957
  Tidy indentation whitespace.
  Thanks to Antonio Terceiro for the patch. Closes: #742663
* debian/control:
  Update to Standards-Version: 3.9.6 (no other changes needed).
  Update Vcs-Browser link to cgit URL.

30. By Michael Shuler on 2014-09-27

* Update Mozilla certificate authority bundle to version 2.1.
  The following certificate authorities were added (+):
  + "DigiCert Assured ID Root G2"
  + "DigiCert Assured ID Root G3"
  + "DigiCert Global Root G2"
  + "DigiCert Global Root G3"
  + "DigiCert Trusted Root G4"
  + "QuoVadis Root CA 1 G3"
  + "QuoVadis Root CA 2 G3"
  + "QuoVadis Root CA 3 G3"
  + "WoSign"
  + "WoSign China"
  The following certificate authorities were removed (-):
  - "Entrust.net Secure Server CA"
  - "RSA Root Certificate 1"
  - "TDC Internet Root CA"
  - "ValiCert Class 1 VA"
  - "ValiCert Class 2 VA"
* Include clear list of CAs added/removed, as above, and include better note
  in README.Debian for trust reconfiguration. Closes: #743365
* Remove debian/config in debian/rules clean target.
* Include d/{changelog,NEWS} entries in 20140223 for duplicate CKA_LABEL
  rename of "StartCom Certification Authority"_2.

29. By Michael Shuler on 2014-03-25

* Update mozilla/certdata.txt to version 1.97+revert_of_936304
  Mozilla reverted the removal of 1024-bit root certificates for
  Entrust.net, GTE CyberTrust, and ValiCert (RSA), but did not update the
  version number in nssckbi.h.
  Certificates added (+) (none removed):
  + "Entrust.net Secure Server CA"
  + "GTE CyberTrust Global Root"
  + "RSA Root Certificate 1"
  + "ValiCert Class 1 VA"
  + "ValiCert Class 2 VA"

28. By Michael Shuler on 2014-02-23

* No longer ship cacert.org certificates. Closes: #718434, LP: #1258286
* Fix certdata2pem.py for multiple CAs using the same CKA_LABEL. Thanks
  to Marc Deslauriers for the patch. Closes: #683403, LP: #1031333
* Sort local CA certificates on update-ca-certificates runs. Thanks to
  Vaclav Ovsik for the suggestion and patch. Closes: #727136
* Add trailing newline to certificate, if it is missing. Closes: #635570
* Update mozilla/certdata.txt to version 1.97.
  Certificates added (+), removed (-), and renamed (~):
  + "ACCVRAIZ1"
  + "Atos TrustedRoot 2011"
  + "E-Tugra Certification Authority"
  + "SG TRUST SERVICES RACINE"
  + "T-TeleSec GlobalRoot Class 2"
  + "TWCA Global Root CA"
  + "TeliaSonera Root CA v1"
  + "Verisign Class 3 Public Primary Certification Authority"
  ~ "Verisign Class 3 Public Primary Certification Authority"_2
    (both Verisign Class 3 CAs now included with duplicate CKA_LABEL fix)
  - "Entrust.net Secure Server CA"
  - "Firmaprofesional Root CA"
  - "GTE CyberTrust Global Root"
  - "RSA Root Certificate 1"
  - "TDC OCES Root CA"
  - "ValiCert Class 1 VA"
  - "ValiCert Class 2 VA"
  - "Wells Fargo Root CA"

27. By Michael Shuler on 2013-09-06

* Add ca-certificates-local source package example to documentation
* Update local certificate handling in README.Debian.
  Closes: #718173, LP: #487845
* Update CA inclusion policy for ca-certificates in README.Debian. With
  the exception of SPI and CAcert, only those CAs included in Mozilla's
  trust store will be included in ca-certificates in Debian.
  Closes: #647848, LP: #103074
* Clarify that not all software that uses SSL uses ca-certificates in
  README.Debian. Closes: #664769
* Add mozilla/nssckbi.h to source, since certdata.txt no longer contains
  a version number.
* Update debian/copyright to "Copyright: Mozilla Contributors" for
  mozilla/{certdata.txt,nssckbi.h}.
* Update mozilla/certdata.txt to version 1.94
  Certificates added (+) and removed (-):
  + "CA Disig Root R1"
  + "CA Disig Root R2"
  + "China Internet Network Information Center EV Certificates Root"
  + "D-TRUST Root Class 3 CA 2 2009"
  + "D-TRUST Root Class 3 CA 2 EV 2009"
  + "PSCProcert"
  + "Swisscom Root CA 2"
  + "Swisscom Root EV CA 2"
  + "TURKTRUST Certificate Services Provider Root 2007"
  - "Equifax Secure eBusiness CA 2"
  - "TC TrustCenter Universal CA III"

26. By Thijs Kinkhorst on 2013-06-10

[ Michael Shuler ]
* Install CAcert root and class3 certificates individually, no longer
  installing the concatenation of the two. The individual certificates
  are installed as cacert.org_root.crt and cacert.org_class3.crt for ease
  of identification. Additionally, this allows openssl maintainers to drop
  a problematic patch to c_rehash for handling multi-certificate files.
  (see #642314) Closes: #692323
* Update Vcs-* fields for lintian vcs-field-not-canonical
* Update to machine-readable debian/copyright file v1.0

[ Thijs Kinkhorst ]
* Drop upgrading code for upgrades from Debian Etch and earlier.
* Remove obsolete debconf.org CA certificate. DebConf now uses an
  intermediate certificate signed by SPI. (Closes: #693405)
* Remove obsolete SPI CA certiticate.
* Update Standards-Version: 3.9.4 (no changes needed)
* Clean up man page (LP#: 850997).

25. By Michael Shuler on 2013-01-19

* Update mozilla/certdata.txt to version 1.87 Closes: #697366
  Certificates removed (-) (none added):
  - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı"
* Remove unneeded and confusing usage of interest-noawait; remove unneeded
  Pre-Depends on dpkg. Thanks to Guillem Jover for the help and patch.
  Closes: #537051

24. By Michael Shuler on 2012-11-14

[ Don Armstrong ]
* Breaks ca-certificates-java (<<20121112+nmu1); partially fixing #537051.
* Provide update-ca-certificates and update-ca-certificates-fresh
  triggers.
* Call the triggers using no-await so that the configuration files from
  the newer version of ca-certificates-java are in places before the
  upgrade. Closes: #537051.

[ Michael Shuler ]
* Add note to previous mozilla/certdata.txt changelog entry to document
  CKT_NSS_MUST_VERIFY_TRUST changes.

23. By Michael Shuler on 2012-11-05

* Update mozilla/certdata.txt to version 1.86 Closes: #683728
  Certificates added (+) (none removed):
  + "Actalis Authentication Root CA"
  + "Trustis FPS Root CA"
  + "StartCom Certification Authority" (renewal/rehash)
  + "StartCom Certification Authority G2"
  + "Buypass Class 2 Root CA"
  + "Buypass Class 3 Root CA"
  + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı"
  + "T-TeleSec GlobalRoot Class 3"
  + "EE Certification Centre Root CA"
* Correct piuparts package remove/purge behavior Closes: #682125
  - Remove deletes of /etc/ssl{,/certs} from debian/postrm

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:debian/squeeze/ca-certificates
This branch contains Public information 
Everyone can see this information.

Subscribers