The CA add/remove info is in the changelog for users that wish to know
what certificate authorities were added or removed. The default
installation of apt-listchanges results in lots of emails from users
wondering why the package maintainer is emailing them or halting their
automated upgrades.

These roots are trusted in the Mozilla program only for S/MIME, so should not be
included in ca-certificates, which most applications use to validate TLS
certificates.
Per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721976, the only MUAs that
depend on or suggest ca-certificates are Mutt and Sylpheed. Sylpheed doesn't use
ca-certificates for S/MIME. Mutt does, but I think it is still safe to remove
these because:
(a) S/MIME is relatively uncommon, and
(b) The CAs that have both TLS and S/MIME bits will continue to work, and
(c) Nearly all of the 12 removed email-only CAs have ceased operation of their
email certificate services
Verisign Class 1 Public Primary Certification Authority - G3
Verisign Class 2 Public Primary Certification Authority - G3
UTN USERFirst Email Root CA
SwissSign Platinum CA - G2
AC Raiz Certicamara S.A.
TC TrustCenter Class 3 CA II
ComSign CA
S-TRUST Universal Root CA
Symantec Class 1 Public Primary Certification Authority - G6
Symantec Class 2 Public Primary Certification Authority - G6
Symantec Class 1 Public Primary Certification Authority - G4
Symantec Class 2 Public Primary Certification Authority - G4
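
The trust-bit distinction behind this removal, as an added example that is not code from the ca-certificates package: it assumes the attribute layout of Mozilla's certdata.txt trust objects (`CKA_TRUST_SERVER_AUTH`, `CKA_TRUST_EMAIL_PROTECTION`) and separates roots trusted for TLS from those trusted only for S/MIME. The sample input and its labels are constructed placeholders.

```python
import re
# Constructed sample in the layout of certdata.txt trust objects;
# the labels are placeholders, not real CAs.
SAMPLE = '''\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example TLS and Email Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
'''

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"

def parse_trust_objects(text):
    """Yield {label, CKA_TRUST_*: value} per CKO_NSS_TRUST object."""
    obj = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("CKA_CLASS "):
            if obj is not None:
                yield obj
            obj = {} if line.endswith(" CKO_NSS_TRUST") else None
        elif obj is not None:
            m = re.match(r'CKA_LABEL UTF8 "(.*)"$', line)
            if m:
                obj["label"] = m.group(1)
            m = re.match(r"(CKA_TRUST_\w+) CK_TRUST (\w+)$", line)
            if m:
                obj[m.group(1)] = m.group(2)
    if obj is not None:
        yield obj

def classify(text):
    """Group labels: TLS-trusted, email-only, or not trusted."""
    out = {"tls": [], "email_only": [], "untrusted": []}
    for o in parse_trust_objects(text):
        tls = o.get("CKA_TRUST_SERVER_AUTH") == TRUSTED
        mail = o.get("CKA_TRUST_EMAIL_PROTECTION") == TRUSTED
        key = "tls" if tls else "email_only" if mail else "untrusted"
        out[key].append(o.get("label", "<unlabelled>"))
    return out
```

Only the `tls` group belongs in a bundle that applications use to validate TLS certificates; a root with both bits set stays there, which matches point (b) above.
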

This should prevent `openssl rehash` from exiting with an error on a
symlink with nonexistent target, since the behavior changed from c_rehash.
See #895482, #895473.

This reverts commit 1ef0fd15cc.
While this worked great to fix the error, it also broke the counting on
upgrade for how many certificates were removed.. (-_-)

This should prevent `openssl rehash` from exiting with an error on a
symlink with nonexistent target, since the behavior changed from c_rehash.
See #895482, #895473.

We create a directory under /usr/local, but ensure it has the same
permissions as /usr/local itself. I believe this satisfies the
new policy requirement about the staff group.