From: jcristau@debian.org   
      
   On 12/17/25 13:04, Santiago Ruano Rincón wrote:   
   > Hello,   
   >   
   > El 03/06/25 a las 14:18, William David Edwards escribió:   
   >> Package: ca-certificates   
   >> Version: 20240203   
   >>   
   >> Version 20240203 contains new CAs, most notably Sectigo Public Server   
   >> Authentication Root. Sectigo seems to have recently started issuing   
   >> certificates with this new root certificate. Please consider migrating   
   >> 20240203 to stable, as its absence will most definitely cause userland   
   >> issues.   
   > AFAICS, the actual affected version here was 20230311 from bookworm,   
   > since bookworm was the stable version when this bug was filed, on   
   > 2025-06-03.   
   >   
   > This was fixed with 20230311+deb12u1:   
   > https://tracker.debian.org/news/1648789/accepted-ca-certificat   
   s-20230311deb12u1-source-into-proposed-updates/,   
   > and actually could be (force)merged with #1095913.   
   >   
   > I don't want to step on the maintainer's toes, so unless Julien agrees   
   > on that, I am not planning to change the status of this bug.   
   I think there's 2 issues at play here:   
   - the specific case of that Sectigo root, which as you said was resolved   
   - what to do about new CA certificates in stable more generally.   
   Historically root CAs were around for decades, so updating the trust   
   store once every couple of years was more than sufficient. In recent   
   years CA lifetimes have reduced significantly, so this has become an   
   issue.  I would like to start updating the package more regularly, but   
   have been struggling to find the spare time to even keep up in unstable   
   so far...   
      
   Cheers,   
   Julien   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)