update-ca-certificates error. ca-certificates.crt empty (with pt_BR locale)

Bug #153625 reported by Fernando Ribeiro
20
Affects Status Importance Assigned to Milestone
Landscape Server
Medium
Unassigned
ca-certificates (Debian)
Fix Released
Unknown
ca-certificates (Ubuntu)
High
James Westby
Dapper
High
James Westby
Edgy
High
Unassigned
Feisty
High
Unassigned
Gutsy
High
Unassigned

Bug Description

Installing ca-certificates would leave Brazilian users with an empty certificates
file due to an error in the tranlations for that locale.

This can be reproduced by installing the current version of ca-certificates
in dapper, edgy, feisty or gutsy in a pt_BR locale, i.e.

  $ sudo locale-gen pt_BR.UTF-8
  $ export LC_ALL=pt_BR.UTF-8
  $ sudo aptitude install ca-certificates

you will find that the /etc/ssl/certs/ca-certificates.crt file is present, but of
zero size.

If you do nothing more than install a fixed version of the package then you
should find that the file is no longer empty, and you were given no debconf
prompts.

The following things should also be true:

  * Running "dpkg-reconfigure ca-certifcates" before installing a fixed version
     will mean that you are shown a debconf prompt with all of the certificates
     pre-selected, and your choices will be reflected in the generated ca-certificates.crt
     file. (e.g. deselecting all the certificates will leave you with an empty file again).
  * Changing out of the pt_BR locale before upgrading will leave you with
     an empty file and no questions will be asked.

Also, exactly the same behaviour should be observed after installing a fixed version,
when upgrading to a new release.

-- Original report:

fernando@getec-supn2-02:~$ sudo update-ca-certificates --verbose
[sudo] password for fernando:
Updating certificates in /etc/ssl/certs....Doing .
unable to load certificate
11081:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
WARNING: ca-certificates.crt does not contain a certificate or CRL: skipping
ssl-cert-snakeoil.pem => 61de0230.0
done.
fernando@getec-supn2-02:~$ file /etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt: empty

Revision history for this message
Fernando Ribeiro (ipsec) wrote :

In /etc/ca-certificates.conf is normal all certificates disabled (!) ?

Revision history for this message
Christian Reis (kiko) wrote :

This same problem affects me; it is serious because it affects bzr's ability to branch from launchpad.net.

Changed in ca-certificates:
status: New → Confirmed
Revision history for this message
Gabriel Mazetto (brodock) wrote :

same with me...
i installed a clean 7.10 Ubuntu Server 64bits and when i tried to install ca-certificates i got it installed ok (that's what apt-get said) but no certs in /etc/ssl/certs...

when i did an update-ca-certificates --verbose i got this output:

# update-ca-certificates --verbose
Updating certificates in /etc/ssl/certs....Doing .
unable to load certificate
5445:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
WARNING: ca-certificates.crt does not contain a certificate or CRL: skipping
ssl-cert-snakeoil.pem => be24ca9c.0
done.

all i have installed was openssh-server before and then i was installing landscape-client but got blocked by this issue to get it working.

i assume this is medium/high urgency as it blocks clean installation to work properly

Revision history for this message
Etienne Goyer (etienne-goyer-outlands) wrote :

The problem Landscape have in this case is that connection will fail if the certificate bundle in /etc/ssl/certs/ca-certificates.conf do not contain the CA certificate required to validate the one presented by https://landscape.canonical.com. In fact, this is not restricted to Landscape but generalized to any software that depend on the certificate bundle from ca-certificates. For example, doing "wget https://landscape.canonical.com" will also fail in these cases.

The quick and dirty solution is to reconfigure ca-certificates with:

    sudo dpkg-reconfigure ca-certificates

I am unsure which CA certificate is required to validate https://landscape.canonical.com, so I selected all of them in the second dialog ("Select certificates to activate"). And it work: configure-landscape complete just fine then.

Revision history for this message
Gabriel Mazetto (brodock) wrote :

reconfigure wasn't enough for me... i had to manually edit /etc/ca-certificates.conf and remove the starting __ ! __ from every line

Revision history for this message
Christian Reis (kiko) wrote :

Man, that's a lot of certificates to enable. My wrists hurt now.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

It happens here with a pt_BR.UTF-8 locale.

If I install ca-certificates in a en-US.UTF-8 locale, it works: /etc/ssl/certs/ca-certificates.crt gets populated, /etc/ssl/certs has lots of symlinks and /etc/ca-certificates.conf has the "!" removed.

If I install the package in a pt_BR.UTF-8 locale (didn't test other non-english locales), then the ca-certificates.crt file is empty, all certs in ca-certificates.conf have the "!" char and no symlinks (other than the snake oil one) are created.

Revision history for this message
berg (berg-foss) wrote :

MANY bugs happened because the empty ca-certificate:

https://bugs.launchpad.net/ubuntu/+source/boinc/+bug/159135
https://bugs.launchpad.net/ubuntu/+source/esniper/+bug/164264

Why not coming enable ?? like browsers ??

Revision history for this message
Daniel Hahler (blueyed) wrote :

Does "sudo dpkg-reconfigure ca-certificates" ask you if you "Trust new CAs certificates" and then which ones to enable/disable?

Andreas, can you reproduce what you've discovered using the following commands? (where the first one should disable all, but the latter should make it work again)
LANG=pt_BR.UTF-8 sudo dpkg-reconfigure ca-certificates
and
LANG=en-US.UTF-8 sudo dpkg-reconfigure ca-certificates

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Daniel, after the package is installed, dpkg-reconfigure doesn't help much anymore. Even if I answer "yes", it doesn't show me the certificate list nor enables certificates in /etc/ca-certificates.conf

It's only at installation time that the locale makes a difference for me.

Changed in landscape:
importance: Undecided → Medium
Revision history for this message
Gabriel Mazetto (brodock) wrote :

only happens with server edition. Ubuntu desktop works fine

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Are you sure? The below was just run on an up-to-date gutsy desktop:

root@duo:~# apt-get purge ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  ca-certificates*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0B of archives.
After unpacking 573kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database ... 113253 files and directories currently installed.)
Removing ca-certificates ...
Removing hash symlinks in /etc/ssl/certs ...done.
Purging configuration files for ca-certificates ...

root@duo:~# LANG=pt_BR.UTF-8 LC_ALL=pt_BR.UTF-8 LANGUAGE=pt_BR.UTF-8 apt-get install ca-certificates
Lendo lista de pacotes... Pronto
Construindo árvore de dependências
Reading state information... Pronto
Os NOVOS pacotes a seguir serão instalados:
  ca-certificates
0 pacotes atualizados, 1 pacotes novos instalados, 0 a serem removidos e 0 não atualizados.
É preciso fazer o download de 97,3kB de arquivos.
Depois de desempacotar, 573kB adicionais de espaço em disco serão usados.
Obtendo:1 http://br.archive.ubuntu.com gutsy/main ca-certificates 20070303 [97,3kB]
Baixados 97,3kB em 0s (98,3kB/s)
Pré-configurando pacotes ...
Selecionando pacote previamente não selecionado ca-certificates.
(Lendo banco de dados ... 113136 arquivos e diretórios atualmente instalados.)
Descompactando ca-certificates (de .../ca-certificates_20070303_all.deb) ...
Instalando ca-certificates (20070303) ...
Updating certificates in /etc/ssl/certs....done.

root@duo:~# ls -la /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 0 2008-03-21 20:19 /etc/ssl/certs/ca-certificates.crt

Now let's repeat but with en_US locale:
(same purging as before not shown this time)
root@duo:~# LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LANGUAGE=en_US.UTF-8 apt-get install ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ca-certificates
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/97.3kB of archives.
After unpacking 573kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package ca-certificates.
(Reading database ... 113136 files and directories currently installed.)
Unpacking ca-certificates (from .../ca-certificates_20070303_all.deb) ...
Setting up ca-certificates (20070303) ...
Updating certificates in /etc/ssl/certs....done.

root@duo:~# ls -la /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 153268 2008-03-21 20:21 /etc/ssl/certs/ca-certificates.crt

Daniel Hahler (blueyed)
Changed in ca-certificates:
importance: Undecided → High
status: Confirmed → Triaged
Revision history for this message
Andreas Hasenack (ahasenack) wrote : Re: update-ca-certificates error. ca-certificates.crt empty (depending on locale)

The pt_BR translation file is introducing a typo:

debian/po/pt_BR.po:

#. Type: multiselect
#. Choices
#: ../templates:2001
msgid "${new_crts}"
msgstr "${new_certs}" <------
(...)
#. Type: multiselect
#. Choices
#: ../templates:3001
msgid "${enable_crts}"
msgstr "${enable_certs}" <-----

It should be ${new_crts} and ${enable_crts} above. Notice the incorrect extra "e" in both cases.

Now, who can fix this in the package? :)

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This was fixed in version 20070303-0.1 from upstream (Debian):
http://packages.debian.org/changelogs/pool/main/c/ca-certificates/ca-certificates_20070303-0.1/changelog

No specific mention to this problem, but the pt_BR po file there is correct.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Ups, I'm sorry. The 20070303-0.1 doesn't fix the pt_BR locale, it's the pt locale that got updated among other things. pt_BR is still broken and this bug still happens with debian upstream. I'll file a bug there.

Revision history for this message
Daniel Hahler (blueyed) wrote :

Andreas, thank you for you investigation and a way to fix it! I've just send a patch to your Debian bug report, which fixes the root cause: those substitution vars should not be extracted for translation.

Is everybody having this problem (empty certs) using the pt_BR locale? If not, please report a new bug and provide a way to reproduce it, if possible.

As seen, sometimes the smalled details (used locale) are important.

Thank you.

Changed in ca-certificates:
milestone: none → ubuntu-8.04
Revision history for this message
Christian Reis (kiko) wrote : Re: [Bug 153625] Re: update-ca-certificates error. ca-certificates.crt empty (depending on locale)

On Mon, Mar 24, 2008 at 07:51:47PM -0000, Daniel Hahler wrote:
> Is everybody having this problem (empty certs) using the pt_BR locale?

We are, at least. Andreas is a wizard!
--
Christian Robottom Reis | http://async.com.br/~kiko/ | [+55 16] 3376 0125

Changed in ca-certificates:
status: Unknown → New
Revision history for this message
James Westby (james-w) wrote :

Hi,

Here's a patch to fix this issue directly, as there has been
no movement in Debian, and we should get this done for
Hardy.

Thanks,

James

Revision history for this message
berg (berg-foss) wrote :

Yes , I use Pt-BR locale and have empty certs too

Revision history for this message
Steve Langasek (vorlon) wrote :

James, Daniel,

Thanks for preparing this patch. I'm uploading it now, with two changes:

- the version number should be 20070303-0ubuntu1 rather than 20070303ubuntu1 for a native package, so that it sorts earlier than an NMU numbered 20070303-0.1 in Debian (this is not a theoretical, this is in fact the current version of the package in unstable)
- the maintainer field needs to be updated, per the DebianMaintainerField spec.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20070303-0ubuntu1

---------------
ca-certificates (20070303-0ubuntu1) hardy; urgency=low

  [ James Westby ]
  * Fix installation on pt_BR locales. This was caused by the .templates
    choices strings being marked for translation, and then a translator
    changing the substitution variable name. Thanks to Andreas Hasenack
    for spotting the problem, and Daniel Hahler for the fix. (LP: #153625)
    When merging this package check if the Debian upload fixed debian
    bug 472507 as that is where the issue is reported.

  [ Steve Langasek ]
  * Modify Maintainer value to match the DebianMaintainerField
    specification.

 -- Steve Langasek <email address hidden> Sat, 29 Mar 2008 05:54:49 +0000

Changed in ca-certificates:
status: Triaged → Fix Released
Revision history for this message
James Westby (james-w) wrote : Re: [Bug 153625] Re: update-ca-certificates error. ca-certificates.crt empty (with pt_BR locale)

On Sat, 2008-03-29 at 06:04 +0000, Steve Langasek wrote:
> James, Daniel,
>
> Thanks for preparing this patch. I'm uploading it now, with two
> changes:
>
> - the version number should be 20070303-0ubuntu1 rather than 20070303ubuntu1 for a native package, so that it sorts earlier than an NMU numbered 20070303-0.1 in Debian (this is not a theoretical, this is in fact the current version of the package in unstable)
> - the maintainer field needs to be updated, per the DebianMaintainerField spec.
>

Thanks Steve,

I'll make sure to get it right next time.

Thanks,

James

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Can this be fixed in gutsy too?

Revision history for this message
James Westby (james-w) wrote :

On Sat, 2008-03-29 at 13:09 +0000, Andreas Hasenack wrote:
> Can this be fixed in gutsy too?
>

You would need to apply for a stable release update. You can
find the requirements and process documented at

  https://wiki.ubuntu.com/StableReleaseUpdates

Thanks,

James

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

1. Impact: programs doing certificate validation using openssl root certificates shipped with the distribution stop working with encrypted connections if ca-certificates was installed in a pt_BR locale. Examples: wget, curl, landscape-client.
2. The problem was a variable that was wrongly tagged to be translated. It just happened that the pt_BR translation was the first one to hit it. The fix is in hardy, package version 20070303-0ubuntu1
3. Patch is available in this report, as well in the aforementioned package, and attached to upstream debian report. I understand that the final patch is slightly different due to policies.
4. TEST CASE: see comment at https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/153625/comments/12
5. Possible, unverified regression, is that users loose whatever certificates they may have marked as trusted before, i.e., they would have to go through the list again in the worst case scenario. But since the default behavior of this package is to mark all certs as trusted, I don't expect many users would have a custom list. I also personally didn't test if a simple upgrade is enough to fix this issue for users who already have the broken package. This is my first SRU request: I'm not sure if I have to do these tests or if some QA team will do it.
Finally, I also didn't check if previous Ubuntu releases have this bug too. I only know of Gutsy and Hardy, which I have installed.

Revision history for this message
Daniel Hahler (blueyed) wrote :

Dapper, Edgy and Feisty are also affected.

Revision history for this message
Martin Pitt (pitti) wrote :

Patch approved, thanks for figuring this out. Please restore the original comment header in debian/po/templates.pot.

Changed in ca-certificates:
status: New → Confirmed
Revision history for this message
Martin Pitt (pitti) wrote :

Oh, I guess this needs sponsoring.

Changed in ca-certificates:
importance: Undecided → High
status: Confirmed → In Progress
Revision history for this message
Martin Pitt (pitti) wrote :

James, this should be a good exercise to get some SRU experience. :) Can you please prepare debdiffs for all stable releases and test them? Please make sure that version numbers; since dapper and edgy have the same version ATM, the convention is to use 20050804+0.6.06 and 20050804+0.6.10.

Please attach the debdiffs here, I'll upload them.

Changed in ca-certificates:
assignee: nobody → james-w
status: In Progress → Confirmed
Revision history for this message
James Westby (james-w) wrote :

This isn't the best fix that we can provide for our users,
so I am going to write a second patch that improves
it for users who were hit by this bug.

Thanks,

James

Changed in ca-certificates:
assignee: nobody → james-w
status: Fix Released → In Progress
Revision history for this message
Daniel Holbach (dholbach) wrote :

Unsubscribing Ubuntu Sponsors for main from this bug for now.

Revision history for this message
James Westby (james-w) wrote :

Hi,

Attached is my improved fix for hardy, it does the following things

  * If the user has an empty file and the template has not been seen
     it probably means that they installed under pt_BR and were hit by
     this issue and they have not run dpkg-reconfigure ca-certificates.
     It will then just behave like a new install.

  * If the has an empty file an the template has been seen it means
     one of two things
     - Either they were hit by the issue and ran dpkg-reconfigure
       ca-certificates.
     - Or they were not hit by the issue and have deselected all
       certificates.

     = To help the first case if $LC_ALL=pt_BR.UTF-8 then we show
        the question with critical priority and preselect everything,
        so that they can select, but it's easy to get the behaviour
        of a fresh install.

     = If they are not currently under pt_BR.UTF-8 then we leave it
        as is. The only users who will suffer from this are those that
        were hit by the issue, ran dpkg-reconfigure, and have since
        changed locales.

  * Otherwise it just does nothing.

I have tested the following scenarios

   * install in pt_BR and then upgrade - like default install
   * install in pt_BR, dpkg-reconfigure and upgrade - question with all certs selected by default
   * install in pt_BR, switch to en_GB, upgrade - like default install
   * install in pt_BR, dpkg-reconfigure, switch to en_GB, upgrade - still empty file
      - dpkg-reconfigure shows the question with no certs highlighted by default.
   * install new version in pt_BR - like default install

   * install in en_GB, upgrade - like default install
   * install new version in en_GB - like default install
   * install in en_GB, dpkg-reconfigure and deselect all, upgrade - empty file
   * install in en_GB, dpkg-reconfigure and deselect all,
        switch to pt_BR, upgrade - shown the question and have to deselect all again.

I think this is good, as the only users it really annoys are those that
changed locales. Those who changed to en_GB have an empty file,
but dpkg-reconfigure will still work for them. Those that changed
to pt_BR have an extra question, but at least they don't get
certificates they don't want activated without their consent.

My only remaining worry is preseeding, does that set the seen
attribute of the questions that are preseeded? Otherwise
there may be unexpected behaviour their.

Also using a lt-ne version check only means that the last case will
be asked the question multiple times, once when they go
to the fixed version, and once for each dist-upgrade until hardy,
so if they are on edgy that could be as many as 4 times.

Thanks,

James

Revision history for this message
James Westby (james-w) wrote :

Hi,

Sorry, a new version with the bug mentioned in the changelog.

Thanks,

James

Revision history for this message
James Westby (james-w) wrote :

Hi,

Here is a version with the improvements suggested by Colin.

Thanks,

James

Revision history for this message
James Westby (james-w) wrote :

Hi,

Another version with slightly different checking of
the locale as suggested by pitti.

Thanks,

James

Revision history for this message
James Westby (james-w) wrote :

Hi,

This is the previous diff with a small style improvement.

Thanks,

James

Revision history for this message
Martin Pitt (pitti) wrote :

Patch looks great to me now, thank you! I uploaded it to hardy. Approved for SRU, too.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20070303-0ubuntu2

---------------
ca-certificates (20070303-0ubuntu2) hardy; urgency=low

  * Improve on the last fix by trying to fix up the problem for
    those that were affected. (LP: #153625)
    - If upgrading from a broken version and the file is empty,
      then
      - if the question was never seen then act like a default
        install
      - if the question was seen and we are in pt_BR locale then
        ask the question again defaulting to selected for all
        certificates.
      - else do nothing.
    - This covers the common cases well, but may require people
      who changed their locales to either answer a question they
      already answered, or to run dpkg-reconfigure manually.
    - All of this code should be dropped after hardy, as all upgrades
      must go through hardy, and everyone will have a fixed version
      then.

 -- James Westby <email address hidden> Tue, 01 Apr 2008 14:58:12 +0100

Changed in ca-certificates:
status: In Progress → Fix Released
Revision history for this message
James Westby (james-w) wrote :

Hi,

Following will be the individual debdiffs for each supported
release. Each is tested using the same test cases as
outlined above.

I am subscribed to the bug reports for the package since
this morning.

I hope I have everything right in these, I'll be happy to
update any for any problems there may be.

Thanks,

James

Revision history for this message
James Westby (james-w) wrote :
Revision history for this message
James Westby (james-w) wrote :

I wasn't too sure on what version number I should
give this one, as it is the only one that has a version
not in another release.

Revision history for this message
James Westby (james-w) wrote :
Revision history for this message
Martin Pitt (pitti) wrote :

Sponsored (with minimized debdiffs) and approved into -proposed. Please test the packages in -proposed once they hit and give feedback here for verification. Thank you!

Changed in ca-certificates:
status: Confirmed → Fix Committed
importance: Undecided → High
status: New → Fix Committed
importance: Undecided → High
status: New → Fix Committed
importance: Undecided → High
status: New → Fix Committed
Revision history for this message
James Westby (james-w) wrote :

Hi,

I've tested the debs in proposed and realised I made a mistake.

When I tested my versions I was installing using dpkg, when
switching to apt for testing -proposed the questions were
being asked too many times.

I had forgotten that apt will call the config script multiple times
when upgrading, and so the forcing of the question to unseen
for some people meant that it was asked multiple times.

Colin suggsted that I could work around this by adding another
attribute when the question is forced using db_fset. This seems
to work well, and would provide a way to limit the number of
times the question is asked without resorting to the version
comparisons that early versions of my patch had.

The proposed situation would look like:

  * Use the same logic as before to detect whether
     the user appears to be affected, if they are then ask the
     question and use db_fset to record the fact that we
     did this. Then check for this new attribute as well
     to make sure it is only forced once.
  * Only clean up the attribute in the postinst of the version
     in Hardy, so that it will mean the question is only
     asked once, rather than once per release upgrade, as the
     current version has it.

The remaining open question is how to handle those that
have already tested the .debs in -proposed. They may have
been asked the question more than once, and there is
nothing we can do about that. However, currently they would
not have the new attribute set, and so would be asked again
next time they upgraded their distribution.

One solution would be to set the flag unconditionally if they
are upgrading from the version in -proposed. That should be
ok, as they will have had the problem fixed up, and we don't
need to ask them again.

I will post some more patches for this solution later.

Apologies for not catching this earlier.

Thanks,

James

Revision history for this message
Martin Pitt (pitti) wrote :

Hi James,

James Westby [2008-04-07 14:12 -0000]:
> When I tested my versions I was installing using dpkg, when
> switching to apt for testing -proposed the questions were
> being asked too many times.

Ah, sorry, I didn't catch that either.

> The remaining open question is how to handle those that
> have already tested the .debs in -proposed. They may have
> been asked the question more than once, and there is
> nothing we can do about that. However, currently they would
> not have the new attribute set, and so would be asked again
> next time they upgraded their distribution.

To be honest I wouldn't be too concerned about it. We should not make
the code more complicated as absolutely necessary.

Revision history for this message
James Westby (james-w) wrote : Re: [Bug 153625] Re: update-ca-certificates error. ca-certificates.crt empty (with pt_BR locale)

Hi Martin,

Thanks for replying, I realise you are busy.

On Mon, 2008-04-07 at 15:03 +0000, Martin Pitt wrote:
> > The remaining open question is how to handle those that
> > have already tested the .debs in -proposed. They may have
> > been asked the question more than once, and there is
> > nothing we can do about that. However, currently they would
> > not have the new attribute set, and so would be asked again
> > next time they upgraded their distribution.
>
> To be honest I wouldn't be too concerned about it. We should not make
> the code more complicated as absolutely necessary.
>

That makes sense. At least this approach would limit the number
of upgrades that gave them extra questions to 1, rather than
the number that it takes to get to Hardy as before, so it
still benefits them.

Thanks,

James

Revision history for this message
James Westby (james-w) wrote :

Hi,

Attached is my new proposed version for Hardy. It fixes the
double question problem, and cleans up the value that we
use to do that in the postinst.

The new candidate SRUs will not clean up this value, so that
hunk will not be present in those patches when I post them.

Thanks,

James

Revision history for this message
James Westby (james-w) wrote :
Revision history for this message
James Westby (james-w) wrote :

Hi,

Here are the debdiffs against the versions in -proposed
for the SRUs.

I changed my mind again, and these versions do clean up
in postinst, as without this there would be be problems when
upgrading to a new release.

Without cleaning up the user could be offered a prompt
to select new certificates that had been added in that
release, but any answer they gave would just be ignored,
and the certificates would not be enabled.

I couldn't see a way to avoid this without completely reworking
the scripts.

Thanks,

James

Revision history for this message
James Westby (james-w) wrote :
Revision history for this message
James Westby (james-w) wrote :
Revision history for this message
James Westby (james-w) wrote :
James Westby (james-w)
description: updated
Martin Pitt (pitti)
Changed in ca-certificates:
status: Fix Released → In Progress
James Westby (james-w)
Changed in ca-certificates:
status: Fix Committed → In Progress
status: Fix Committed → In Progress
status: Fix Committed → In Progress
status: Fix Committed → In Progress
Revision history for this message
Martin Pitt (pitti) wrote :

I uploaded the latest Hardy patch yesterday, so I think this was erroneously reopened in hardy.

Changed in ca-certificates:
status: In Progress → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote :

Let's stop worrying about Edgy. It goes EOL at Saturday.

Changed in ca-certificates:
status: In Progress → Won't Fix
Revision history for this message
Martin Pitt (pitti) wrote :

Sponsored, fixed the target (hardy -> gutsy-proposed, etc.) and accepted into *-proposed. Please test again and give feedback here. Thank you!

Sorry for the delay, hardy release stress and all that...

Changed in ca-certificates:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Revision history for this message
Brian Murray (brian-murray) wrote :

I performed the Gutsy verification of this bug by following the steps provided and found that '/etc/ssl/certs/ca-certificates.crt' was a zero byte file. I then installed the ca-certificates package from gutsy-proposed and the file then contained data. I also upgrade from Gutsy to Hardy with the zero byte ca-certificates.crt file and found that after the upgrade the file contained data.

Revision history for this message
Brian Murray (brian-murray) wrote :

I performed the Dapper verification of this bug by following the steps provided and found that '/etc/ssl/certs/ca-certificates.crt' was a zero byte file. I then installed the ca-certificates package from dapper-proposed and the file then contained data.

Revision history for this message
Brian Murray (brian-murray) wrote :

I performed the Feisty verification of this bug, using a 7.04-server install, by following the steps provided and found that '/etc/ssl/certs/ca-certificates.crt' was a zero byte file. I then installed the ca-certificates package from feisty-proposed and the file then contained data.

Revision history for this message
Martin Pitt (pitti) wrote :

Thanks, Brian! All verified now.

Revision history for this message
Martin Pitt (pitti) wrote :

Copied to -updates.

Changed in ca-certificates:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks guys!

Changed in landscape:
status: New → Fix Released
Changed in ca-certificates:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.