ca-certificates pops a bad debconf prompt on upgrade to disco

Bug #1824411 reported by Steve Langasek on 2019-04-11
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ca-certificates (Ubuntu)
Medium
Unassigned

Bug Description

On upgrade from cosmic to disco, I get a debconf prompt from ca-certificates:

     New certificates to activate:

  mozilla/GlobalSign_Root_CA_-_R6.crt
  mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt

Neither of these two new certificates are selected by default.

Looking at the config script, I see that this question is being asked at critical priority.

It also appears that this is only being asked because ca-certificates/trust_new_crts is set to 'ask'. This is not a default setting and I have no memory of setting this, but the debconf database says this question has been seen. It's possible I did choose this option at some point despite not having memory of it; though I worry that since this is a continuously-upgraded system, something picked this for me at some point in the past due to a bug.

But having decided for 'ask', the UX here is still pretty bad.

 - If the package's recommendation (and default behavior) is to enable these new certs on upgrade, then the debconf prompt should also have them preselected. Otherwise, this prompt looks like something the package maintainer is NOT recommending that you do, so then why prompt for it at all.
 - Presenting only the certificate filenames is not a great basis for anyone making a decision about whether or not to enable these certs. If I actually wanted to manage which certs are enabled, in order to make an informed decision I would expect to see things like the CN of the cert and possibly some EKU information, not a filename.

Steve Langasek (vorlon) on 2019-04-11
Changed in ca-certificates (Ubuntu):
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers