This updates p11-kit and ca-certificates packages to allow new PKCS #11 flag CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER used in the newer certdata.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2020-f7bb54009e
Please login to add feedback.
This update has been submitted for testing by ueno.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
I just updated ca-certificates from F31 updates-testing without getting the p11-kit updates, and it broke certificate validation for all sites (including dnf trying to check the metalink). The ca-certificates update needs a requires on the newer version of p11-kit.
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
Notwithstanding the command about missing dependency.
Broke TLS in flatpak applications (discord and cawbird), had to downgrade both p11-kit and ca-certificates.
Perhaps not a concern if the advisory is installed or the update reaches stable, rather than just an upgrade to ca-certificates, but certificate validation broke entirely when I upgraded ca-certificates. I had to manually downgrade the package with an rpm downloaded on another device.
Correcting because it's not actually an issue for users.
@cmadams, yes, that's why this update contains both ca-certificates and p11-kit. @pizzadude, that's interesting; maybe the flatpak runtime needs an updated p11-kit.
Anyway I will drop ca-cerfificate from this update for now.
ueno edited this update.
Removed build(s):
Karma has been reset.
This update has been submitted for testing by ueno.
@ueno ca-certificates just needs to have its p11-kit version requirement updated to show the new dependency.
+1
ueno edited this update.
New build(s):
Removed build(s):
Karma has been reset.
ueno edited this update.
New build(s):
Karma has been reset.
@cmadams right, re-added ca-certificates with a versioned dependency on p11-kit. thanks!
This update has been pushed to testing.
LGTM
Works for me. No regressions noted compared to previous version.
This update can be pushed to stable now if the maintainer wishes
Looks good now!
Works
pwalter edited this update.
Looks good to me.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.