Upgrade Stable's ca-certificates to those from Testing.

[fred barclay]

G'day mates! As usual, this is in Offtopic because it doesn't deal with pure Debian, but rather a Debian Stable derivative (LMDE Betsy). I've already asked on the Mint forums but I wanted to get you chaps' advice and opinions as well. So, not a support request but more a generic security question.

Due to a known bug with the 20141019+deb8u1 ca-certificates package, boincmgr (provided by the boinc-manager package) does not communicate with the project servers of World Community Grid, but instead complains that the Peer Certificate cannot be authenticated with the given CA certificates. The temporary fix is to downgrade the ca-certificates to 20141019, but I'm rather uncomfortable doing this due to the security implications.

Jessie already has all the dependencies for the ca-certificates package (20160104) in Stretch. If the Stretch ca-certificates will work with boincmgr (testing in a VM in-progress), what are the risks of simply grabbing the Stretch ca-certs and using those?
In another words, can I expect security or stability issues, if I use the newer ca-certs package from Testing on my Stable machine? Or is this just a bad idea all around?

Cheers!
Fred

[stevepusser]

As far as I can tell, those certificates are safe to install on a Jessie base.

[minos]

Hey,
exact, it's annoying to always have to downgrade ca-certificates... that's why I was looking for a better workaround.

So, are you using ca-certificates from Debian Testing depots ?
Is it ok, BOINC can speak with the worldcommunitygrid without problem ?

If yes, how to ?
in /etc/apt/sources.list insert "testing" instead of "jessie" is enough ?
then apt-get update > apt-get install ca-certificates ?

Thx for your feedback and help

[emariz]

The package ca-certificates has only two dependencies (1), and if one compares the dependency chain of this package in the different Debian releases, one realises it is composed of the same two packages at the same versions. This means that the Unstable version of the desired package should be installable in Stretch, Jessie and Wheezy. In this particular case, one can download (through a web browser) the desired DEB package from Unstable and install it manually using
dpkg --install /path/to/package.deb

If the package had, say, a dozen dependencies at a particular version, a manual inspection of the dependency chain would be impossible (or plain inconclusive). For one would need to analyse the possibility of installing every one of those dependencies and every one of their own dependencies (until one reaches a deep, simple level where every stated dependency is common to any Debian release). This is precisely why Aptitude and Apt exist.

1. https://packages.debian.org/sid/ca-certificates

[fred barclay]

So, are you using ca-certificates from Debian Testing depots ?
Is it ok, BOINC can speak with the worldcommunitygrid without problem ?

I did use the ca-certs from Testing but even then BOINC wouldn't communicate with WCG. I hope you get it working--I had to (temporarily) give up.