Guys, can you have a look?

In D49294#1124877, @kevans wrote:

This looks reasonable to me, thanks! We'll want an associated EN, as well- are you OK with preparing for that?

I must admit that I have no idea how to create an EN. Whould that apply only to stable branches?

Are you talking about https://www.freebsd.org/security/advisories/FreeBSD-EN-23:11.caroot.asc?

In D49294#1124880, @michaelo wrote:

In D49294#1124877, @kevans wrote:

This looks reasonable to me, thanks! We'll want an associated EN, as well- are you OK with preparing for that?

I must admit that I have no idea how to create an EN. Whould that apply only to stable branches?

So we can MFC these kinds of changes to stable/ branches without overhead, but we then submit EN to get secteam@ to roll them into patch releases following MFC. You can use the pre-existing caroot EN you pointed at for most of the fields, but you'd want to grab a fresh copy of the EN template in case there's some verbiage updates int he parts that we don't fill out: https://www.freebsd.org/security/errata-template.txt -- the completed template then gets attached to a new bugzilla PR for secteam to track (I think we can just file a new "Base System" > misc PR for "Bundled caroot in existing releases is out of date", attach the template then assign it to secteam@ with the "needs_errata" flag set).

In D49294#1124887, @kevans wrote:

In D49294#1124880, @michaelo wrote:

In D49294#1124877, @kevans wrote:

This looks reasonable to me, thanks! We'll want an associated EN, as well- are you OK with preparing for that?

I must admit that I have no idea how to create an EN. Whould that apply only to stable branches?

So we can MFC these kinds of changes to stable/ branches without overhead, but we then submit EN to get secteam@ to roll them into patch releases following MFC. You can use the pre-existing caroot EN you pointed at for most of the fields, but you'd want to grab a fresh copy of the EN template in case there's some verbiage updates int he parts that we don't fill out: https://www.freebsd.org/security/errata-template.txt -- the completed template then gets attached to a new bugzilla PR for secteam to track (I think we can just file a new "Base System" > misc PR for "Bundled caroot in existing releases is out of date", attach the template then assign it to secteam@ with the "needs_errata" flag set).

Alright, I will do. Let me first merge and MFC. I will work on a new EN in parallel.

Awesome, thanks! Let me know if you need help with the process- I'd like others to be comfortable with updating the caroot bundle as I'd never intended to be the long-term maintainer of it, but I've failed repeatedly to entice anyone else into dealing with it.

Awesome, thanks! Let me know if you need help with the process- I'd like others to be comfortable with updating the caroot bundle as I'd never intended to be the long-term maintainer of it, but I've failed repeatedly to entice anyone else into dealing with it.

Let's make sure we have a good process doc as an outcome of this as well (link to EN process etc.)

In D49294#1124889, @kevans wrote:

Awesome, thanks! Let me know if you need help with the process- I'd like others to be comfortable with updating the caroot bundle as I'd never intended to be the long-term maintainer of it, but I've failed repeatedly to entice anyone else into dealing with it.

Who is supported to cherry-pick to releng? If me, do I need someone else's approval or can I just pick from stable with git cherry-pick -x stable/XY?

Who is supported to cherry-pick to releng?

Secteam will do that. You can just fill out the erratum template and mail it to secteam.

In D49294#1125562, @emaste wrote:

Who is supported to cherry-pick to releng?

Secteam will do that. You can just fill out the erratum template and mail it to secteam.

Great, I have it almost complete. Will file the issue as soon as the MFC is done.

MFC'ed and issue created: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285546

No reaction from secteam...

In D49294#1130871, @michaelo wrote:

No reaction from secteam...

Just dropping a note for posterity that they ack'd ~40 minutes after that comment