[12:06] <smoser> sdeziel_: thanks for seeing that. 
[12:48] <sdeziel_> np
[12:50] <smoser> so yeah, the bug is that if 'add' is never called, then /etc/ssl/certs/ca-certificates.crt is not updated. 
[12:54] <sdeziel> smoser: if you don't report it, please let me know and I will, thanks
[13:22] <smoser> sdeziel: i submitted using reportbug, but i don't have 100% confidence that my sendmail and such are workign correctly.
[13:22] <smoser> https://pastebin.ubuntu.com/p/2C2ChVfTfz/ is what i submitted.
[13:38] <sdeziel> smoser: can't find it on Debian nor Ubuntu :/
[13:58] <sdeziel> smoser: I think this is a regression introduced by https://salsa.debian.org/debian/ca-certificates/-/commit/8f8f4a525bd6a6c8a8d13530cda194d60275313d
[13:58] -ubottu:#ubuntu-security- Commit 8f8f4a5 in debian/ca-certificates "Don't remove ca-certificates.crt before updating it"
[14:59] <smoser> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051345
[14:59] -ubottu:#ubuntu-security- Debian bug 1051345 in ca-certificates "ca-certificates: update-ca-certificates does not recreate ca-certificates.crt if all certificates are deselected" [Normal, Open]
[14:59] <smoser> sdeziel: ^ it did get there. 
[14:59] <sdeziel> smoser: many thanks!
[15:00] <smoser> i dont know what the proper ehavior is, but without the chnge yo pointed to above, the file would be not-present.
[15:01] <smoser> maybe the right thing is to be present and zero length ? i dont know. 
[15:02] <smoser> but you're right that that change made it worse.
[19:03] <sarnold> smoser: btw the 'equivs' package can help you fake up packages to placate apt, when you've got good reasons for doing something that far out of the ordinary
[19:04] <sarnold> smoser: if by chance you still need all the ca-certificates machinery, and can't just wholesale stub out the package, dpkg exclude paths can be a lifesaver...
[19:05] <sarnold> smoser: I did something like this that I'm 70% sure does the right thing (I only set this up a few weeks ago) $ cat /etc/dpkg/dpkg.cfg.d/excludes 
[19:05] <sarnold> path-exclude=/usr/share/fonts/opentype/urw-base35/NimbusMonoPS*
[19:05] <smoser> i had never heard of that. 
[19:06] <smoser> and then it just chooses to not install those things. 
[19:06] <sarnold> I learned about it from people trying to find documentation in ubuntu or debian docker images :) heh
[19:07] <sarnold> ooh, nice bug report. I'm surprised you're the first to find this, though :(
[19:08] <smoser> you think its common that people just ignore all the certificates that ca-certificates gives them ?
[19:09] <teward> common, no.  some people, yes.
[19:27] <sarnold> heh, yeah, exactly that; though I guess a lot of the folks who might do that wouldn't be allowed to open bug reports about it
[19:34] <smoser> so you're saying its a good thing I didn't ask if i could open a bug report ;)
[19:39] <sarnold> exactly! $employer would certainly say "no you can't possibly do that, just fix it internally and never ever share the fix with anyone anywhere ever"
[19:39] <sarnold> "you know, open source"
[21:38] <teward> > exactly! $employer would certainly say "no you can't possibly do that, just fix it internally and never ever share the fix with anyone anywhere ever"
[21:38] <teward> guess i'm glad my employer is OK with me contributing back to open source XD
[21:39] <sarnold> *nod*