On Fri, Nov 01, 2024 at 10:59:43AM +0000, Stuart Henderson wrote:
> On 2024/11/01 11:41, Theo Buehler wrote:
> > Baltimore will expire shortly after 7.7 release (May 12, 2025)
> > Apart from a warning on that, there was only the usual Unizeto error:
> > 
> > ERROR: '/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2' cannot be verified with libressl
> 
> The usual date format issue.

yep

> > Nothing particularly interesting this time. Comodo was hoisted over
> > COMODO again.
> 
> This is because of lc() in the sort order; the order of the "equal
> except for case" lines then depends on the perl hash order which is
> random.

ah. Yes, it's annoying noise.

> The diff below makes the output from format-pem repeatable (at the cost
> of one-off churn). Do we want that? (I think so).

Yes, I think we do. Thanks

ok tb

A slight downside is that COMODO and Comodo will no longer be next to
each other, but I don't think it matters.

I suggest I commit my update as it is.  Then switching to the new
format-pem.pl will only result in reshuffling cert.pem rather than
interleaving it with additions and removals. I have that ready. I can
send it out if you want to verify it or commit directly.