From 24be2b6f93046c62701388cb20b35e3a9175ac18 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Wed, 27 Sep 2023 13:36:23 +0800
Subject: [PATCH] make-ca: Add a note about hg.mozilla.org trust chain update

Why are they using a new trust chain even when the old root CA is not
expired?
---
 postlfs/security/make-ca.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/postlfs/security/make-ca.xml b/postlfs/security/make-ca.xml
index fe05974e1f..5bbf6f0066 100644
--- a/postlfs/security/make-ca.xml
+++ b/postlfs/security/make-ca.xml
@@ -79,6 +79,18 @@
       </listitem>
     </itemizedlist>
 
+    <note>
+      <para>
+        This package ships a CA certificate for validating the identity of
+        <ulink url='&certhost;'/>.  If the trust chain of this website
+        has been changed after the release of make-ca-&make-ca-version;,
+        it may fail to get the revision of <filename>certdata.txt</filename>
+        from server.  Use an updated make-ca release at
+        <ulink url='https://github.com/lfs-book/make-ca/releases'>the
+        release page</ulink> if this issue happens.
+      </para>
+    </note>
+
     <bridgehead renderas="sect3">make-ca Dependencies</bridgehead>
 
     <bridgehead renderas="sect4">Required</bridgehead>