In case we have a git clone from Linux that is accessed via cygwin git
the files executable status will be derived from the file content (shebang)
and won't match the git repo, leading to a initially dirty tree.
This can be worked around by setting "core.filemode=false", but let's try
to match the cygwin permissions with the in-repo permissions so this isn't
needed.
Let's encrypt signs current certificates based on their root
certificate "ISRG Root X1". They provide two different versions
of "ISRG Root X1", though. One is self-signed using "ISRG Root X1"
and one is cross-signed using "DST Root CA X3" [1]. Some systems
still distribute certificate chains with the cross-signed version.
"DST Root CA X3" expired on 2021-09-30. This can lead to valid
certificates being considered invalid on devices with the expired
certificate still in their CA certificate bundle.
Ubuntu[2] and RedHat[3][4] recently dropped this certificates from their
`ca-certificates` packages for the same reasons.
The blacklist code in certdata2pem is copied from the debian version
of the file as it comes with ca-certificates_20210119.tar.xz.
[1] https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021
[2] https://ubuntu.com/security/notices/USN-5089-1
[3] https://access.redhat.com/errata/RHBA-2021:3649
[4] https://access.redhat.com/articles/6338021
