> + certs = CERT_CreateSubj ectCertList (NULL, handle, &cert->derSubject,
Doesn't this need a return value test? AFAICT, CERT_CreateSubjectCertList might return NULL, and CERTLIST_HEAD (certs) will unconditionally look up a member? There's a second instance of this pattern in print_trusted_certificates().
However, since the postinst only calls nss-database-pem-exporter from inside import_nss_ca_certs(), the "set -e" won't have any effect there, so I think this is OK in practice. I'd normally ask for more explicit error handling (or at least comments in the postinst) but since this migration code will only exist in this SRU, I think it's OK to leave it as-is.
> + if dpkg --compare-versions "$2" lt-nl 2.2.3-3ubuntu0.2; then
Doesn't this now need bumping to 0.4? The current version in focal-updates is 2.2.3-3ubuntu0.3. Otherwise I think the upgrade path won't activate for anyone already on 2.2.3-3ubuntu0.2 or 2.2.3-3ubuntu0.3?