It's my understanding that is about generating the .iso file from the .deb files, not about generating the .deb files from source. Generating .deb from source in a reproducible way is still a work in progress.
For the major browsers, this probably makes little difference, but for anything else, this will most likely result in not verifying the revocation status of certificates anymore or making things slower.
As far as I know, most browser vendors already download the CRLs, and then update the browsers based on what they downloaded. For instance, Firefox seems to be using CRLite. There is a lack of support for something like that in the non-major browsers and non-browsers. The alternative they have is to download the CRL instead of the OCSP reply, which is larger, probably making things slower. Or they could just not check the status, which is most likely what will happen.
CRLite changes the failure mode of the status check: it no longer just ignores errors in downloading the status information.
I did some research a while ago into ensuring up to date CRLs for a non-browser use case. Besides the problem of the massive size of CRLs, I couldn't find good tools for automatic updates across all trusted CRLs.
My conclusion was that it isn't really practical unless you only trust one or two CAs.
Making something like CRLite more like a standard seems worthwhile. I looked at the Mozilla bits but AFAICT there’s not much if any documentation of the low-level bits and pieces.
C2 is error detection, not correction. C1 is the error correction. I think what Wikipedia is trying to say is that the C2 error detection just points out something is wrong, even after the C1 error correction, and so you can't fix it. But a data CD has additional error correction, so it can correct more errors.
An audio CD has 2352 audio bytes per sector. The sector also contains C1 error correction and C2 error detection.
On a data CD, those 2352 bytes are split into 2048 data bytes, plus an additional 4 error detection, 276 error correction, plus some other bytes including an address. So there is an extra layer of error correction.
You're pointing to one of the other security issues for which a fix was released today.