Re: The Difference between debcheckout and dgit and what they try to accomplish

To: debian-devel@lists.debian.org
Subject: Re: The Difference between debcheckout and dgit and what they try to accomplish
From: Russ Allbery <rra@debian.org>
Date: Wed, 19 Jun 2019 09:45:38 -0700
Message-id: <[🔎] 87muidcyml.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20190619155144.GA11415@riva.ucam.org> (Colin Watson's message of "Wed, 19 Jun 2019 16:51:44 +0100")
References: <[🔎] tslwohl8hg0.fsf@suchdamage.org> <[🔎] 23814.51605.807245.567676@chiark.greenend.org.uk> <[🔎] tslh88p844s.fsf@suchdamage.org> <[🔎] 20190617045305.GA23375@alf.mars> <[🔎] 20190617054439.n266jcxyv6v5tlrq@an3as.eu> <[🔎] 20190617162105.GA19788@alf.mars> <[🔎] 87blyvth38.fsf@zephyr.silentflame.com> <[🔎] 23818.12611.56193.200708@chiark.greenend.org.uk> <[🔎] 20190619155144.GA11415@riva.ucam.org>

Colin Watson <cjwatson@debian.org> writes:

> Is it at all likely that the ftpmaster api service might migrate away
> from Let's Encrypt at this point?  I would assume probably not.  In that
> case, you could at least make the situation substantially better with no
> further DSA work required by pinning the appropriate LE root certificate
> in dgit.

debian.org already publishes a CAA record, which conveys that information
(although has its own verification concerns, but I think debian.org is
using DNSSEC so you can verify the record that way).  It says that all
debian.org hosts will only use certificates from either LE or Amazon:

gwaihir:~$ host -t caa debian.org
debian.org has CAA record 0 iodef "mailto:dsa@debian.org";
debian.org has CAA record 128 issuewild ";"
debian.org has CAA record 128 issue "letsencrypt.org"
debian.org has CAA record 128 issue "amazon.com"

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Sam Hartman <hartmans@debian.org>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Ansgar Burchardt <ansgar@43-1.org>

References:
- The Difference between debcheckout and dgit and what they try to accomplish
  - From: Sam Hartman <hartmans@debian.org>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Sam Hartman <hartmans@debian.org>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Andreas Tille <andreas@an3as.eu>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Re: binutils security support (Re: fixing debian-security-support upgrades from stretch (for good))
Next by Date: Re: The Difference between debcheckout and dgit and what they try to accomplish
Previous by thread: Re: The Difference between debcheckout and dgit and what they try to accomplish
Next by thread: Re: The Difference between debcheckout and dgit and what they try to accomplish
Index(es):
- Date
- Thread