Re: The Difference between debcheckout and dgit and what they try to accomplish

To: Russ Allbery <rra@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: The Difference between debcheckout and dgit and what they try to accomplish
From: Sam Hartman <hartmans@debian.org>
Date: Wed, 19 Jun 2019 12:53:13 -0400
Message-id: <[🔎] tsl36k5y0sm.fsf@suchdamage.org>
In-reply-to: <[🔎] 87muidcyml.fsf@hope.eyrie.org> (Russ Allbery's message of "Wed, 19 Jun 2019 09:45:38 -0700")
References: <[🔎] tslwohl8hg0.fsf@suchdamage.org> <[🔎] 23814.51605.807245.567676@chiark.greenend.org.uk> <[🔎] tslh88p844s.fsf@suchdamage.org> <[🔎] 20190617045305.GA23375@alf.mars> <[🔎] 20190617054439.n266jcxyv6v5tlrq@an3as.eu> <[🔎] 20190617162105.GA19788@alf.mars> <[🔎] 87blyvth38.fsf@zephyr.silentflame.com> <[🔎] 23818.12611.56193.200708@chiark.greenend.org.uk> <[🔎] 20190619155144.GA11415@riva.ucam.org> <[🔎] 87muidcyml.fsf@hope.eyrie.org>

>>>>> "Russ" == Russ Allbery <rra@debian.org> writes:

    Russ> Colin Watson <cjwatson@debian.org> writes:
    >> Is it at all likely that the ftpmaster api service might migrate
    >> away from Let's Encrypt at this point?  I would assume probably
    >> not.  In that case, you could at least make the situation
    >> substantially better with no further DSA work required by pinning
    >> the appropriate LE root certificate in dgit.

    Russ> debian.org already publishes a CAA record, which conveys that
    Russ> information (although has its own verification concerns, but I
    Russ> think debian.org is using DNSSEC so you can verify the record
    Russ> that way).  It says that all debian.org hosts will only use
    Russ> certificates from either LE or Amazon:

Russ, you may be more up to date on webpki than I am.
Does that say anything about which root letsencrypt will chain to?
I.E. can letsencrypt change what their chain looks like?

Reply to:

Follow-Ups:
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Russ Allbery <rra@debian.org>

References:
- The Difference between debcheckout and dgit and what they try to accomplish
  - From: Sam Hartman <hartmans@debian.org>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Sam Hartman <hartmans@debian.org>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Andreas Tille <andreas@an3as.eu>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Colin Watson <cjwatson@debian.org>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: The Difference between debcheckout and dgit and what they try to accomplish
Next by Date: Re: The Difference between debcheckout and dgit and what they try to accomplish
Previous by thread: Re: The Difference between debcheckout and dgit and what they try to accomplish
Next by thread: Re: The Difference between debcheckout and dgit and what they try to accomplish
Index(es):
- Date
- Thread