Re: The Difference between debcheckout and dgit and what they try to accomplish

To: debian-devel@lists.debian.org
Subject: Re: The Difference between debcheckout and dgit and what they try to accomplish
From: Ansgar Burchardt <ansgar@43-1.org>
Date: Thu, 20 Jun 2019 00:09:50 +0200
Message-id: <[🔎] 87a7ed6xch.fsf@43-1.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 87muidcyml.fsf@hope.eyrie.org> (Russ Allbery's message of "Wed, 19 Jun 2019 09:45:38 -0700")
References: <[🔎] tslwohl8hg0.fsf@suchdamage.org> <[🔎] 23814.51605.807245.567676@chiark.greenend.org.uk> <[🔎] tslh88p844s.fsf@suchdamage.org> <[🔎] 20190617045305.GA23375@alf.mars> <[🔎] 20190617054439.n266jcxyv6v5tlrq@an3as.eu> <[🔎] 20190617162105.GA19788@alf.mars> <[🔎] 87blyvth38.fsf@zephyr.silentflame.com> <[🔎] 23818.12611.56193.200708@chiark.greenend.org.uk> <[🔎] 20190619155144.GA11415@riva.ucam.org> <[🔎] 87muidcyml.fsf@hope.eyrie.org>

Russ Allbery writes:
> Colin Watson writes:
>> Is it at all likely that the ftpmaster api service might migrate away
>> from Let's Encrypt at this point?  I would assume probably not.  In that
>> case, you could at least make the situation substantially better with no
>> further DSA work required by pinning the appropriate LE root certificate
>> in dgit.
>
> debian.org already publishes a CAA record, which conveys that information
> (although has its own verification concerns, but I think debian.org is
> using DNSSEC so you can verify the record that way).  It says that all
> debian.org hosts will only use certificates from either LE or Amazon:

The CAA record does not indicate a future commitment and could change at
any time.  If you want to rely on debian.org to use some specific CAs,
you would have to ask DSA.

(Nor does the CAA record indicate that all currently valid certificates
must come from the listed CAs; the CAA record could have been different
when those were issued.)

Ansgar

Reply to:

References:
- The Difference between debcheckout and dgit and what they try to accomplish
  - From: Sam Hartman <hartmans@debian.org>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Sam Hartman <hartmans@debian.org>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Andreas Tille <andreas@an3as.eu>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Colin Watson <cjwatson@debian.org>
- Re: The Difference between debcheckout and dgit and what they try to accomplish
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: The Difference between debcheckout and dgit and what they try to accomplish
Next by Date: Programs contain ads - acceptable for packaging for Debian?
Previous by thread: Re: The Difference between debcheckout and dgit and what they try to accomplish
Next by thread: Re: The Difference between debcheckout and dgit and what they try to accomplish
Index(es):
- Date
- Thread