Bug#907135: [Box Backup] Debian now requires 2048bit RSA keys

To: Reinhard Tartler <siretart@gmail.com>

Cc: Chris Wilson <chris+google@qwirx.com>, Box Backup <boxbackup@boxbackup.org>, 907135@bugs.debian.org

Subject: Bug#907135: [Box Backup] Debian now requires 2048bit RSA keys

From: Chris Wilson <chris+google@qwirx.com>

Date: Thu, 6 Jun 2019 00:45:42 +0100

Message-id: <[🔎] CAOg7f80Qwwv74w5LdodK9R9cf=mdSogTgB7b+9PM2WF+tOujiQ@mail.gmail.com>

Reply-to: Chris Wilson <chris+google@qwirx.com>, 907135@bugs.debian.org

In-reply-to: <CAJ0ccea9brbK+dExkCr-aDDLAhVN9VXzgp9UM-KzcFEfAvLqCQ@mail.gmail.com>

References: <CAJ0cceZeyTQchRgmuD_+oT4bAXxawGJwYfTcXF3fgtUdauK0Zg@mail.gmail.com> <CAOg7f83Kx7CzaHQeOfebQm_CgYn9pncbtF7GJrZiXnMR1QnMKQ@mail.gmail.com> <CAJ0cceZT+bO=eocQBz3w9jKiH9mzFF6=9nVV1hH111zZD0A3Jg@mail.gmail.com> <CAOg7f82=L4roj72-5h_MX8v5ek3emT2H08f3V0q7cag19XPXJg@mail.gmail.com> <CAJ0cceZinrGBwKcqJjjorN_yaRNg2MJUW0u69gEzsvQH0-JUwA@mail.gmail.com> <CAOg7f80ECWfpHGm6Rau1-9SLZ2vOZyEJnCKGFD8+bZLEXrmdqw@mail.gmail.com> <CAJ0cceZPdn-DNrzAwKttN-z+rymOa7bbqk_9hMPtq-ixP5nfSw@mail.gmail.com> <CAOg7f82fx8_Z7uXxRW8RowJfecu24asksHNHG4-KXj6qYOVnPQ@mail.gmail.com> <CAJ0ccea9brbK+dExkCr-aDDLAhVN9VXzgp9UM-KzcFEfAvLqCQ@mail.gmail.com> <153509781359.14425.9739764818059750522.reportbug@localhost>

Hi Reinhard,

Could you have a look at this patch (documented here) to see if it's something like what you were hoping for?

Thanks, Chris.

On Fri, 31 May 2019 at 22:55, Reinhard Tartler <siretart@gmail.com> wrote:

On Fri, May 31, 2019 at 5:03 PM Chris Wilson <chris+google@qwirx.com> wrote:
Hi Reinhard,

Presumably the many other affected packages have had similar difficulty in developing a comprehensive solution? I also wasn't aware of a time constraint. Not that it would have helped me much, as I was moving house, but it would have been good to know that there was a risk of not making Debian 10.

I'm sorry, I should have communicated that point earlier. I've been bitten by this with other packages as well.
The release schedule is documented here: https://wiki.debian.org/DebianBuster
The most recent update from the release team is https://lists.debian.org/debian-devel-announce/2019/04/msg00003.html - and newer updates will be linked from https://release.debian.org/.

In short: The team is minimizing changes as much as possible, and getting updates in becomes more and more a similar big deal as updating something in stable.

I could create a special branch with a cut-down version of the solution, e.g. forcing the SecurityLevel to -1 (compatibility and warn) for the time being, in order to get the fix out in time for Debian 10, and then put the full version into backports?

That would be amazing, if the patch is easy to review, I'd be happy to upload it as a distro patch based on the current package and try to get this approved by the release team. It might even be accepted as a stable update, depending on how invasive it is.

Thanks,
-rt

Reply to: