Bug#863453: unblock: acmetool/0.0.59-1
Hi,
On Tue, May 30, 2017 at 08:45:26AM -0400, Peter Colberg wrote:
> Control: tag -1 - moreinfo
>
> On Mon, May 29, 2017 at 01:11:47PM +0100, Jonathan Wiltshire wrote:
> > None of these issues seem to have corresponding BTS bugs. If they did,
> > which severity would you choose? (hint: if they're not at least
> > 'serious'...)
>
> I would assign the following severities:
>
> * Validate hostnames in 'acmetool want' [1]
>
> Severity: normal
>
> This improves the error handling when the user passes an invalid host name.
>
> https://github.com/hlandau/acme/issues/204
>
> * Allow environment variables to be passed to challenge hooks [2]
>
> Severity: normal
>
> https://github.com/hlandau/acme/issues/166

These would be nice in the long term, but I don't really think they're
critical right now.

> * Allow acmeapi to obtain new nonces if nonce pool is depleted [3]
>
> Severity: important
>
> This fixes a potential failure to acquire certificates.
>
> https://github.com/hlandau/acme/issues/214

Let's assume that if the Let's Encrypt responder is giving you 503s, it's
game over anyway.

> * Don't attempt fdb permission tests on non-cgo builds [4]
>
> Severity: serious
>
> This fixes an FTBFS on architectures using gcc-go.

Does this actually affect stretch builds, or just architectures outside
those?

> https://github.com/hlandau/acme/issues/219
>
> * Add read/write timeouts to redirector server [5]
>
> Severity: serious
>
> This fixes a denial-of-service in the HTTP-to-HTTPS redirector.

Is this likely, given there is only really one set of (probably
well-behaved) clients in the real world? Possibly I've misunderstood the
purpose of this redirector.

> * Allow hidden files within the state directory [6]
>
> Severity: important
>
> This ignores dot files in /var/lib/acme, e.g., .git/.
>
> https://github.com/hlandau/acme/issues/153

This might be a bit noisy, but it's not a show-stopper, is it?

I'm erring on the side of deferring all of these and cherry-picking them if
real-world issues get reported for stable. It's an awful lot of changes for
this late in the process and not really suitable.

Thanks,
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51