Stable Upgrade: Need Advice
Hello Release Team, SRMs,
I need some advice about what course of action to take with the
certbot suite of packages. (rel.d.o bug 887399).
Right now, the version that's in stable is partially non-functional
due to a security bug fixed upstream by blacklisting the only
challenge mechanism that the software supports. (Specifically, the
nginx and apache plugins don't work; people using the webroot or
standalone modes can still renew and get new certificates.)
There are basically three ways I see of getting out of this problem:
1. Backport 0.21.1 to stable. This is the course of action I think
I'd personally like to see; I'd be OK with unwinding the changes that
I made to switch to py3 to reduce the amount of change that we're
making in stable, but it's still a fairly large jump.
2. RM the version out of stable completely, and tell people to use
stretch-backports if they want to use certbot. Not a great solution,
but the version in stable right now should probably be considered
RC-buggy.
3. Attempt to backport the HTTP-01 changes to 0.10.2. This is a
large amount of work, and I realistically don't have the time to do
it. Upstream isn't interested in doing this work either, so we'd be
somewhat out on a limb on our own with a security-sensitive piece of
software.
Please let me know if there's clarification I can make; I'm honestly
not sure how to strike the balance here.
Thanks!
--
Harlan Lieberman-Berg
~hlieberman