Bug#887399: stretch-pu: package python-certbot/0.10.2-1



Control: tag -1 moreinfo

On Mon, Jan 15, 2018 at 18:04:59 -0500, Harlan Lieberman-Berg wrote:

> Due to a security issue in the underlying Let's Encrypt protocol, one of the main methods of getting certificates from Let's Encrypt has been disabled (the TLS-SNI-01 protocol; https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new-issuance/50316 for more info).
> 
> This puts us in a bit of an awkward spot.  The upstream certbot provider is preparing to do a new release that has support for HTTP-01 inside the python-certbot-apache and python-certbot-nginx plugins, as well as the required work in python-acme and python-certbot (and certbot), but I'm not sure backporting the patches is realistic.  A lot of development has been done in the interim, both in the certbot packaging and in the upstream software.  Without those patches, users with the apache or nginx plugins will fail to update their certificates starting 2018-04-09.
> 
> I can talk to the certbot upstream to see if they'd be willing to help backport the patches (CCed), but initial conversations seem to indicate that doing so will be difficult.
> 
> The other approach that we can take is to backport the next version that supports the new challenge through to s-p-u and into stable.  I'm guessing that you will ask me to unwind the work I did to convert to python3 in the last release (sadface), but I can do that if that's what it needs to get this fixed in stable.
> 
I'm not sure that'd be wise, if it would mean shipping something
untested.  To me, the workable alternatives seem to be to either remove
those packages from stable, or update them to a current version.  At
least the 0.21 packages have presumably had some testing in
stretch-backports.  The switches to python 3 and debhelper 11 are
unfortunate, and at least the latter would need to be reverted.  I'm
worried about local scripts or other integration using python2 and
breaking if we were to move certbot to python3; how likely is that?  On
the other hand, I guess if they're still using the package from stable
it's going to break on them soon anyway.

What is the minimal set of source packages that we would need to update?
Is it python-acme, python-certbot, python-certbot-apache and
python-certbot-nginx?

Cheers,
Julien