
Bug#1070856: bookworm-pu: package riseup-vpn/0.21.11+ds1-5+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: riseup-vpn@packages.debian.org, nilesh@debian.org
Control: affects -1 + src:riseup-vpn
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
The bug was introduced by a change in the external services that riseup-vpn
interacts with (riseup's servers): the client fails to identify their Let's Encrypt certs.

Full details at Bug#1070270

[ Impact ]
The package is rendered unusable: the user is not able to run riseup-vpn
and connect to the VPN.

[ Tests ]
Tried this on a fresh stable VM from multiple different angles.
This has also been tried on a stable user's machine and the problem is verified
to have been fixed.

[ Risks ]
This is a leaf package and the changes are fairly minimal. Very low risk to stable.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
     Add a patch to fix up client verification problems with
     riseup-vpn, which otherwise render the package useless.
     At the moment, the current code is unable to identify the
     Let's Encrypt certs. Use the system cert pool for this and create
     a new cert pool as a fallback. Also add a Depends on ca-certificates
     in d/control for the same reason.

[ Other info ]
Since this is a leaf package and the breakage is due to external services, this may be a
candidate for the stable-updates suite as per https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-the-stable-updates-suite

> Examples of circumstances in which the upload may qualify for such treatment are:
> ...
> Uploads to stable-updates should target their suite name in the changelog as usual, e.g. bookworm.

Since I was confident that this should be accepted, I did a (source-only) dput/upload.

diff -Nru riseup-vpn-0.21.11+ds1/debian/changelog riseup-vpn-0.21.11+ds1/debian/changelog
--- riseup-vpn-0.21.11+ds1/debian/changelog	2023-03-09 09:51:22.000000000 +0530
+++ riseup-vpn-0.21.11+ds1/debian/changelog	2024-05-10 20:13:39.000000000 +0530
@@ -1,3 +1,15 @@
+riseup-vpn (0.21.11+ds1-5+deb12u1) bookworm; urgency=medium
+
+  * Add patch to fixup client verification problems with
+    riseup-vpn which renders the package useless otherwise.
+    At the moment, the current code is unable to identify the
+    letsencrypt certs. Used a systempool for the same and create
+    a newcertpool as a fallback. Also added a Depends in d/control
+    for ca-certificates for the same reason.
+    (Closes: #1070270)
+
+ -- Nilesh Patra <nilesh@debian.org>  Fri, 10 May 2024 20:13:39 +0530
+
 riseup-vpn (0.21.11+ds1-5) unstable; urgency=medium
 
   * Add procps, iproute2 and iptables to Depends (Closes: #1031905)
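Review bot: the changelog entry does not record where the fix comes from; the patch it adds carries upstream commit 14cf64b10a97c29688f252a7d9d3481c8484aa1d, and naming it here (e.g. "Cherry-pick upstream commit 14cf64b1 to use the system cert pool") makes the stable update traceable without opening the patch. "systempool" and "newcertpool" read like identifiers but are neither; the calls are x509.SystemCertPool and x509.NewCertPool, so either name them or write "the system cert pool" and "an empty cert pool".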
diff -Nru riseup-vpn-0.21.11+ds1/debian/control riseup-vpn-0.21.11+ds1/debian/control
--- riseup-vpn-0.21.11+ds1/debian/control	2023-03-09 09:51:22.000000000 +0530
+++ riseup-vpn-0.21.11+ds1/debian/control	2024-05-10 20:13:39.000000000 +0530
@@ -52,6 +52,7 @@
 Architecture: any
 Depends: ${shlibs:Depends},
          ${misc:Depends},
+         ca-certificates,
          iproute2,
          iptables,
          pkexec,
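Review bot: a hard Depends on ca-certificates, rather than Recommends, is the right strength here, and it is the only thing guaranteeing the Let's Encrypt roots are present: on Linux, Go's x509.SystemCertPool returns an empty pool with a nil error when /etc/ssl/certs is simply missing, so the fallback branch in the patch never fires and the client would quietly keep trusting only the pinned config.CaCert. Worth stating that reason in the changelog entry, since the dependency otherwise looks unrelated to a verification bug.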
diff -Nru riseup-vpn-0.21.11+ds1/debian/patches/add-system-certs.patch riseup-vpn-0.21.11+ds1/debian/patches/add-system-certs.patch
--- riseup-vpn-0.21.11+ds1/debian/patches/add-system-certs.patch	1970-01-01 05:30:00.000000000 +0530
+++ riseup-vpn-0.21.11+ds1/debian/patches/add-system-certs.patch	2024-05-10 20:13:39.000000000 +0530
@@ -0,0 +1,27 @@
+From 14cf64b10a97c29688f252a7d9d3481c8484aa1d Mon Sep 17 00:00:00 2001
+From: max b <bittmanmax@gmail.com>
+Date: Wed, 8 Mar 2023 12:41:45 -0800
+Subject: [PATCH] Add system certs to bonafide
+
+lilypad/float is now using letsencrypt certs for vpnweb so instead of
+instantiating an empty cert pool, we can just use the system pool and
+then add the manually configured cert for backwards compatibility.
+---
+ pkg/vpn/bonafide/bonafide.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/pkg/vpn/bonafide/bonafide.go
++++ b/pkg/vpn/bonafide/bonafide.go
+@@ -94,7 +94,11 @@
+ 
+ // New Bonafide: Initializes a Bonafide object. By default, no Credentials are passed.
+ func New() *Bonafide {
+-	certs := x509.NewCertPool()
++	certs, err := x509.SystemCertPool()
++	if err != nil {
++		log.Println("Error loading SystemCertPool, falling back to empty pool")
++		certs = x509.NewCertPool()
++	}
+ 	certs.AppendCertsFromPEM(config.CaCert)
+ 	client := &http.Client{
+ 		Transport: &http.Transport{
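Review bot: the change at `certs, err := x509.SystemCertPool()` widens the trust anchors for the bonafide API client from the single pinned config.CaCert to every CA in the system store plus that cert. That is the intended trade-off now that the API is served with Let's Encrypt certificates, but it is a security-relevant property change and the patch description should say so rather than only "we can just use the system pool". The fallback only triggers when SystemCertPool returns an error; an empty system store yields an empty pool and no error, so the "falling back to empty pool" log line will not appear in the common failure case (no ca-certificates installed). The context lines do not show the import block, so confirm bonafide.go already imports "log". For DEP-3, consider adding `Origin: upstream, https://0xacab.org/leap/bitmask-vpn/-/commit/14cf64b10a97c29688f252a7d9d3481c8484aa1d` (assuming that is the upstream repository) and `Bug-Debian: https://bugs.debian.org/1070270` above the From: line.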
diff -Nru riseup-vpn-0.21.11+ds1/debian/patches/series riseup-vpn-0.21.11+ds1/debian/patches/series
--- riseup-vpn-0.21.11+ds1/debian/patches/series	2023-02-26 02:39:10.000000000 +0530
+++ riseup-vpn-0.21.11+ds1/debian/patches/series	2024-05-10 20:13:39.000000000 +0530
@@ -3,3 +3,4 @@
 skip-tests-with-postreq.patch
 fix-non-eng-locales.patch
 more-polkit-proc.patch
+add-system-certs.patch

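The trust-pool change in the patch above, as an added stand-alone example (not code from riseup-vpn or bitmask-vpn): PoolWithPin mirrors the patched New() in bonafide.go by starting from x509.SystemCertPool, falling back to an empty pool only when that call errors, and then appending a pinned CA. MakeTestChain builds a throwaway CA plus a leaf signed by it so the behaviour can be exercised offline; the CA PEM stands in for config.CaCert and the leaf for what the API server would present. All names (PoolWithPin, VerifyServerCert, MakeTestChain, api.example.test) are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"time"
)

// PoolWithPin follows the pattern used by the patch: start from the system
// trust store when it loads, fall back to an empty pool when it does not,
// then append the pinned provider CA so the previously pinned chain still
// verifies. The bool reports whether the system store was loaded; note that
// on Linux a missing /etc/ssl/certs gives an empty pool with a nil error.
func PoolWithPin(pinnedCA []byte) (*x509.CertPool, bool) {
	pool, err := x509.SystemCertPool()
	fromSystem := err == nil
	if err != nil {
		log.Println("system cert pool unavailable, falling back to empty pool:", err)
		pool = x509.NewCertPool()
	}
	if !pool.AppendCertsFromPEM(pinnedCA) {
		log.Println("pinned CA did not parse; only system roots (if any) are trusted")
	}
	return pool, fromSystem
}

// VerifyServerCert checks a server's leaf certificate (PEM) against roots for
// the given hostname, the same check crypto/tls performs during a handshake.
func VerifyServerCert(roots *x509.CertPool, leafPEM []byte, host string) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return fmt.Errorf("no PEM block in leaf certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// MakeTestChain builds a throwaway CA and a leaf for host signed by it.
// Constructed test material only; keys are generated fresh on every run.
func MakeTestChain(host string) (caPEM, leafPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Test pinned provider CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return caPEM, leafPEM, nil
}

func main() {
	caPEM, leafPEM, err := MakeTestChain("api.example.test")
	if err != nil {
		log.Fatal(err)
	}
	pool, fromSystem := PoolWithPin(caPEM)
	fmt.Println("system roots loaded:", fromSystem)
	fmt.Println("pinned chain, merged pool:", VerifyServerCert(pool, leafPEM, "api.example.test"))
	fmt.Println("pinned chain, empty pool: ", VerifyServerCert(x509.NewCertPool(), leafPEM, "api.example.test"))
}
```

The merged pool accepts the pinned chain whether or not the system store loaded, which is the backwards-compatibility property the upstream commit message describes; the empty pool rejects it with an unknown-authority error, which is what the unpatched client saw once the API moved to Let's Encrypt. The flip side is visible in the same call: with the merged pool, any system-trusted CA could also issue a certificate for the API host, so the client is no longer pinned to one issuer.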