Hi Reinhard,

Presumably the many other affected packages have had similar difficulty in
developing a comprehensive solution? I also wasn't aware of a time
constraint. Not that it would have helped me much, as I was moving house,
but it would have been good to know that there was a risk of not making
Debian 10.

I could create a special branch with a cut-down version of the solution,
e.g. forcing the SecurityLevel to -1 (compatibility and warn) for the time
being, in order to get the fix out in time for Debian 10, and then put the
full version into backports?

Thanks, Chris.

On Fri, 31 May 2019 at 12:16, Reinhard Tartler <siret...@gmail.com> wrote:

> Hi Chris,
>
> On Sun, May 19, 2019 at 12:21 PM Chris Wilson <chris+goo...@qwirx.com>
> wrote:
>
>> Hi Reinhard and all,
>>
>> Good news, I have just finished fixing this problem, and merged it into
>> master with https://github.com/boxbackup/boxbackup/pull/36. Please could
>> you cut a new Debian package release and see if the tests pass for you? Or
>> if not, point me to the failure logs?
>>
>> If anyone wants to know more, the issue is quite complex, and there are
>> no easy answers, which is why it took so long to fix. I've done my best to
>> describe it at
>> https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates. Please
>> feel free to correct any mistakes that I've made.
>>
>
> Thanks a lot for your assistance!
>
> I've now (finally) uploaded the package to debian/experimental, the build
> logs will be available at
> https://buildd.debian.org/status/package.php?p=boxbackup&suite=experimental
>  soon.
>
> Unfortunately, the changes are quite invasive and do not qualify for
> inclusion into "Debian testing" this late in the Debian release cycle (cf.
> https://salsa.debian.org/debian/boxbackup/commit/6017757bc079f4446aa77bc5c0855c52741280f4?w=1
> - all of which would need to be reviewed and approved by the Release Team).
> That's very unfortunate, because it very likely means that boxbackup will
> not be part of Debian 10 (buster).
>
> I am also sympathetic -- the nature of the issue seems to require such
> invasive changes and coming up with a simple, focused and reviewable fix is
> super hard.
>
> The best that we can do at this point is to get it included into
> "buster-backports" as soon as that suite opens, probably shortly after
> buster is released, which should be within (hopefully) a small number of
> weeks.
>
>
> Best,
> -rt
>
> --
> regards,
>     Reinhard
>
