Hello Release Team, SRMs,

I need some advice about what course of action to take with the
certbot suite of packages. (rel.d.o bug 887399).

Right now, the version that's in stable is partially non-functional
due to a security bug fixed upstream by blacklisting the only
challenge mechanism that the software supports.  (Specifically, the
nginx and apache plugins don't work; people using the webroot or
standalone modes can still renew and get new certificates.)

There are basically three ways I see of getting out of this problem:

1.  Backport 0.21.1 to stable.  This is the course of action I think
I'd personally like to see; I'd be OK with unwinding the changes that
I made to switch to py3 to reduce the amount of change that we're
making in stable, but it's still a fairly large jump.
2.  RM the version out of stable completely, and tell people to use
stretch-backports if they want to use certbot.  Not a great solution,
but the version in stable right now should probably be considered
RC-buggy.
3.  Attempt to backport the HTTP-01 changes to 0.10.2.  This is a
large amount of work, and I realistically don't have the time to do
it.  Upstream isn't interested in doing this work either, so we'd be
somewhat out on a limb on our own with a security-sensitive piece of
software.

Please let me know if there's clarification I can make; I'm honestly
not sure how to strike the balance here.

Thanks!
-- 
Harlan Lieberman-Berg
~hlieberman
