Bug#863453: unblock: acmetool/0.0.59-1
Hi,

On Tue, May 30, 2017 at 08:45:26AM -0400, Peter Colberg wrote:
> Control: tag -1 - moreinfo
>
> On Mon, May 29, 2017 at 01:11:47PM +0100, Jonathan Wiltshire wrote:
> > None of these issues seem to have corresponding BTS bugs. If they did,
> > which severity would you choose? (hint: if they're not at least
> > 'serious'...)
>
> I would assign the following severities:
>
> * Validate hostnames in 'acmetool want' [1]
>
> Severity: normal
>
> This improves the error handling when the user passes an invalid host
> name.
>
> https://github.com/hlandau/acme/issues/204
>
> * Allow environment variables to be passed to challenge hooks [2]
>
> Severity: normal
>
> https://github.com/hlandau/acme/issues/166

These would be nice in the long term, but I don't really think they're
critical right now.

> * Allow acmeapi to obtain new nonces if nonce pool is depleted [3]
>
> Severity: important
>
> This fixes a potential failure to acquire certificates.
>
> https://github.com/hlandau/acme/issues/214

Let's assume that if the Let's Encrypt responder is giving you 503s, it's
game over anyway.

> * Don't attempt fdb permission tests on non-cgo builds [4]
>
> Severity: serious
>
> This fixes an FTBFS on architectures using gcc-go.

Does this actually affect stretch builds, or just architectures outside
those?

> https://github.com/hlandau/acme/issues/219
>
> * Add read/write timeouts to redirector server [5]
>
> Severity: serious
>
> This fixes a denial-of-service in the HTTP-to-HTTPS redirector.

Is this likely, given there is only really one set of (probably
well-behaved) clients in the real world? Possibly I've misunderstood the
purpose of this redirector.

> * Allow hidden files within the state directory [6]
>
> Severity: important
>
> This ignores dot files in /var/lib/acme, e.g., .git/.
>
> https://github.com/hlandau/acme/issues/153

This might be a bit noisy, but it's not a show-stopper is it?

I'm erring on the side of deferring all of these and cherry-picking them
if real-world issues get reported for stable. It's an awful lot of
changes for this late in the process and not really suitable.

Thanks,

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3  5394 479D D352 4C51
Bug#863453: unblock: acmetool/0.0.59-1
Control: tag -1 - moreinfo

On Mon, May 29, 2017 at 01:11:47PM +0100, Jonathan Wiltshire wrote:
> None of these issues seem to have corresponding BTS bugs. If they did,
> which severity would you choose? (hint: if they're not at least
> 'serious'...)

I would assign the following severities:

* Validate hostnames in 'acmetool want' [1]

Severity: normal

This improves the error handling when the user passes an invalid host
name.

https://github.com/hlandau/acme/issues/204

* Allow environment variables to be passed to challenge hooks [2]

Severity: normal

https://github.com/hlandau/acme/issues/166

* Allow acmeapi to obtain new nonces if nonce pool is depleted [3]

Severity: important

This fixes a potential failure to acquire certificates.

https://github.com/hlandau/acme/issues/214

* Don't attempt fdb permission tests on non-cgo builds [4]

Severity: serious

This fixes an FTBFS on architectures using gcc-go.

https://github.com/hlandau/acme/issues/219

* Add read/write timeouts to redirector server [5]

Severity: serious

This fixes a denial-of-service in the HTTP-to-HTTPS redirector.

* Allow hidden files within the state directory [6]

Severity: important

This ignores dot files in /var/lib/acme, e.g., .git/.

https://github.com/hlandau/acme/issues/153

I strongly believe the users of the acmetool package would be best
served by Debian if all of the above fixes were included in stretch.

Regards,
Peter

[1] https://github.com/hlandau/acme/commit/96126c04eb76c1921127731ea3ae562a67459b2d
[2] https://github.com/hlandau/acme/commit/c8f5d91e3b1d5fab90fda1298a65f5f283555097
[3] https://github.com/hlandau/acme/commit/a087733bf7567b224b8d192e2747f794fc93a27c
[4] https://github.com/hlandau/acme/commit/ca02f4791ab63b92907c2dfcf7d1f9a1f62b7b87
[5] https://github.com/hlandau/acme/commit/b9637d98466b45de1b7fc848474d1fc10ef60667
[6] https://github.com/hlandau/acme/commit/677aa28007341961102375d45857e26fac149e80
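Item [5] above is about read/write timeouts in the HTTP-to-HTTPS redirector. The following is an added illustration, not acmetool's own code: a minimal Go redirector of that kind with the server-side timeouts that stop a client from holding a connection open indefinitely. The timeout values and the loose Host-name pattern are assumptions for this example.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"regexp"
	"time"
)

// The redirect target is built from the client-supplied Host header, so the
// name is checked before it is echoed into Location (assumed loose pattern).
var hostRE = regexp.MustCompile(`^[A-Za-z0-9.-]+$`)
// redirectTarget returns the HTTPS URL for r, or "" when Host is unusable.
func redirectTarget(r *http.Request) string {
	host := r.Host
	if hp, _, err := net.SplitHostPort(host); err == nil {
		host = hp // the redirect must land on 443, not the port we listen on
	}
	if !hostRE.MatchString(host) {
		return ""
	}
	return "https://" + host + r.URL.RequestURI()
}

func redirectHandler(w http.ResponseWriter, r *http.Request) {
	target := redirectTarget(r)
	if target == "" {
		http.Error(w, "bad Host header", http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// NewRedirector carries the denial-of-service fix: without read/write limits a client
// that never finishes its request, or never reads the reply, pins a goroutine and a
// file descriptor for as long as it likes. The values here are assumptions.
func NewRedirector(addr string) *http.Server {
	return &http.Server{
		Addr:         addr,
		Handler:      http.HandlerFunc(redirectHandler),
		ReadTimeout:  10 * time.Second, // headers and body must arrive within this
		WriteTimeout: 10 * time.Second, // client must drain the response within this
		IdleTimeout:  30 * time.Second, // idle keep-alive connections are reaped
	}
}

func main() {
	log.Fatal(NewRedirector(":80").ListenAndServe())
}
```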
Bug#863453: unblock: acmetool/0.0.59-1
Control: tag -1 moreinfo

On Fri, May 26, 2017 at 10:10:57PM -0400, Peter Colberg wrote:
> * Validate hostnames in 'acmetool want' [1]
> * Allow environment variables to be passed to challenge hooks [2]
> * Allow acmeapi to obtain new nonces if nonce pool is depleted [3]
> * Don't attempt fdb permission tests on non-cgo builds [4]
> * Add read/write timeouts to redirector server [5]
> * Allow hidden files within the state directory [6]

None of these issues seem to have corresponding BTS bugs. If they did,
which severity would you choose? (hint: if they're not at least
'serious'...)

Thanks,

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3  5394 479D D352 4C51
Bug#863453: unblock: acmetool/0.0.59-1
Hi Niels,

On Sat, May 27, 2017 at 05:51:00AM +, Niels Thykier wrote:
> Any particular reason why you have waited until now with filing the
> unblock request?

I am writing my PhD thesis and had paused work on Debian. Your latest
message to debian-devel-announce made me realise it is high time to make
an exception for acmetool to be in its best shape for stretch.

Peter
Bug#863453: unblock: acmetool/0.0.59-1
Control: tags -1 moreinfo

Peter Colberg:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Dear Debian Release Team,
>
> [...]

Hi,

> Could you please unblock a new upstream bugfix release of acmetool, a
> client for the Let’s Encrypt TLS certificate authority? This version
> was uploaded to Debian unstable back in February, shortly after the
> beginning of the full freeze [0].

Any particular reason why you have waited until now with filing the
unblock request?

> The release comprises the following bug and usability fixes:
>
> * Validate hostnames in 'acmetool want' [1]
> * Allow environment variables to be passed to challenge hooks [2]
> * Allow acmeapi to obtain new nonces if nonce pool is depleted [3]
> * Don't attempt fdb permission tests on non-cgo builds [4]
> * Add read/write timeouts to redirector server [5]
> * Allow hidden files within the state directory [6]
>
> Regards,
> Peter
>
> [...]

Thanks,
~Niels
Bug#863453: unblock: acmetool/0.0.59-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Debian Release Team,

Please accept my apology for the belated request:

unblock acmetool/0.0.59-1

Could you please unblock a new upstream bugfix release of acmetool, a
client for the Let’s Encrypt TLS certificate authority? This version
was uploaded to Debian unstable back in February, shortly after the
beginning of the full freeze [0].

The release comprises the following bug and usability fixes:

* Validate hostnames in 'acmetool want' [1]
* Allow environment variables to be passed to challenge hooks [2]
* Allow acmeapi to obtain new nonces if nonce pool is depleted [3]
* Don't attempt fdb permission tests on non-cgo builds [4]
* Add read/write timeouts to redirector server [5]
* Allow hidden files within the state directory [6]

Regards,
Peter

[0] https://tracker.debian.org/news/839171
[1] https://github.com/hlandau/acme/commit/96126c04eb76c1921127731ea3ae562a67459b2d
[2] https://github.com/hlandau/acme/commit/c8f5d91e3b1d5fab90fda1298a65f5f283555097
[3] https://github.com/hlandau/acme/commit/a087733bf7567b224b8d192e2747f794fc93a27c
[4] https://github.com/hlandau/acme/commit/ca02f4791ab63b92907c2dfcf7d1f9a1f62b7b87
[5] https://github.com/hlandau/acme/commit/b9637d98466b45de1b7fc848474d1fc10ef60667
[6] https://github.com/hlandau/acme/commit/677aa28007341961102375d45857e26fac149e80

diff -Nru acmetool-0.0.58/.travis/after_success acmetool-0.0.59/.travis/after_success --- acmetool-0.0.58/.travis/after_success 2016-09-03 08:30:08.0 -0400 +++ acmetool-0.0.59/.travis/after_success 2017-02-17 06:26:01.0 -0500 
@@ -32,20 +32,25 @@ # Prepare Ubuntu PPA signing key. echo Preparing Ubuntu PPA signing key... -cd "$ACME_DIR/.travis" -wget -c "https://www.devever.net/~hl/f/gnupg-ppa-data.tar.gz.enc; -openssl enc -d -aes-128-cbc -md sha256 -salt -pass env:PPA_ENCRYPTION_PASS -in "gnupg-ppa-data.tar.gz.enc" -out "gnupg-ppa-data.tar.gz" -tar xvf gnupg-ppa-data.tar.gz -shred -u gnupg-ppa-data.tar.* -cd "$ACME_DIR" +wget -qO ppa-private.asc.enc "https://www.devever.net/~hl/f/ppa-private-${PPA_ENCRYPTION_ID}.asc.enc; +export PPA_ENCRYPTION_ID= +openssl enc -d -aes-128-cbc -md sha256 -salt -pass env:PPA_ENCRYPTION_PASS -in "ppa-private.asc.enc" -out "ppa-private.asc" +export PPA_ENCRYPTION_PASS= +shred -u ppa-private.asc.enc export GNUPGHOME="$ACME_DIR/.travis/.gnupg" +mkdir -p "$GNUPGHOME" +gpg --batch --import < ppa-private.asc +shred -u ppa-private.asc +cat < "$HOME/.devscripts" -DEBSIGN_KEYID="Hugo Landau (2016 PPA Signing)" +DEBSIGN_KEYID="Hugo Landau (2017 PPA Signing) " END -UBUNTU_RELEASES="xenial precise trusty vivid wily" +UBUNTU_RELEASES="precise trusty xenial yakkety zesty vivid" for distro_name in $UBUNTU_RELEASES; do echo Creating Debian source environment for ${distro_name}... $GOPATH/src/github.com/$TRAVIS_REPO_SLUG/.travis/make_debian_env "$GOPATH/releasing/dbuilds/$distro_name" "$GOPATH/releasing/dist/" "$TRAVIS_TAG" "$distro_name" @@ -90,7 +95,7 @@ cat < /tmp/rpm-metadata { "project_id": $COPR_PROJECT_ID, - "chroots": ["fedora-23-i386", "fedora-23-x86_64", "epel-7-x86_64", "fedora-24-i386", "fedora-24-x86_64"] + "chroots": ["fedora-23-i386", "fedora-23-x86_64", "epel-7-x86_64", "fedora-24-i386", "fedora-24-x86_64", "fedora-25-i386", "fedora-25-x86_64", "fedora-26-i386", "fedora-26-x86_64"] } END else diff -Nru acmetool-0.0.58/.travis/boulder.patch acmetool-0.0.59/.travis/boulder.patch --- acmetool-0.0.58/.travis/boulder.patch 2016-09-03 08:30:08.0 -0400 +++ acmetool-0.0.59/.travis/boulder.patch 2017-02-17 06:26:01.0 -0500 
@@ -11,7 +11,7 @@ # If we reach here, a child died early. Log what died: diff --git a/test/config-next/va.json b/test/config-next/va.json -index c237d7f..1336bb5 100644 +index 374ff68..4e701da 100644 --- a/test/config-next/va.json +++ b/test/config-next/va.json @@ -4,7 +4,7 @@ @@ -23,35 +23,42 @@ "httpsPort": 5001, "tlsPort": 5001 }, -@@ -56,4 +56,4 @@ - "dnsTimeout": "10s", - "dnsAllowLoopbackAddresses": true - } --} -\ No newline at end of file -+} diff --git a/test/config/ca.json b/test/config/ca.json -index a4d71c8..9057f6f 100644 +index eb6a2c1..7c6c0e3 100644 --- a/test/config/ca.json +++ b/test/config/ca.json -@@ -5,10 +5,10 @@ +@@ -5,11 +5,11 @@ "ecdsaProfile": "ecdsaEE", - "debugAddr": "localhost:8001", + "debugAddr": ":8001", "Issuers": [{ - "ConfigFile": "test/test-ca.key-pkcs11.json", + "File": "test/test-ca.key", - "CertFile": "test/test-ca2.pem" + "CertFile": "test/test-ca2.pem", + "NumSessions": 2 }, { - "ConfigFile": "test/test-ca.key-pkcs11.json", + "File": "test/test-ca.key", - "CertFile": "test/test-ca.pem" + "CertFile": "test/test-ca.pem", + "NumSessions": 2 }], - "expiry": "2160h", +diff
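Review bot: in the after_success hunk the decrypted signing key is imported into GNUPGHOME="$ACME_DIR/.travis/.gnupg" inside the source checkout; ppa-private.asc.enc and ppa-private.asc are shredded and PPA_ENCRYPTION_ID / PPA_ENCRYPTION_PASS are blanked with `export PPA_ENCRYPTION_ID=` and `export PPA_ENCRYPTION_PASS=`, but nothing in the hunk removes that keyring afterwards, so the secret key stays on disk under the checkout for the rest of the job and in anything that archives the tree. Add a cleanup of "$GNUPGHOME" at the end of the script, and a one-line comment saying why the two variables are blanked so a later edit does not drop those lines. Separately, the new DEBSIGN_KEYID value ends with a space before the closing quote as shown; if that is literal rather than an artifact of how the patch was captured, the key fingerprint is the less ambiguous selector for debsign than a user-ID substring.

Review bot: the boulder.patch hunk swaps the PKCS#11 issuer config for a plain key file ("File": "test/test-ca.key") and adds "NumSessions": 2 to both issuers in test/config/ca.json; since this patch is applied only to Boulder's test configuration for CI, a header comment in .travis/boulder.patch stating that scope, and the Boulder revision the refreshed index lines (374ff68..4e701da, eb6a2c1..7c6c0e3) were taken from, would keep it from being read as production guidance and make the next rebase of the patch easier.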