Bug#863453: unblock: acmetool/0.0.59-1

2017-05-30 Thread Jonathan Wiltshire
Hi,

On Tue, May 30, 2017 at 08:45:26AM -0400, Peter Colberg wrote:
> Control: tag -1 - moreinfo
> 
> On Mon, May 29, 2017 at 01:11:47PM +0100, Jonathan Wiltshire wrote:
> > None of these issues seem to have corresponding BTS bugs. If they did,
> > which severity would you choose? (hint: if they're not at least
> > 'serious'...)
> 
> I would assign the following severities:
> 
>   * Validate hostnames in 'acmetool want' [1]
> 
> Severity: normal
> 
> This improves the error handling when the user passes an invalid host 
> name.
> 
> https://github.com/hlandau/acme/issues/204
> 
>   * Allow environment variables to be passed to challenge hooks [2]
> 
> Severity: normal
> 
> https://github.com/hlandau/acme/issues/166 

These would be nice in the long term, but I don't really think they're
critical right now.

>   * Allow acmeapi to obtain new nonces if nonce pool is depleted [3]
> 
> Severity: important
> 
> This fixes a potential failure to acquire certificates.
> 
> https://github.com/hlandau/acme/issues/214

Let's assume that if the Let's Encrypt responder is giving you 503s, it's
game over anyway.

>   * Don't attempt fdb permission tests on non-cgo builds [4]
> 
> Severity: serious
> 
> This fixes an FTBFS on architectures using gcc-go.

Does this actually affect stretch builds, or just architectures outside
those?

> https://github.com/hlandau/acme/issues/219
> 
>   * Add read/write timeouts to redirector server [5]
> 
> Severity: serious
> 
> This fixes a denial-of-service in the HTTP-to-HTTPS redirector.

Is this likely, given there is only really one set of (probably
well-behaved) clients in the real world? Possibly I've misunderstood the
purpose of this redirector.

>   * Allow hidden files within the state directory [6]
> 
> Severity: important
> 
> This ignores dot files in /var/lib/acme, e.g., .git/.
> 
> https://github.com/hlandau/acme/issues/153

This might be a bit noisy, but it's not a show-stopper is it?

I'm erring on the side of deferring all of these and cherry-picking them if
real-world issues get reported for stable. It's an awful lot of changes for
this late in the process and not really suitable.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Bug#863453: unblock: acmetool/0.0.59-1

2017-05-30 Thread Peter Colberg
Control: tag -1 - moreinfo

On Mon, May 29, 2017 at 01:11:47PM +0100, Jonathan Wiltshire wrote:
> None of these issues seem to have corresponding BTS bugs. If they did,
> which severity would you choose? (hint: if they're not at least
> 'serious'...)

I would assign the following severities:

  * Validate hostnames in 'acmetool want' [1]

Severity: normal

This improves the error handling when the user passes an invalid host name.

https://github.com/hlandau/acme/issues/204

  * Allow environment variables to be passed to challenge hooks [2]

Severity: normal

https://github.com/hlandau/acme/issues/166 

  * Allow acmeapi to obtain new nonces if nonce pool is depleted [3]

Severity: important

This fixes a potential failure to acquire certificates.

https://github.com/hlandau/acme/issues/214

  * Don't attempt fdb permission tests on non-cgo builds [4]

Severity: serious

This fixes an FTBFS on architectures using gcc-go.

https://github.com/hlandau/acme/issues/219

  * Add read/write timeouts to redirector server [5]

Severity: serious

This fixes a denial-of-service in the HTTP-to-HTTPS redirector.

  * Allow hidden files within the state directory [6]

Severity: important

This ignores dot files in /var/lib/acme, e.g., .git/.

https://github.com/hlandau/acme/issues/153


I strongly believe the users of the acmetool package would be best
served by Debian if all of the above fixes were included in stretch.

Regards,
Peter

[1] https://github.com/hlandau/acme/commit/96126c04eb76c1921127731ea3ae562a67459b2d
[2] https://github.com/hlandau/acme/commit/c8f5d91e3b1d5fab90fda1298a65f5f283555097
[3] https://github.com/hlandau/acme/commit/a087733bf7567b224b8d192e2747f794fc93a27c
[4] https://github.com/hlandau/acme/commit/ca02f4791ab63b92907c2dfcf7d1f9a1f62b7b87
[5] https://github.com/hlandau/acme/commit/b9637d98466b45de1b7fc848474d1fc10ef60667
[6] https://github.com/hlandau/acme/commit/677aa28007341961102375d45857e26fac149e80
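As an added illustration of item [5] above (example code written for this page, not acmetool's own redirector): a minimal HTTP-to-HTTPS redirector in Go whose http.Server carries read, write and idle timeouts, so a client that opens a connection and never finishes its request cannot hold a handler and its file descriptor open indefinitely. The function names, the timeout values and the header-size limit are assumptions chosen for the example.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"time"
)

// NewRedirector builds the HTTP-to-HTTPS redirector. The timeout values are
// the caller's choice (assumed for this example); the point is that every
// phase of a connection is bounded, so a client that sends a partial request
// and then goes quiet, or never reads the reply, is dropped instead of
// occupying the listener forever.
func NewRedirector(addr string, readTimeout, writeTimeout, idleTimeout time.Duration) *http.Server {
	return &http.Server{
		Addr:           addr,
		Handler:        http.HandlerFunc(RedirectToHTTPS),
		ReadTimeout:    readTimeout,  // whole request (headers and body) must arrive within this
		WriteTimeout:   writeTimeout, // response must be written within this
		IdleTimeout:    idleTimeout,  // keep-alive connections waiting for the next request
		MaxHeaderBytes: 4 << 10,      // a redirector never needs large request headers
	}
}

// RedirectToHTTPS answers every request with a 301 to the same host and
// path over https. A port in the Host header (e.g. "example.org:80") is
// dropped so the client lands on the default HTTPS port; an IPv6 literal
// is re-bracketed so the Location URL stays well-formed.
func RedirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	if host == "" {
		http.Error(w, "missing Host header", http.StatusBadRequest)
		return
	}
	if ip := net.ParseIP(host); ip != nil && ip.To4() == nil {
		host = "[" + host + "]"
	}
	http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusMovedPermanently)
}

func main() {
	srv := NewRedirector(":80", 10*time.Second, 10*time.Second, 30*time.Second)
	log.Fatal(srv.ListenAndServe())
}
```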



Bug#863453: unblock: acmetool/0.0.59-1

2017-05-29 Thread Jonathan Wiltshire
Control: tag -1 moreinfo

On Fri, May 26, 2017 at 10:10:57PM -0400, Peter Colberg wrote:
>   * Validate hostnames in 'acmetool want' [1]
>   * Allow environment variables to be passed to challenge hooks [2]
>   * Allow acmeapi to obtain new nonces if nonce pool is depleted [3]
>   * Don't attempt fdb permission tests on non-cgo builds [4]
>   * Add read/write timeouts to redirector server [5]
>   * Allow hidden files within the state directory [6]

None of these issues seem to have corresponding BTS bugs. If they did,
which severity would you choose? (hint: if they're not at least
'serious'...)

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Bug#863453: unblock: acmetool/0.0.59-1

2017-05-27 Thread Peter Colberg
Hi Niels,

On Sat, May 27, 2017 at 05:51:00AM +, Niels Thykier wrote:
> Any particular reason why you have waited until now with filing the
> unblock request?

I am writing my PhD thesis and had paused work on Debian. Your latest
message to debian-devel-announce made me realise it is high time to
make an exception for acmetool to be in its best shape for stretch.

Peter



Bug#863453: unblock: acmetool/0.0.59-1

2017-05-26 Thread Niels Thykier
Control: tags -1 moreinfo

Peter Colberg:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Dear Debian Release Team,
> 
> [...]

Hi,

> 
> Could you please unblock a new upstream bugfix release of acmetool, a
> client for the Let’s Encrypt TLS certificate authority? This version
> was uploaded to Debian unstable back in February, shortly after the
> beginning of the full freeze [0].
> 

Any particular reason why you have waited until now with filing the
unblock request?

> The release comprises the following bug and usability fixes:
> 
>   * Validate hostnames in 'acmetool want' [1]
>   * Allow environment variables to be passed to challenge hooks [2]
>   * Allow acmeapi to obtain new nonces if nonce pool is depleted [3]
>   * Don't attempt fdb permission tests on non-cgo builds [4]
>   * Add read/write timeouts to redirector server [5]
>   * Allow hidden files within the state directory [6]
> 
> Regards,
> Peter
> 
> [...]

Thanks,
~Niels



Bug#863453: unblock: acmetool/0.0.59-1

2017-05-26 Thread Peter Colberg
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Debian Release Team,

Please accept my apology for the belated request:

unblock acmetool/0.0.59-1

Could you please unblock a new upstream bugfix release of acmetool, a
client for the Let’s Encrypt TLS certificate authority? This version
was uploaded to Debian unstable back in February, shortly after the
beginning of the full freeze [0].

The release comprises the following bug and usability fixes:

  * Validate hostnames in 'acmetool want' [1]
  * Allow environment variables to be passed to challenge hooks [2]
  * Allow acmeapi to obtain new nonces if nonce pool is depleted [3]
  * Don't attempt fdb permission tests on non-cgo builds [4]
  * Add read/write timeouts to redirector server [5]
  * Allow hidden files within the state directory [6]

Regards,
Peter

[0] https://tracker.debian.org/news/839171
[1] https://github.com/hlandau/acme/commit/96126c04eb76c1921127731ea3ae562a67459b2d
[2] https://github.com/hlandau/acme/commit/c8f5d91e3b1d5fab90fda1298a65f5f283555097
[3] https://github.com/hlandau/acme/commit/a087733bf7567b224b8d192e2747f794fc93a27c
[4] https://github.com/hlandau/acme/commit/ca02f4791ab63b92907c2dfcf7d1f9a1f62b7b87
[5] https://github.com/hlandau/acme/commit/b9637d98466b45de1b7fc848474d1fc10ef60667
[6] https://github.com/hlandau/acme/commit/677aa28007341961102375d45857e26fac149e80
diff -Nru acmetool-0.0.58/.travis/after_success acmetool-0.0.59/.travis/after_success
--- acmetool-0.0.58/.travis/after_success	2016-09-03 08:30:08.0 -0400
+++ acmetool-0.0.59/.travis/after_success	2017-02-17 06:26:01.0 -0500
@@ -32,20 +32,25 @@
 
 # Prepare Ubuntu PPA signing key.
 echo Preparing Ubuntu PPA signing key...
-cd "$ACME_DIR/.travis"
-wget -c "https://www.devever.net/~hl/f/gnupg-ppa-data.tar.gz.enc;
-openssl enc -d -aes-128-cbc -md sha256 -salt -pass env:PPA_ENCRYPTION_PASS -in "gnupg-ppa-data.tar.gz.enc" -out "gnupg-ppa-data.tar.gz"
-tar xvf gnupg-ppa-data.tar.gz
-shred -u gnupg-ppa-data.tar.*
-cd "$ACME_DIR"
+wget -qO ppa-private.asc.enc "https://www.devever.net/~hl/f/ppa-private-${PPA_ENCRYPTION_ID}.asc.enc;
+export PPA_ENCRYPTION_ID=
+openssl enc -d -aes-128-cbc -md sha256 -salt -pass env:PPA_ENCRYPTION_PASS -in "ppa-private.asc.enc" -out "ppa-private.asc"
+export PPA_ENCRYPTION_PASS=
+shred -u ppa-private.asc.enc
 export GNUPGHOME="$ACME_DIR/.travis/.gnupg"
+mkdir -p "$GNUPGHOME"
+gpg --batch --import < ppa-private.asc
+shred -u ppa-private.asc
+cat < "$HOME/.devscripts"
-DEBSIGN_KEYID="Hugo Landau (2016 PPA Signing) "
+DEBSIGN_KEYID="Hugo Landau (2017 PPA Signing) "
 END
 
-UBUNTU_RELEASES="xenial precise trusty vivid wily"
+UBUNTU_RELEASES="precise trusty xenial yakkety zesty vivid"
 for distro_name in $UBUNTU_RELEASES; do
   echo Creating Debian source environment for ${distro_name}...
   $GOPATH/src/github.com/$TRAVIS_REPO_SLUG/.travis/make_debian_env "$GOPATH/releasing/dbuilds/$distro_name" "$GOPATH/releasing/dist/" "$TRAVIS_TAG" "$distro_name"
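Review bot: the private PPA key blob fetched by `wget -qO ppa-private.asc.enc ...` is decrypted with `openssl enc -d -aes-128-cbc`, which gives confidentiality but no authentication, and nothing checks the download's integrity before `gpg --batch --import < ppa-private.asc`; a corrupted or altered blob is only noticed when the import (or a later signing step) fails. Pin a SHA-256 of the blob in the script and verify it before decrypting, and check the exit status of wget and openssl unless the script already runs under `set -e` (not visible in this hunk). Also `mkdir -p "$GNUPGHOME"` creates the keyring directory with the default umask; add `chmod 700 "$GNUPGHOME"` so the imported private key is not group- or world-readable and gpg does not warn about unsafe permissions. Minor: `DEBSIGN_KEYID="Hugo Landau (2017 PPA Signing) "` selects the signing key by user-ID string rather than by fingerprint, which becomes ambiguous as soon as a second key with that name exists; and as shown, `cat < "$HOME/.devscripts"` followed by an `END` terminator reads as a plain input redirect rather than the intended here-document (`cat <<END > "$HOME/.devscripts"`).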
@@ -90,7 +95,7 @@
 cat < /tmp/rpm-metadata
 {
   "project_id": $COPR_PROJECT_ID,
-  "chroots": ["fedora-23-i386", "fedora-23-x86_64", "epel-7-x86_64", "fedora-24-i386", "fedora-24-x86_64"]
+  "chroots": ["fedora-23-i386", "fedora-23-x86_64", "epel-7-x86_64", "fedora-24-i386", "fedora-24-x86_64", "fedora-25-i386", "fedora-25-x86_64", "fedora-26-i386", "fedora-26-x86_64"]
 }
 END
   else
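Review bot: the extended `"chroots"` list keeps `fedora-23-i386` and `fedora-23-x86_64` alongside the new fedora-25 and fedora-26 entries, although Fedora 23 reached end of life in December 2016; drop the EOL chroots so builds are not submitted for targets that no longer receive updates, and consider holding the list in a shell variable so it is not maintained inline in JSON. Minor: `/tmp/rpm-metadata` is a fixed, predictable path on the builder; `mktemp` avoids clobbering and symlink surprises.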
diff -Nru acmetool-0.0.58/.travis/boulder.patch acmetool-0.0.59/.travis/boulder.patch
--- acmetool-0.0.58/.travis/boulder.patch	2016-09-03 08:30:08.0 -0400
+++ acmetool-0.0.59/.travis/boulder.patch	2017-02-17 06:26:01.0 -0500
@@ -11,7 +11,7 @@
  
  # If we reach here, a child died early. Log what died:
 diff --git a/test/config-next/va.json b/test/config-next/va.json
-index c237d7f..1336bb5 100644
+index 374ff68..4e701da 100644
 --- a/test/config-next/va.json
 +++ b/test/config-next/va.json
 @@ -4,7 +4,7 @@
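Review bot: only the `index` line of the embedded boulder patch changes here (`c237d7f..1336bb5` to `374ff68..4e701da`), which ties the patch to one specific boulder revision of test/config-next/va.json; record the boulder commit it targets next to the patch (or in the script that applies it) so a future boulder bump fails visibly rather than with a silent fuzzy apply.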
@@ -23,35 +23,42 @@
"httpsPort": 5001,
"tlsPort": 5001
  },
-@@ -56,4 +56,4 @@
- "dnsTimeout": "10s",
- "dnsAllowLoopbackAddresses": true
-   }
--}
-\ No newline at end of file
-+}
 diff --git a/test/config/ca.json b/test/config/ca.json
-index a4d71c8..9057f6f 100644
+index eb6a2c1..7c6c0e3 100644
 --- a/test/config/ca.json
 +++ b/test/config/ca.json
-@@ -5,10 +5,10 @@
+@@ -5,11 +5,11 @@
  "ecdsaProfile": "ecdsaEE",
- "debugAddr": "localhost:8001",
+ "debugAddr": ":8001",
  "Issuers": [{
 -  "ConfigFile": "test/test-ca.key-pkcs11.json",
 +  "File": "test/test-ca.key",
-   "CertFile": "test/test-ca2.pem"
+   "CertFile": "test/test-ca2.pem",
+   "NumSessions": 2
  }, {
 -  "ConfigFile": "test/test-ca.key-pkcs11.json",
 +  "File": "test/test-ca.key",
-   "CertFile": "test/test-ca.pem"
+   "CertFile": "test/test-ca.pem",
+   "NumSessions": 2
  }],
- "expiry": "2160h",
+diff
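Review bot: `"debugAddr": ":8001"` replaces `"localhost:8001"` in the boulder test CA config, moving the debug listener from loopback to all interfaces; unless the CI container needs it reachable from another network namespace, keep it bound to localhost, and if the wider bind is required, say why in the patch. Also the hunk header announces 42 new lines but the quoted diff stops at `+diff`, so the rest of this hunk and the remainder of the debdiff are not available for review.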