Bug#887399: stretch-pu: package python-certbot/0.10.2-1
Indeed -- sorry about that, everyone! I intended for that to go out before
I went on vacation (and didn't have email access), but it looks like I
didn't quite manage it. I'm doing the uploads again now.

On Mon, Jan 21, 2019 at 6:05 AM Julien Cristau wrote:
>
> On Thu, Jan 17, 2019 at 01:48:24PM -0800, Brad Warren wrote:
> > I just wanted to make sure this was still on everyone’s radar. The
> > change server side where tens of thousands of Debian users will begin
> > being unable to renew their certificates is in less than a month.
> >
> It is, but the initial uploads used the wrong version numbers and had to
> be rejected. AIUI Harlan should be back this week, hopefully he can get
> to this.
>
> Cheers,
> Julien
>
> > > On Jan 8, 2019, at 4:24 PM, Harlan Lieberman-Berg wrote:
> > >
> > > Hello Julien, everyone,
> > >
> > > I've uploaded the relevant packages for your examination. The
> > > packages uploaded are:
> > >
> > > - python-acme_0.28.0-1+deb9u1
> > > - python-certbot_0.28.0-1+deb9u1
> > > - python-certbot-nginx_0.28.0-1+deb9u1
> > > - python-certbot-apache_0.28.0-1+deb9u1
> > > - python-josepy_1.1.0-2+deb9u1
> > > - parsedatetime_2.1-3+deb9u1
> > >
> > > On Sun, Dec 2, 2018 at 7:55 PM Harlan Lieberman-Berg wrote:
> > >>
> > >> On Sun, Dec 2, 2018 at 10:48 AM Julien Cristau wrote:
> > >>> OK, let's do that then. Sorry for not getting back to this sooner.
> > >>
> > >> Sounds good. I'm preparing the uploads now.
> > >>
> > >> It looks like I will need to rebuild the version of
> > >> python-parsedatetime in stable to also build the python3 version. I
> > >> could also backport a newer version that builds python3. Let me know.
> > >>
> > >> Sincerely,
> > >> --
> > >> Harlan Lieberman-Berg
> > >> ~hlieberman
> > >
> > > --
> > > Harlan Lieberman-Berg
> > > ~hlieberman

--
Harlan Lieberman-Berg
~hlieberman
Bug#887399: stretch-pu: package python-certbot/0.10.2-1
On Thu, Jan 17, 2019 at 01:48:24PM -0800, Brad Warren wrote:
> I just wanted to make sure this was still on everyone’s radar. The
> change server side where tens of thousands of Debian users will begin
> being unable to renew their certificates is in less than a month.
>
It is, but the initial uploads used the wrong version numbers and had to
be rejected. AIUI Harlan should be back this week, hopefully he can get
to this.

Cheers,
Julien

> > On Jan 8, 2019, at 4:24 PM, Harlan Lieberman-Berg wrote:
> >
> > Hello Julien, everyone,
> >
> > I've uploaded the relevant packages for your examination. The
> > packages uploaded are:
> >
> > - python-acme_0.28.0-1+deb9u1
> > - python-certbot_0.28.0-1+deb9u1
> > - python-certbot-nginx_0.28.0-1+deb9u1
> > - python-certbot-apache_0.28.0-1+deb9u1
> > - python-josepy_1.1.0-2+deb9u1
> > - parsedatetime_2.1-3+deb9u1
> >
> > On Sun, Dec 2, 2018 at 7:55 PM Harlan Lieberman-Berg wrote:
> >>
> >> On Sun, Dec 2, 2018 at 10:48 AM Julien Cristau wrote:
> >>> OK, let's do that then. Sorry for not getting back to this sooner.
> >>
> >> Sounds good. I'm preparing the uploads now.
> >>
> >> It looks like I will need to rebuild the version of
> >> python-parsedatetime in stable to also build the python3 version. I
> >> could also backport a newer version that builds python3. Let me know.
> >>
> >> Sincerely,
> >> --
> >> Harlan Lieberman-Berg
> >> ~hlieberman
> >
> > --
> > Harlan Lieberman-Berg
> > ~hlieberman
Bug#887399: stretch-pu: package python-certbot/0.10.2-1
control: tags -1 +security

Hi,

On Mon, 15 Jan 2018 18:04:59 -0500 Harlan Lieberman-Berg wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hello Release Team,
>
> Due to a security issue in the underlying Let's Encrypt protocol, one of the
> main methods of getting certificates from Let's Encrypt has been disabled
> (the TLS-SNI-01 protocol;
> https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new-issuance/50316
> for more info).

It will happen on February 13th, 2019, so I'm afraid that the 9.7 point
release would be too late for it. It's a security issue, so a security
advisory may help, IMHO.

--
Hideki Yamane
Bug#887399: stretch-pu: package python-certbot/0.10.2-1
I just wanted to make sure this was still on everyone’s radar. The change
server side where tens of thousands of Debian users will begin being unable
to renew their certificates is in less than a month.

> On Jan 8, 2019, at 4:24 PM, Harlan Lieberman-Berg wrote:
>
> Hello Julien, everyone,
>
> I've uploaded the relevant packages for your examination. The
> packages uploaded are:
>
> - python-acme_0.28.0-1+deb9u1
> - python-certbot_0.28.0-1+deb9u1
> - python-certbot-nginx_0.28.0-1+deb9u1
> - python-certbot-apache_0.28.0-1+deb9u1
> - python-josepy_1.1.0-2+deb9u1
> - parsedatetime_2.1-3+deb9u1
>
> On Sun, Dec 2, 2018 at 7:55 PM Harlan Lieberman-Berg wrote:
>>
>> On Sun, Dec 2, 2018 at 10:48 AM Julien Cristau wrote:
>>> OK, let's do that then. Sorry for not getting back to this sooner.
>>
>> Sounds good. I'm preparing the uploads now.
>>
>> It looks like I will need to rebuild the version of
>> python-parsedatetime in stable to also build the python3 version. I
>> could also backport a newer version that builds python3. Let me know.
>>
>> Sincerely,
>> --
>> Harlan Lieberman-Berg
>> ~hlieberman
>
> --
> Harlan Lieberman-Berg
> ~hlieberman
Bug#887399: stretch-pu: package python-certbot/0.10.2-1
Hello Julien, everyone,

I've uploaded the relevant packages for your examination. The
packages uploaded are:

- python-acme_0.28.0-1+deb9u1
- python-certbot_0.28.0-1+deb9u1
- python-certbot-nginx_0.28.0-1+deb9u1
- python-certbot-apache_0.28.0-1+deb9u1
- python-josepy_1.1.0-2+deb9u1
- parsedatetime_2.1-3+deb9u1

On Sun, Dec 2, 2018 at 7:55 PM Harlan Lieberman-Berg wrote:
>
> On Sun, Dec 2, 2018 at 10:48 AM Julien Cristau wrote:
> > OK, let's do that then. Sorry for not getting back to this sooner.
>
> Sounds good. I'm preparing the uploads now.
>
> It looks like I will need to rebuild the version of
> python-parsedatetime in stable to also build the python3 version. I
> could also backport a newer version that builds python3. Let me know.
>
> Sincerely,
> --
> Harlan Lieberman-Berg
> ~hlieberman

--
Harlan Lieberman-Berg
~hlieberman
Bug#887399: stretch-pu: package python-certbot/0.10.2-1
On Sun, Dec 2, 2018 at 10:48 AM Julien Cristau wrote:
> OK, let's do that then. Sorry for not getting back to this sooner.

Sounds good. I'm preparing the uploads now.

It looks like I will need to rebuild the version of python-parsedatetime in
stable to also build the python3 version. I could also backport a newer
version that builds python3. Let me know.

Sincerely,
--
Harlan Lieberman-Berg
~hlieberman
Bug#887399: stretch-pu: package python-certbot/0.10.2-1
Control: tag -1 - moreinfo
Control: tag -1 + confirmed

On Tue, Nov 13, 2018 at 10:09:06PM -0500, Harlan Lieberman-Berg wrote:
> Hello Jeremy, release team,
>
> Yes, the minimal set of involved source packages is python-acme,
> python-certbot, python-certbot-nginx, and python-certbot-apache. This
> would also require the new package python-josepy, which is also
> maintained by the LE team.
>
> They should be able to be taken directly out of backports without
> breaking anything.
>
OK, let's do that then. Sorry for not getting back to this sooner.

Cheers,
Julien
Bug#887399: stretch-pu: package python-certbot/0.10.2-1
Hello Jeremy, release team,

Yes, the minimal set of involved source packages is python-acme,
python-certbot, python-certbot-nginx, and python-certbot-apache. This would
also require the new package python-josepy, which is also maintained by the
LE team.

They should be able to be taken directly out of backports without breaking
anything.

Sincerely,
--
Harlan Lieberman-Berg
~hlieberman
Bug#887399: stretch-pu: package python-certbot/0.10.2-1
What can be done to get this issue resolved?

This issue has jumped in priority now that domain validation through the
TLS-SNI-01 challenge will be completely unsupported by Let’s Encrypt on
February 13th, 2019. See
https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209.

While the TLS-SNI-01 challenge was initially disabled by Let’s Encrypt over
10 months ago, an exception had been made for people renewing certificates
they had previously obtained using the challenge. This exception is going
away on the above date. This means that unless users manually intervene or
are upgraded to a new version of Certbot, certificate renewal will fail.

I pulled some numbers on this from Let’s Encrypt and found that there were
nearly 15,000 unique Debian Stretch installations that were currently
relying on this exception. This is for over 32,000 certificates covering
nearly 50,000 domains.

There are even more affected users on jessie-backports. Since the packages
in jessie-backports cannot be upgraded to a newer version due to the version
in Stretch, they are stuck on an incompatible version as well. This is
nearly 20,000 unique installations for over 52,000 certificates covering
nearly 85,000 domains.

I certainly would like to avoid having all of these renewals fail. Please
let me know if there's anything I can do to help make a version of Certbot
that is compatible with Let’s Encrypt’s changes available in Debian.
Bug#887399: stretch-pu: package python-certbot/0.10.2-1
I’m another upstream developer of Certbot.

Taking 0.21.1 into stable would be the most conservative update that would
resolve this issue. The oldest version you could take is 0.21.0, but 0.21.1
was released 8 days later and as a result has been much more widely tested.
Since 0.21.1 was released back in January, it has been installed and run on
over 500,000 systems and been used to obtain over two million certificates
from Let’s Encrypt. Alternatively, you could take 0.22.2 or 0.23.0, which
would include other bug fixes (and features), but they both have been
released for less than a month.

The switch to Python 3 would affect relatively few users, but it will affect
some. There are around 200 installations maintaining certificates from Let’s
Encrypt using the packages in stretch (or jessie-backports) with third party
Certbot plugins. These plugins need to register themselves using Certbot’s
Python interface, so a change to Python 3 would likely break things for
them. There may also be Debian users using Certbot with a private CA or
using Certbot’s Python interface in ways other than writing a plugin. We
don’t have data on these users, and the latter is not supported; however, I
have seen a couple of instances of both. I’m unsure if the people I’ve seen
doing this were using Debian.

The certbot, python-acme, python-certbot, python-certbot-apache, and
python-certbot-nginx packages would all need to be updated.

Please let me know if there’s anything else I can do to help get this
resolved.
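The two upstream messages above state the facts an administrator needs to audit a Stretch host: lineages that still rely on the TLS-SNI-01 renewal exception stop renewing on February 13th, 2019, and 0.21.0 is the oldest Certbot release that avoids that for the apache and nginx plugins. The script below is an added example, not code from the bug thread or from the certbot project. It compares the installed certbot version against that 0.21.0 floor and scans per-lineage renewal configs for an explicit TLS-SNI-01 preference. The renewal-config layout it parses (one INI-style file per certificate with a [renewalparams] section carrying authenticator and pref_challs, kept under /etc/letsencrypt/renewal/) and the three sample configs embedded in it are assumptions constructed for the example; the apache/nginx rule is the thread's, applied conservatively.

```python
"""Audit certbot renewal lineages for dependence on the retired TLS-SNI-01
challenge. Added example; not code from the Debian bug thread or certbot.

Facts taken from the thread: certbot releases before 0.21.0 have no HTTP-01
support in the apache/nginx plugins, and lineages that still prefer
TLS-SNI-01 stop renewing once Let's Encrypt ends the renewal exception.
Assumption (not from the thread): renewal configs are INI-style files, one
per lineage, with a [renewalparams] section holding 'authenticator' and an
optional comma-separated 'pref_challs'.
"""
import configparser
import pathlib
import re
from typing import Dict, List

# Oldest certbot release the thread names as resolving the issue.
MIN_SAFE_VERSION = (0, 21, 0)
# Plugins the thread says depended on TLS-SNI-01 before 0.21.0.
TLS_SNI_DEPENDENT_PLUGINS = {"apache", "nginx"}


def parse_version(text: str) -> tuple:
    """Turn '0.10.2-1+deb9u1' into (0, 10, 2), ignoring the Debian revision."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised certbot version: {text!r}")
    return tuple(int(part) for part in m.groups())


def lineage_at_risk(conf_text: str, certbot_version: str) -> bool:
    """True if this lineage would fail to renew after TLS-SNI-01 is retired.

    Conservative rule: an explicit tls-sni-01 preference is flagged on any
    version (it needs manual review); otherwise only an apache/nginx lineage
    on a certbot older than 0.21.0 is flagged.
    """
    cp = configparser.ConfigParser(interpolation=None)
    # The assumed layout has top-level keys before the first section header;
    # give them a synthetic section so configparser accepts the file.
    cp.read_string("[top]\n" + conf_text)
    params = cp["renewalparams"] if cp.has_section("renewalparams") else {}
    authenticator = params.get("authenticator", "").strip().lower()
    prefs = [c.strip().lower()
             for c in params.get("pref_challs", "").split(",") if c.strip()]
    if "tls-sni-01" in prefs:
        return True
    too_old = parse_version(certbot_version) < MIN_SAFE_VERSION
    return too_old and authenticator in TLS_SNI_DEPENDENT_PLUGINS


def audit(configs: Dict[str, str], certbot_version: str) -> List[str]:
    """Return the sorted names of lineages that need attention."""
    return sorted(name for name, text in configs.items()
                  if lineage_at_risk(text, certbot_version))


def load_renewal_dir(path: str = "/etc/letsencrypt/renewal") -> Dict[str, str]:
    """Read every *.conf in the (assumed) renewal directory; name = file stem."""
    return {p.stem: p.read_text() for p in pathlib.Path(path).glob("*.conf")}


# Constructed sample lineages for offline use; not taken from the thread.
SAMPLE_CONFIGS = {
    "www.example.org": (
        "version = 0.10.2\n"
        "archive_dir = /etc/letsencrypt/archive/www.example.org\n"
        "[renewalparams]\n"
        "authenticator = nginx\n"
        "installer = nginx\n"
    ),
    "mail.example.org": (
        "version = 0.10.2\n"
        "[renewalparams]\n"
        "authenticator = webroot\n"
        "installer = None\n"
        "webroot_path = /var/www/html,\n"
    ),
    "legacy.example.org": (
        "version = 0.28.0\n"
        "[renewalparams]\n"
        "authenticator = standalone\n"
        "pref_challs = tls-sni-01,\n"
    ),
}

if __name__ == "__main__":
    # Stretch's 0.10.2 versus the 0.28.0 upload proposed in the thread.
    for version in ("0.10.2-1", "0.28.0-1+deb9u1"):
        print(f"certbot {version}: at risk -> {audit(SAMPLE_CONFIGS, version)}")
```

On a real host, replace SAMPLE_CONFIGS with load_renewal_dir() and pass the output of `certbot --version`; the webroot lineage is unaffected on either version because that plugin never depended on TLS-SNI-01, while the explicit tls-sni-01 preference is reported even on 0.28.0 so that the administrator reviews it rather than trusting an automatic fallback.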
Bug#887399: stretch-pu: package python-certbot/0.10.2-1
Control: tag -1 moreinfo

On Mon, Jan 15, 2018 at 18:04:59 -0500, Harlan Lieberman-Berg wrote:
> Due to a security issue in the underlying Let's Encrypt protocol, one of the
> main methods of getting certificates from Let's Encrypt has been disabled
> (the TLS-SNI-01 protocol;
> https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new-issuance/50316
> for more info).
>
> This puts us in a bit of an awkward spot. The upstream certbot provider is
> preparing to do a new release that has support for HTTP-01 inside the
> python-certbot-apache and python-certbot-nginx plugins, as well as the
> required work in python-acme and python-certbot (and certbot), but I'm not
> sure backporting the patches is realistic. A lot of development has been
> done in the interim, both in the certbot packaging and in the upstream
> software. Without those patches, users with the apache or nginx plugins will
> fail to update their certificates starting 2018-04-09.
>
> I can talk to the certbot upstream to see if they'd be willing to help
> backport the patches (CCed), but initial conversations seem to indicate that
> doing so will be difficult.
>
> The other approach that we can take is to backport the next version that
> supports the new challenge through to s-p-u and into stable. I'm guessing
> that you will ask me to unwind the work I did to convert to python3 in the
> last release (sadface), but I can do that if that's what it needs to get this
> fixed in stable.
>
I'm not sure that'd be wise, if it would mean shipping something untested.
To me, the workable alternatives seem to be to either remove those packages
from stable, or update them to a current version. At least the 0.21
packages have presumably had some testing in stretch-backports. The
switches to python 3 and debhelper 11 are unfortunate, and at least the
latter would need to be reverted.

I'm worried about local scripts or other integration using python2 and
breaking if we were to move certbot to python3; how likely is that? On the
other hand, I guess if they're still using the package from stable it's
going to break on them soon anyway.

What is the minimal set of source packages that we would need to update?
Is it python-acme, python-certbot, python-certbot-apache and
python-certbot-nginx?

Cheers,
Julien
Bug#887399: stretch-pu: package python-certbot/0.10.2-1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello Release Team,

Due to a security issue in the underlying Let's Encrypt protocol, one of the
main methods of getting certificates from Let's Encrypt has been disabled
(the TLS-SNI-01 protocol;
https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new-issuance/50316
for more info).

This puts us in a bit of an awkward spot. The upstream certbot provider is
preparing to do a new release that has support for HTTP-01 inside the
python-certbot-apache and python-certbot-nginx plugins, as well as the
required work in python-acme and python-certbot (and certbot), but I'm not
sure backporting the patches is realistic. A lot of development has been
done in the interim, both in the certbot packaging and in the upstream
software. Without those patches, users with the apache or nginx plugins will
fail to update their certificates starting 2018-04-09.

I can talk to the certbot upstream to see if they'd be willing to help
backport the patches (CCed), but initial conversations seem to indicate that
doing so will be difficult.

The other approach that we can take is to backport the next version that
supports the new challenge through to s-p-u and into stable. I'm guessing
that you will ask me to unwind the work I did to convert to python3 in the
last release (sadface), but I can do that if that's what it needs to get this
fixed in stable.

Gurus and Wise Ones, I beseech you for guidance!

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled