Re: Bug#921663: Please add python-certbot update to jessie-backports
On Mon, 11 Feb 2019, Brad Warren wrote:

> I agree with the concerns about updating python3-cryptography in jessie.
>
> If we can’t update jessie, I’d ideally love to see the packages in
> jessie-backports updated. Despite the announcement that jessie-backports was
> discontinued ~6 months ago, tens of thousands of users and many more domains
> continue to rely on these packages as I wrote earlier in this thread. It
> would be great if a simple package upgrade was all they needed to do to
> prevent their TLS configurations from breaking.

It's closed, we won't change it anymore and it will be (hopefully) archived soon, then it's not even available on the mirrors anymore.

Alex - backports ftpmaster
Re: Bug#921663: Please add python-certbot update to jessie-backports
I agree with the concerns about updating python3-cryptography in jessie.

If we can’t update jessie, I’d ideally love to see the packages in jessie-backports updated. Despite the announcement that jessie-backports was discontinued ~6 months ago, tens of thousands of users and many more domains continue to rely on these packages as I wrote earlier in this thread. It would be great if a simple package upgrade was all they needed to do to prevent their TLS configurations from breaking.

With that said, I am not deeply familiar with the processes here and I am unsure how painful this would be to do.

Brad

> On Feb 11, 2019, at 2:28 AM, Ian Campbell wrote:
>
> On Mon, 2019-02-11 at 12:06 +0200, Adrian Bunk wrote:
>> certbot is not in jessie, so nothing to fix/update there.
>
> Oh, I hadn't realised that bit, thanks for clarifying.
>
> I have no advice/suggestions then.
>
> Ian.
Re: Bug#921663: Please add python-certbot update to jessie-backports
On Mon, 2019-02-11 at 12:06 +0200, Adrian Bunk wrote:
> certbot is not in jessie, so nothing to fix/update there.

Oh, I hadn't realised that bit, thanks for clarifying.

I have no advice/suggestions then.

Ian.
Re: Bug#921663: Please add python-certbot update to jessie-backports
On Sat, Feb 09, 2019 at 08:37:09AM +, Ian Campbell wrote:
>...
> There is no need for an exception, jessie-backports is not the right
> place to be fixing this issue even if it were still open. It should be
> fixed by an update to either Jessie itself or the security suite.
>...

certbot is not in jessie, so nothing to fix/update there.

jessie-backports is no longer supported and closed since the non-LTS EOL of jessie in June 2018.

It might in theory be possible that the LTS team maintains backports until the LTS EOL of a release, but right now this is not being done.

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Re: Bug#921663: Please add python-certbot update to jessie-backports
Hi

Yes I have also been thinking that it would be possible to provide them in a separate repository.

Best regards

// Ola

On Sun, 10 Feb 2019 at 15:40, Holger Levsen wrote:

> Hi Ola & Brad,
>
> thank you for your quick feedback!
>
> On Sat, Feb 09, 2019 at 09:27:53PM +0100, Ola Lundqvist wrote:
> > Here is a little more extensive list of dependencies:
> >
> > python-certbot (of course as it is the one providing certbot)
> > python3-acme (>= 0.26.0~) - not in jessie, available in backports
> > python3-configargparse - not in jessie, available in backports
> > python3-cryptography (>= 1.2) - update needed (affecting something else?),
> > available in backports
> > python3-josepy - not in jessie
> > python3-rfc3339 - not in jessie, available in backports
> > python3-sphinx (>= 1.6) - update needed (affecting something else?)
> > python-certbot-nginx
> > python-certbot-apache
> >
> > python-certbot-nginx and python-certbot-apache do not seem to add any
> > additional dependencies that are not already in jessie.
> >
> > I have not checked if any of the above packages require further
> > dependencies so the list may grow larger.
>
> I think this list is too large, also just python3-cryptography has too
> many rdepends to make me comfortable updating it (and I haven't looked
> at the other packages at all), so I think we should stop here (for
> jessie LTS).
>
> What however could be done, is to provide these updates in another repo
> outside of jessie LTS...
>
> --
> tschau,
> Holger
>
> ---
> holger@(debian|reproducible-builds|layer-acht).org
> PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

--
Inguza Technology AB --- MSc in Information Technology
o...@inguza.com      Folkebogatan 26
o...@debian.org      654 68 KARLSTAD
http://inguza.com/   Mobile: +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
Re: Bug#921663: Please add python-certbot update to jessie-backports
Hi Ola & Brad,

thank you for your quick feedback!

On Sat, Feb 09, 2019 at 09:27:53PM +0100, Ola Lundqvist wrote:
> Here is a little more extensive list of dependencies:
>
> python-certbot (of course as it is the one providing certbot)
> python3-acme (>= 0.26.0~) - not in jessie, available in backports
> python3-configargparse - not in jessie, available in backports
> python3-cryptography (>= 1.2) - update needed (affecting something else?),
> available in backports
> python3-josepy - not in jessie
> python3-rfc3339 - not in jessie, available in backports
> python3-sphinx (>= 1.6) - update needed (affecting something else?)
> python-certbot-nginx
> python-certbot-apache
>
> python-certbot-nginx and python-certbot-apache do not seem to add any
> additional dependencies that are not already in jessie.
>
> I have not checked if any of the above packages require further
> dependencies so the list may grow larger.

I think this list is too large, also just python3-cryptography has too many rdepends to make me comfortable updating it (and I haven't looked at the other packages at all), so I think we should stop here (for jessie LTS).

What however could be done, is to provide these updates in another repo outside of jessie LTS...

--
tschau,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: Bug#921663: Please add python-certbot update to jessie-backports
Hi

Here are the reverse dependencies for that.

(jessie_chroot)root@tigereye:~/build/certbot/python-certbot-0.28.0# apt-rdepends -r python3-cryptography
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3-cryptography
  Reverse Depends: python3-openssl (0.14-1)
python3-openssl
  Reverse Depends: python3-service-identity (1.0.0-3)
python3-service-identity

Does not look like much.

// Ola

On Sat, 9 Feb 2019 at 23:20, Brad Warren wrote:

> Thanks for looking into that Ola.
>
> I think we could work around the python3-sphinx problem. It’s just used
> for building the docs and python3-sphinx (>= 1.6) is not in Stretch despite
> the Certbot package being updated there. It seems to me like something
> similar could be done here.
>
> python3-cryptography certainly might be a problem though.
>
> > On Feb 9, 2019, at 12:27 PM, Ola Lundqvist wrote:
> >
> > Hi Holger and Brad
> >
> > Here is a little more extensive list of dependencies:
> >
> > python-certbot (of course as it is the one providing certbot)
> > python3-acme (>= 0.26.0~) - not in jessie, available in backports
> > python3-configargparse - not in jessie, available in backports
> > python3-cryptography (>= 1.2) - update needed (affecting something else?), available in backports
> > python3-josepy - not in jessie
> > python3-rfc3339 - not in jessie, available in backports
> > python3-sphinx (>= 1.6) - update needed (affecting something else?)
> > python-certbot-nginx
> > python-certbot-apache
> >
> > python-certbot-nginx and python-certbot-apache do not seem to add any
> > additional dependencies that are not already in jessie.
> >
> > I have not checked if any of the above packages require further
> > dependencies so the list may grow larger.
> >
> > Best regards
> >
> > // Ola
> >
> > On Sat, 9 Feb 2019 at 20:58, Brad Warren wrote:
> >
> > > On Feb 9, 2019, at 6:19 AM, Holger Levsen wrote:
> > >
> > > On Sat, Feb 09, 2019 at 02:54:43PM +0100, Ola Lundqvist wrote:
> > >> I can also add that I have looked into this for myself and the number of
> > >> needed dependencies is rather large. So it is not just certbot that needs an
> > >> update, we also need to include quite a few other packages too.
> > >
> > > how large exactly?
> > >
> > All of:
> >
> > - python-acme
> > - python-certbot
> > - python-certbot-apache
> > - python-certbot-nginx
> > - python-josepy
> >
> > would need to be added/updated like they were in Stretch. (The new
> > python-josepy package comes from it being split out of python-acme.)
> >
> > We have spent a lot of time upstream keeping compatibility with older
> > versions of our dependencies and not adding new dependencies with the goal
> > of making situations like this easier.
> >
> > With that said, these Debian packages have switched from Python 2 to
> > Python 3 since the last time they were updated in jessie-backports. The
> > switch to Python 3 would either need to be undone (as we have kept
> > compatibility with Python 2 upstream) or Python 3 versions of some of our
> > dependencies would need to be added. I am not sure how many packages would
> > be affected if the latter approach was taken.
> >
> > >
> > > --
> > > tschau,
> > > Holger
> > >
> > > ---
> > > holger@(debian|reproducible-builds|layer-acht).org
> > > PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
> >
> > --
> > Inguza Technology AB --- MSc in Information Technology
> > o...@inguza.com      Folkebogatan 26
> > o...@debian.org      654 68 KARLSTAD
> > http://inguza.com/   Mobile: +46 (0)70-332 1551
> > gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9

--
Inguza Technology AB --- MSc in Information Technology
o...@inguza.com      Folkebogatan 26
o...@debian.org      654 68 KARLSTAD
http://inguza.com/   Mobile: +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
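Added example, not part of the original thread: a parser for `apt-rdepends -r` output of the shape posted in the message above, which walks the graph to list every package that directly or indirectly depends on the one being updated. The sample text is that output with its line layout reconstructed; the function names are hypothetical.

```python
"""Parse `apt-rdepends -r` output and compute the transitive reverse-dependency set."""
import re
from collections import deque

# Sample input: the output quoted in the message above, with line breaks and
# indentation restored (layout reconstructed for this example).
SAMPLE = """\
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3-cryptography
  Reverse Depends: python3-openssl (0.14-1)
python3-openssl
  Reverse Depends: python3-service-identity (1.0.0-3)
python3-service-identity
"""

# "  Reverse Depends: <package> (<version>)"; the version part is optional.
EDGE_RE = re.compile(r"^\s*Reverse Depends:\s+(\S+)(?:\s+\(([^)]*)\))?\s*$")
# Debian package names: lowercase alphanumerics plus "+", "-", ".".
PKG_RE = re.compile(r"^[a-z0-9][a-z0-9+.\-]+$")


def parse_rdepends(text):
    """Return {package: [(reverse_dependency, version_or_None), ...]}."""
    graph = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        edge = EDGE_RE.match(line)
        if edge:
            if current is None:
                raise ValueError("edge line before any package header: %r" % line)
            graph[current].append((edge.group(1), edge.group(2)))
        elif PKG_RE.match(line):
            current = line
            graph.setdefault(current, [])
        # Everything else (apt progress lines, blank lines) is ignored.
    return graph


def affected_by_update(graph, package):
    """Breadth-first walk: {dependent_package: distance} for all packages
    that depend, directly or transitively, on `package`."""
    distance = {}
    seen = {package}
    queue = deque([(package, 0)])
    while queue:
        name, depth = queue.popleft()
        for rdep, _version in graph.get(name, []):
            if rdep not in seen:  # guards against dependency cycles
                seen.add(rdep)
                distance[rdep] = depth + 1
                queue.append((rdep, depth + 1))
    return distance


if __name__ == "__main__":
    result = affected_by_update(parse_rdepends(SAMPLE), "python3-cryptography")
    for pkg, depth in sorted(result.items(), key=lambda item: item[1]):
        print("%d  %s" % (depth, pkg))
```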
Re: Bug#921663: Please add python-certbot update to jessie-backports
Thanks for looking into that Ola.

I think we could work around the python3-sphinx problem. It’s just used for building the docs and python3-sphinx (>= 1.6) is not in Stretch despite the Certbot package being updated there. It seems to me like something similar could be done here.

python3-cryptography certainly might be a problem though.

> On Feb 9, 2019, at 12:27 PM, Ola Lundqvist wrote:
>
> Hi Holger and Brad
>
> Here is a little more extensive list of dependencies:
>
> python-certbot (of course as it is the one providing certbot)
> python3-acme (>= 0.26.0~) - not in jessie, available in backports
> python3-configargparse - not in jessie, available in backports
> python3-cryptography (>= 1.2) - update needed (affecting something else?),
> available in backports
> python3-josepy - not in jessie
> python3-rfc3339 - not in jessie, available in backports
> python3-sphinx (>= 1.6) - update needed (affecting something else?)
> python-certbot-nginx
> python-certbot-apache
>
> python-certbot-nginx and python-certbot-apache do not seem to add any
> additional dependencies that are not already in jessie.
>
> I have not checked if any of the above packages require further dependencies
> so the list may grow larger.
>
> Best regards
>
> // Ola
>
> On Sat, 9 Feb 2019 at 20:58, Brad Warren wrote:
>
> > On Feb 9, 2019, at 6:19 AM, Holger Levsen wrote:
> >
> > On Sat, Feb 09, 2019 at 02:54:43PM +0100, Ola Lundqvist wrote:
> >> I can also add that I have looked into this for myself and the number of
> >> needed dependencies is rather large. So it is not just certbot that needs an
> >> update, we also need to include quite a few other packages too.
> >
> > how large exactly?
> >
> All of:
>
> - python-acme
> - python-certbot
> - python-certbot-apache
> - python-certbot-nginx
> - python-josepy
>
> would need to be added/updated like they were in Stretch. (The new
> python-josepy package comes from it being split out of python-acme.)
>
> We have spent a lot of time upstream keeping compatibility with older
> versions of our dependencies and not adding new dependencies with the goal of
> making situations like this easier.
>
> With that said, these Debian packages have switched from Python 2 to Python 3
> since the last time they were updated in jessie-backports. The switch to
> Python 3 would either need to be undone (as we have kept compatibility with
> Python 2 upstream) or Python 3 versions of some of our dependencies would
> need to be added. I am not sure how many packages would be affected if the
> latter approach was taken.
>
> >
> > --
> > tschau,
> > Holger
> >
> > ---
> > holger@(debian|reproducible-builds|layer-acht).org
> > PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
>
> --
> Inguza Technology AB --- MSc in Information Technology
> o...@inguza.com      Folkebogatan 26
> o...@debian.org      654 68 KARLSTAD
> http://inguza.com/   Mobile: +46 (0)70-332 1551
> gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
Re: Bug#921663: Please add python-certbot update to jessie-backports
> On Feb 9, 2019, at 6:19 AM, Holger Levsen wrote:
>
> On Sat, Feb 09, 2019 at 02:54:43PM +0100, Ola Lundqvist wrote:
>> I can also add that I have looked into this for myself and the number of
>> needed dependencies is rather large. So it is not just certbot that needs an
>> update, we also need to include quite a few other packages too.
>
> how large exactly?
>

All of:

- python-acme
- python-certbot
- python-certbot-apache
- python-certbot-nginx
- python-josepy

would need to be added/updated like they were in Stretch. (The new python-josepy package comes from it being split out of python-acme.)

We have spent a lot of time upstream keeping compatibility with older versions of our dependencies and not adding new dependencies with the goal of making situations like this easier.

With that said, these Debian packages have switched from Python 2 to Python 3 since the last time they were updated in jessie-backports. The switch to Python 3 would either need to be undone (as we have kept compatibility with Python 2 upstream) or Python 3 versions of some of our dependencies would need to be added. I am not sure how many packages would be affected if the latter approach was taken.

>
> --
> tschau,
> Holger
>
> ---
> holger@(debian|reproducible-builds|layer-acht).org
> PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: Bug#921663: Please add python-certbot update to jessie-backports
Hi Holger and Brad

Here is a little more extensive list of dependencies:

python-certbot (of course as it is the one providing certbot)
python3-acme (>= 0.26.0~) - not in jessie, available in backports
python3-configargparse - not in jessie, available in backports
python3-cryptography (>= 1.2) - update needed (affecting something else?), available in backports
python3-josepy - not in jessie
python3-rfc3339 - not in jessie, available in backports
python3-sphinx (>= 1.6) - update needed (affecting something else?)
python-certbot-nginx
python-certbot-apache

python-certbot-nginx and python-certbot-apache do not seem to add any additional dependencies that are not already in jessie.

I have not checked if any of the above packages require further dependencies so the list may grow larger.

Best regards

// Ola

On Sat, 9 Feb 2019 at 20:58, Brad Warren wrote:

> > On Feb 9, 2019, at 6:19 AM, Holger Levsen wrote:
> >
> > On Sat, Feb 09, 2019 at 02:54:43PM +0100, Ola Lundqvist wrote:
> >> I can also add that I have looked into this for myself and the number of
> >> needed dependencies is rather large. So it is not just certbot that needs an
> >> update, we also need to include quite a few other packages too.
> >
> > how large exactly?
> >
> All of:
>
> - python-acme
> - python-certbot
> - python-certbot-apache
> - python-certbot-nginx
> - python-josepy
>
> would need to be added/updated like they were in Stretch. (The new
> python-josepy package comes from it being split out of python-acme.)
>
> We have spent a lot of time upstream keeping compatibility with older
> versions of our dependencies and not adding new dependencies with the goal
> of making situations like this easier.
>
> With that said, these Debian packages have switched from Python 2 to
> Python 3 since the last time they were updated in jessie-backports. The
> switch to Python 3 would either need to be undone (as we have kept
> compatibility with Python 2 upstream) or Python 3 versions of some of our
> dependencies would need to be added. I am not sure how many packages would
> be affected if the latter approach was taken.
>
> >
> > --
> > tschau,
> > Holger
> >
> > ---
> > holger@(debian|reproducible-builds|layer-acht).org
> > PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

--
Inguza Technology AB --- MSc in Information Technology
o...@inguza.com      Folkebogatan 26
o...@debian.org      654 68 KARLSTAD
http://inguza.com/   Mobile: +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
Re: Bug#921663: Please add python-certbot update to jessie-backports
On Sat, Feb 09, 2019 at 02:54:43PM +0100, Ola Lundqvist wrote:
> I can also add that I have looked into this for myself and the number of
> needed dependencies is rather large. So it is not just certbot that needs an
> update, we also need to include quite a few other packages too.

how large exactly?

--
tschau,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: Bug#921663: Please add python-certbot update to jessie-backports
Hi

I can also add that I have looked into this for myself and the number of needed dependencies is rather large. So it is not just certbot that needs an update, we also need to include quite a few other packages too.

// Ola

On Sat, 9 Feb 2019 at 09:37, Ian Campbell wrote:

> [[ Resending to correct debian-lts, I forgot the "lists." bit... ]]
>
> On Fri, 2019-02-08 at 11:18 -0800, Brad Warren wrote:
> > To provide a little more information as an upstream maintainer of
> > Certbot, the lack of an upgrade here will affect a lot of Debian
> > Jessie users.
> >
> > Let’s Encrypt started sending out multiple emails telling affected
> > users they needed to upgrade their client or they will become unable
> > to renew their certificates 3 weeks ago. Looking at server side data
> > from the past week on how many Jessie users continue to rely on these
> > soon to be broken packages, I estimate it is 20,000 users maintaining
> > 37,000 certificates for 64,000 domains.
> >
> > Is there really nothing that can be done here? Is it possible to make
> > an exception to Debian’s normal policy to prevent TLS configurations
> > from breaking on tens of thousands of websites?
>
> There is no need for an exception, jessie-backports is not the right
> place to be fixing this issue even if it were still open. It should be
> fixed by an update to either Jessie itself or the security suite.
>
> Jessie(-security) is currently maintained (until June 2020) by the LTS
> team[0], who I've cc-d here.
>
> There was a similar thread on the backports list which ended with [1]
> but I don't know if this ever formally came to the LTS team.
>
> Ian (not involved with LTS nor backports nor letsencrypt team).
>
> [0] https://wiki.debian.org/LTS/
> [1] https://lists.debian.org/debian-backports/2019/01/msg00052.html

--
Inguza Technology AB --- MSc in Information Technology
o...@inguza.com      Folkebogatan 26
o...@debian.org      654 68 KARLSTAD
http://inguza.com/   Mobile: +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
Re: Bug#921663: Please add python-certbot update to jessie-backports
[[ Resending to correct debian-lts, I forgot the "lists." bit... ]]

On Fri, 2019-02-08 at 11:18 -0800, Brad Warren wrote:
> To provide a little more information as an upstream maintainer of
> Certbot, the lack of an upgrade here will affect a lot of Debian
> Jessie users.
>
> Let’s Encrypt started sending out multiple emails telling affected
> users they needed to upgrade their client or they will become unable
> to renew their certificates 3 weeks ago. Looking at server side data
> from the past week on how many Jessie users continue to rely on these
> soon to be broken packages, I estimate it is 20,000 users maintaining
> 37,000 certificates for 64,000 domains.
>
> Is there really nothing that can be done here? Is it possible to make
> an exception to Debian’s normal policy to prevent TLS configurations
> from breaking on tens of thousands of websites?

There is no need for an exception, jessie-backports is not the right place to be fixing this issue even if it were still open. It should be fixed by an update to either Jessie itself or the security suite.

Jessie(-security) is currently maintained (until June 2020) by the LTS team[0], who I've cc-d here.

There was a similar thread on the backports list which ended with [1] but I don't know if this ever formally came to the LTS team.

Ian (not involved with LTS nor backports nor letsencrypt team).

[0] https://wiki.debian.org/LTS/
[1] https://lists.debian.org/debian-backports/2019/01/msg00052.html