Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-11 Thread Alexander Wirt
On Mon, 11 Feb 2019, Brad Warren wrote:

> I agree with the concerns about updating python3-cryptography in jessie.
> 
> If we can’t update jessie, I’d ideally love to see the packages in 
> jessie-backports updated. Despite the announcement that jessie-backports was 
> discontinued ~6 months ago, tens of thousands of users and many more domains 
> continue to rely on these packages as I wrote earlier in this thread. It 
> would be great if a simple package upgrade was all they needed to do to 
> prevent their TLS configurations from breaking.
It's closed, we won't change it anymore and it will be (hopefully) archived
soon, then it's not even available on the mirrors anymore.

Alex - backports ftpmaster
 



Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-11 Thread Brad Warren
I agree with the concerns about updating python3-cryptography in jessie.

If we can’t update jessie, I’d ideally love to see the packages in 
jessie-backports updated. Despite the announcement that jessie-backports was 
discontinued ~6 months ago, tens of thousands of users and many more domains 
continue to rely on these packages as I wrote earlier in this thread. It would 
be great if a simple package upgrade was all they needed to do to prevent their 
TLS configurations from breaking.

With that said, I am not deeply familiar with the processes here and I am 
unsure how painful this would be to do.

Brad

> On Feb 11, 2019, at 2:28 AM, Ian Campbell wrote:
> 
> On Mon, 2019-02-11 at 12:06 +0200, Adrian Bunk wrote:
>> certbot is not in jessie, so nothing to fix/update there.
> 
> Oh, I hadn't realised that bit, thanks for clarifying.
> 
> I have no advice/suggestions then.
> 
> Ian.
> 
> 



Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-11 Thread Ian Campbell
On Mon, 2019-02-11 at 12:06 +0200, Adrian Bunk wrote:
> certbot is not in jessie, so nothing to fix/update there.

Oh, I hadn't realised that bit, thanks for clarifying.

I have no advice/suggestions then.

Ian.



Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-11 Thread Adrian Bunk
On Sat, Feb 09, 2019 at 08:37:09AM +, Ian Campbell wrote:
>...
> There is no need for an exception, jessie-backports is not the right
> place to be fixing this issue even if it were still open. It should be
> fixed by an update to either Jessie itself or the security suite.
>...

certbot is not in jessie, so nothing to fix/update there.

jessie-backports is no longer supported and closed since
the non-LTS EOL of jessie in June 2018.

It might in theory be possible that the LTS team maintains backports 
until the LTS EOL of a release, but right now this is not being done.

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed



Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-10 Thread Ola Lundqvist
Hi

Yes I have also been thinking that it would be possible to provide them in
a separate repository.

Best regards

// Ola

On Sun, 10 Feb 2019 at 15:40, Holger Levsen wrote:

> Hi Ola & Brad,
>
> thank you for your quick feedback!
>
> On Sat, Feb 09, 2019 at 09:27:53PM +0100, Ola Lundqvist wrote:
> > Here is a little more extensive list of dependencies:
> >
> > python-certbot (of course as it is the one providing certbot)
> > python3-acme (>= 0.26.0~) - not in jessie, available in backports
> > python3-configargparse - not in jessie, available in backports
> > python3-cryptography (>= 1.2) - update needed (affecting something else?),
> > available in backports
> > python3-josepy - not in jessie
> > python3-rfc3339 - not in jessie, available in backports
> > python3-sphinx (>= 1.6) - update needed (affecting something else?)
> > python-certbot-nginx
> > python-certbot-apache
> >
> > python-certbot-nginx and python-certbot-apache do not seem to add any
> > additional dependencies that are not already in jessie.
> >
> > I have not checked if any of the above packages require further
> > dependencies so the list may grow larger.
>
> I think this list is too large, also just python3-cryptography has too
> many rdepends to make me comfortable updating it (and I haven't looked
> at the other packages at all), so I think we should stop here (for
> jessie LTS).
>
> What however could be done, is to provide these updates in another repo
> outside of jessie LTS...
>
>
> --
> tschau,
> Holger
>
>
> ---
>    holger@(debian|reproducible-builds|layer-acht).org
>    PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.com                      Folkebogatan 26  \
|  o...@debian.org                      654 68 KARLSTAD  |
|  http://inguza.com/        Mobile: +46 (0)70-332 1551  |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---


Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-10 Thread Holger Levsen
Hi Ola & Brad,

thank you for your quick feedback!

On Sat, Feb 09, 2019 at 09:27:53PM +0100, Ola Lundqvist wrote:
> Here is a little more extensive list of dependencies:
> 
> python-certbot (of course as it is the one providing certbot)
> python3-acme (>= 0.26.0~) - not in jessie, available in backports
> python3-configargparse - not in jessie, available in backports
> python3-cryptography (>= 1.2) - update needed (affecting something else?),
> available in backports
> python3-josepy - not in jessie
> python3-rfc3339 - not in jessie, available in backports
> python3-sphinx (>= 1.6) - update needed (affecting something else?)
> python-certbot-nginx
> python-certbot-apache
> 
> python-certbot-nginx and python-certbot-apache do not seem to add any
> additional dependencies that are not already in jessie.
> 
> I have not checked if any of the above packages require further
> dependencies so the list may grow larger.

I think this list is too large, also just python3-cryptography has too
many rdepends to make me comfortable updating it (and I haven't looked
at the other packages at all), so I think we should stop here (for
jessie LTS).

What however could be done, is to provide these updates in another repo
outside of jessie LTS...


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-09 Thread Ola Lundqvist
Hi

Here are the reverse dependencies for that.

(jessie_chroot)root@tigereye:~/build/certbot/python-certbot-0.28.0# apt-rdepends -r python3-cryptography
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3-cryptography
  Reverse Depends: python3-openssl (0.14-1)
python3-openssl
  Reverse Depends: python3-service-identity (1.0.0-3)
python3-service-identity

Does not look like much.

// Ola

On Sat, 9 Feb 2019 at 23:20, Brad Warren wrote:

> Thanks for looking into that Ola.
>
> I think we could work around the python3-sphinx problem. It’s just used
> for building the docs and python3-sphinx (>= 1.6) is not in Stretch despite
> the Certbot package being updated there. It seems to me like something
> similar could be done here.
>
> python3-cryptography certainly might be a problem though.
>
> > On Feb 9, 2019, at 12:27 PM, Ola Lundqvist wrote:
> >
> > Hi Holger and Brad
> >
> > Here is a little more extensive list of dependencies:
> >
> > python-certbot (of course as it is the one providing certbot)
> > python3-acme (>= 0.26.0~) - not in jessie, available in backports
> > python3-configargparse - not in jessie, available in backports
> > > python3-cryptography (>= 1.2) - update needed (affecting something else?), available in backports
> > python3-josepy - not in jessie
> > python3-rfc3339 - not in jessie, available in backports
> > python3-sphinx (>= 1.6) - update needed (affecting something else?)
> > python-certbot-nginx
> > python-certbot-apache
> >
> > > python-certbot-nginx and python-certbot-apache do not seem to add any
> > > additional dependencies that are not already in jessie.
> > >
> > > I have not checked if any of the above packages require further
> > > dependencies so the list may grow larger.
> >
> > Best regards
> >
> > // Ola
> >
> > On Sat, 9 Feb 2019 at 20:58, Brad Warren wrote:
> >
> >
> > > On Feb 9, 2019, at 6:19 AM, Holger Levsen wrote:
> > >
> > > On Sat, Feb 09, 2019 at 02:54:43PM +0100, Ola Lundqvist wrote:
> > >> I can also add that I have looked into this for myself and the number of
> > >> needed dependencies is rather large. So it is not just certbot that needs an
> > >> update, we also need to include quite a few other packages too.
> > >
> > > how large exactly?
> > >
> > All of:
> >
> > - python-acme
> > - python-certbot
> > - python-certbot-apache
> > - python-certbot-nginx
> > - python-josepy
> >
> > would need to be added/updated like they were in Stretch. (The new
> > python-josepy package comes from it being split out of python-acme.)
> >
> > We have spent a lot of time upstream keeping compatibility with older
> > versions of our dependencies and not adding new dependencies with the goal
> > of making situations like this easier.
> >
> > With that said, these Debian packages have switched from Python 2 to
> > Python 3 since the last time they were updated in jessie-backports. The
> > switch to Python 3 would either need to be undone (as we have kept
> > compatibility with Python 2 upstream) or Python 3 versions of some of our
> > dependencies would need to be added. I am not sure how many packages would
> > be affected if the latter approach was taken.
> >
> > >
> > > --
> > > tschau,
> > >   Holger
> > >
> > >
> > > ---
> > >   holger@(debian|reproducible-builds|layer-acht).org
> > >   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
> >
> >
> >
> >
>
>



Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-09 Thread Brad Warren
Thanks for looking into that Ola.

I think we could work around the python3-sphinx problem. It’s just used for 
building the docs and python3-sphinx (>= 1.6) is not in Stretch despite the 
Certbot package being updated there. It seems to me like something similar 
could be done here.

python3-cryptography certainly might be a problem though.

> On Feb 9, 2019, at 12:27 PM, Ola Lundqvist wrote:
> 
> Hi Holger and Brad
> 
> Here is a little more extensive list of dependencies:
> 
> python-certbot (of course as it is the one providing certbot)
> python3-acme (>= 0.26.0~) - not in jessie, available in backports
> python3-configargparse - not in jessie, available in backports
> python3-cryptography (>= 1.2) - update needed (affecting something else?), 
> available in backports
> python3-josepy - not in jessie
> python3-rfc3339 - not in jessie, available in backports
> python3-sphinx (>= 1.6) - update needed (affecting something else?)
> python-certbot-nginx
> python-certbot-apache
> 
> python-certbot-nginx and python-certbot-apache do not seem to add any 
> additional dependencies that are not already in jessie.
> 
> I have not checked if any of the above packages require further dependencies 
> so the list may grow larger.
> 
> Best regards
> 
> // Ola
> 
> On Sat, 9 Feb 2019 at 20:58, Brad Warren wrote:
> 
> 
> > On Feb 9, 2019, at 6:19 AM, Holger Levsen wrote:
> > 
> > On Sat, Feb 09, 2019 at 02:54:43PM +0100, Ola Lundqvist wrote:
> >> I can also add that I have looked into this for myself and the number of
> >> needed dependencies is rather large. So it is not just certbot that needs an
> >> update, we also need to include quite a few other packages too.
> > 
> > how large exactly?
> > 
> All of:
> 
> - python-acme
> - python-certbot
> - python-certbot-apache
> - python-certbot-nginx
> - python-josepy
> 
> would need to be added/updated like they were in Stretch. (The new 
> python-josepy package comes from it being split out of python-acme.)
> 
> We have spent a lot of time upstream keeping compatibility with older 
> versions of our dependencies and not adding new dependencies with the goal of 
> making situations like this easier.
> 
> With that said, these Debian packages have switched from Python 2 to Python 3 
> since the last time they were updated in jessie-backports. The switch to 
> Python 3 would either need to be undone (as we have kept compatibility with 
> Python 2 upstream) or Python 3 versions of some of our dependencies would 
> need to be added. I am not sure how many packages would be affected if the 
> latter approach was taken.
> 
> > 
> > -- 
> > tschau,
> >   Holger
> > 
> > ---
> >   holger@(debian|reproducible-builds|layer-acht).org
> >   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
> 
> 
> 
> 



Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-09 Thread Brad Warren



> On Feb 9, 2019, at 6:19 AM, Holger Levsen wrote:
> 
> On Sat, Feb 09, 2019 at 02:54:43PM +0100, Ola Lundqvist wrote:
>> I can also add that I have looked into this for myself and the number of
>> needed dependencies is rather large. So it is not just certbot that needs an
>> update, we also need to include quite a few other packages too.
> 
> how large exactly?
> 
All of:

- python-acme
- python-certbot
- python-certbot-apache
- python-certbot-nginx
- python-josepy

would need to be added/updated like they were in Stretch. (The new 
python-josepy package comes from it being split out of python-acme.)

We have spent a lot of time upstream keeping compatibility with older versions 
of our dependencies and not adding new dependencies with the goal of making 
situations like this easier.

With that said, these Debian packages have switched from Python 2 to Python 3 
since the last time they were updated in jessie-backports. The switch to Python 
3 would either need to be undone (as we have kept compatibility with Python 2 
upstream) or Python 3 versions of some of our dependencies would need to be 
added. I am not sure how many packages would be affected if the latter approach 
was taken.

> 
> -- 
> tschau,
>   Holger
> 
> ---
>   holger@(debian|reproducible-builds|layer-acht).org
>   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C



Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-09 Thread Ola Lundqvist
Hi Holger and Brad

Here is a little more extensive list of dependencies:

python-certbot (of course as it is the one providing certbot)
python3-acme (>= 0.26.0~) - not in jessie, available in backports
python3-configargparse - not in jessie, available in backports
python3-cryptography (>= 1.2) - update needed (affecting something else?),
available in backports
python3-josepy - not in jessie
python3-rfc3339 - not in jessie, available in backports
python3-sphinx (>= 1.6) - update needed (affecting something else?)
python-certbot-nginx
python-certbot-apache

python-certbot-nginx and python-certbot-apache do not seem to add any
additional dependencies that are not already in jessie.

I have not checked if any of the above packages require further
dependencies so the list may grow larger.

Best regards

// Ola

On Sat, 9 Feb 2019 at 20:58, Brad Warren wrote:

>
>
> > On Feb 9, 2019, at 6:19 AM, Holger Levsen wrote:
> >
> > On Sat, Feb 09, 2019 at 02:54:43PM +0100, Ola Lundqvist wrote:
> >> I can also add that I have looked into this for myself and the number of
> >> needed dependencies is rather large. So it is not just certbot that needs an
> >> update, we also need to include quite a few other packages too.
> >
> > how large exactly?
> >
> All of:
>
> - python-acme
> - python-certbot
> - python-certbot-apache
> - python-certbot-nginx
> - python-josepy
>
> would need to be added/updated like they were in Stretch. (The new
> python-josepy package comes from it being split out of python-acme.)
>
> We have spent a lot of time upstream keeping compatibility with older
> versions of our dependencies and not adding new dependencies with the goal
> of making situations like this easier.
>
> With that said, these Debian packages have switched from Python 2 to
> Python 3 since the last time they were updated in jessie-backports. The
> switch to Python 3 would either need to be undone (as we have kept
> compatibility with Python 2 upstream) or Python 3 versions of some of our
> dependencies would need to be added. I am not sure how many packages would
> be affected if the latter approach was taken.
>
> >
> > --
> > tschau,
> >   Holger
> >
> >
> > ---
> >   holger@(debian|reproducible-builds|layer-acht).org
> >   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
>
>



Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-09 Thread Holger Levsen
On Sat, Feb 09, 2019 at 02:54:43PM +0100, Ola Lundqvist wrote:
> I can also add that I have looked into this for myself and the number of
> needed dependencies is rather large. So it is not just certbot that needs an
> update, we also need to include quite a few other packages too.

how large exactly?


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-09 Thread Ola Lundqvist
Hi

I can also add that I have looked into this for myself and the number of
needed dependencies is rather large. So it is not just certbot that needs an
update, we also need to include quite a few other packages too.

// Ola

On Sat, 9 Feb 2019 at 09:37, Ian Campbell wrote:

> [[ Resending to correct debian-lts, I forgot the "lists." bit... ]]
>
> On Fri, 2019-02-08 at 11:18 -0800, Brad Warren wrote:
> > To provide a little more information as an upstream maintainer of
> > Certbot, the lack of an upgrade here will affect a lot of Debian
> > Jessie users.
> >
> > Let’s Encrypt started sending out multiple emails telling affected
> > users they needed to upgrade their client or they will become unable
> > to renew their certificates 3 weeks ago. Looking at server side data
> > from the past week on how many Jessie users continue to rely on these
> > soon to be broken packages, I estimate it is 20,000 users maintaining
> > 37,000 certificates for 64,000 domains.
> >
> > Is there really nothing that can be done here? Is it possible to make
> > an exception to Debian’s normal policy to prevent TLS configurations
> > from breaking on tens of thousands of websites?
>
> There is no need for an exception, jessie-backports is not the right
> place to be fixing this issue even if it were still open. It should be
> fixed by an update to either Jessie itself or the security suite.
>
> Jessie(-security) is currently maintained (until June 2020) by the LTS
> team[0], who I've cc-d here.
>
> There was a similar thread on the backports list which ended with [1]
> but I don't know if this ever formally came to the LTS team.
>
> Ian (not involved with LTS nor backports nor letsencrypt team).
>
> [0] https://wiki.debian.org/LTS/
> [1] https://lists.debian.org/debian-backports/2019/01/msg00052.html
>
>



Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-09 Thread Ian Campbell
[[ Resending to correct debian-lts, I forgot the "lists." bit... ]]

On Fri, 2019-02-08 at 11:18 -0800, Brad Warren wrote:
> To provide a little more information as an upstream maintainer of
> Certbot, the lack of an upgrade here will affect a lot of Debian
> Jessie users.
> 
> Let’s Encrypt started sending out multiple emails telling affected
> users they needed to upgrade their client or they will become unable
> to renew their certificates 3 weeks ago. Looking at server side data
> from the past week on how many Jessie users continue to rely on these
> soon to be broken packages, I estimate it is 20,000 users maintaining
> 37,000 certificates for 64,000 domains.
> 
> Is there really nothing that can be done here? Is it possible to make
> an exception to Debian’s normal policy to prevent TLS configurations
> from breaking on tens of thousands of websites?

There is no need for an exception, jessie-backports is not the right
place to be fixing this issue even if it were still open. It should be
fixed by an update to either Jessie itself or the security suite.

Jessie(-security) is currently maintained (until June 2020) by the LTS
team[0], who I've cc-d here.

There was a similar thread on the backports list which ended with [1]
but I don't know if this ever formally came to the LTS team.

Ian (not involved with LTS nor backports nor letsencrypt team).

[0] https://wiki.debian.org/LTS/
[1] https://lists.debian.org/debian-backports/2019/01/msg00052.html