Ah, yes - I meant to mention that. With Eoan having 0.36.0-1, this update is not needed on Eoan. And backporting 0.36.0-1 is a bigger job as it incurs other dependencies being updated.
I have added the following branches to the git repository, rather than generating individual debdiffs. There are no changes to build 0.31.0-2 between Xenial, Bionic, Cosmic and Disco. I have also updated the description. Running update-maintainer resulted in no changes, so I might be missing something there. If you take a look at the branches and feel that there need to be further changes for each branch, please let me know what is required and I'll gladly get the changes made.

** Description changed:

+ [Impact] + This bug affects the python-acme package in all released versions of - Ubuntu. + Ubuntu, with the exception of Eoan Ermine which uses a newer version of + python-acme. - The python-acme package will no longer work with Let’s Encrypt’s - “ACMEv2” endpoint which is their RFC 8555 compliant endpoint starting - November 1st. See https://community.letsencrypt.org/t/acme-v2-scheduled- - deprecation-of-unauthenticated-resource-gets/74380 for more details - about this change. + After November 1, the current python-acme package will no longer work + with Let’s Encrypt’s “ACMEv2” endpoint, which is their RFC 8555 + compliant endpoint for issuing and renewing TLS certificates. - After November 1st of this year, the python-acme packages will be - unusable with Let's Encrypt's endpoint which will break any software - using the library for this purpose. The primary concern here is that - users of the library will no longer be able to obtain new certificates. - Certificates which are currently being automatically renewed will - suddenly become unable to do so which will likely result in broken TLS - configurations for many users. + See https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation- + of-unauthenticated-resource-gets/74380 for more details about this + change. 
- As one of the upstream maintainers of this library, I think the safest - way to start to resolve this problem would be to backport the python- - acme 0.31.0-2 package from Debian Buster to Disco. The python-acme - package in Disco is version 0.31.0-1 and the only code differences - should be some minor patches that were applied to the package in Buster - to avoid this problem before it was released. I think taking this - package would result in the smallest diff while sticking to a well - tested package. + The primary concern here is that users of the library, most commonly + users of the certbot package, will no longer be able to obtain new + certificates and existing certificates issued via certbot will no longer + be able to renew, resulting in broken TLS configurations for many users + and sites hosted on Ubuntu where certbot is used to request and renew + TLS certificates. - Alternatively, if taking a package from Debian at this point is awkward, - I can either provide info on the changes that were backported to create - 0.31.0-2 in Debian so we could do something similar to the package in - Disco or we could backport python-acme 0.34.0+. + [Test Case] - After the package in Disco is updated to resolve this, I think we should - backport the updated package to every non-EOL'd release of Ubuntu back - to Xenial. + Given the breaking change will not occur until November the first, it is + not easy to reproduce the failure case. However, testing this package + should include verifying that a certificate can be successfully issued + from the current live letsencrypt endpoints via the certbot command line + utility, installable via the certbot package. - There are no breaking API changes between python-acme 0.31.0-2 and the - version of python-acme in any Ubuntu release and no dependencies need to - be updated. 
+ [Regression Potential] + + As opposed to upgrading to the newer version of python-acme (0.36.0-1) + from Eoan Ermine, and advantage of SRU'ing the 0.31.0-2 version to + Xenial, Bionic, Cosmic and Disco, is that there are no breaking API + changes between python-acme 0.31.0-2 and the version of python-acme + currently in the repositories. Therfore, SRU'ing 0.31.0-2 carries the + least risk of regression while enabling the library to function + correctly after November 1st. + + The regression potential of backporting 0.36.0-1 and associated newer + dependencies would be higher, as more packages would need to be + backported and the risk of introducing breaking API changes to dependant + applications would therefore be increased. + + [Other Information] + + * The package being tested is being introduced from Debian Buster and is currently in use + * The package being SRU'd has minimal changes required to allow building the package on older versions of Ubuntu

--
https://bugs.launchpad.net/bugs/1836823
Title: python-acme will break on November 1st
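
Review bot: The added [Test Case] section gives no repeatable steps: it says to verify that a certificate can be issued from the live Let's Encrypt endpoints via the certbot command line utility, but not which command to run, on which releases, or what result counts as a pass. Listing the exact invocation and expected outcome for each of Xenial, Bionic, Cosmic and Disco would let a verifier repeat it, and since [Impact] names failed renewals as a primary concern, the test case should say how renewal is checked as well as first issuance. In the added text, "After November 1" drops the "of this year" that the removed paragraph had, so the year should be stated. In [Regression Potential], "and advantage" should read "an advantage", "Therfore" should be "Therefore", and "dependant applications" should be "dependent applications".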
