Your message dated Sun, 1 Jun 2025 12:43:36 +0200
with message-id <adwu2ksbcgrw5...@ramacher.at>
and subject line Re: Bug#1106585: unblock: python-certbot-dns-google/4.0.0-1
has caused the Debian Bug report #1106585,
regarding unblock: python-certbot-dns-google/4.0.0-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1106585: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106585
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: python-certbot-dns-goo...@packages.debian.org,
hlieber...@debian.org
Control: affects -1 + src:python-certbot-dns-google
User: release.debian....@packages.debian.org
Usertags: unblock
User: hlieber...@debian.org
Usertags: trixie-certbot
Please unblock package python-certbot-dns-google
[ Reason ]
The certbot 2.x series is end of life and will not receive further updates
or
backports of changes.
(
https://github.com/certbot/certbot/wiki/Architectural-Decision-Records-2025#-update-to-certbots-version-policy-and-end-of-life-support-on-previous-major-versions
)
By far and away, the primary purpose of certbot is to receive certificates
from
Let's Encrypt, and the Let's Encrypt team are planning API changes in 2025
which
will break the issuance of TLS certificates for people using the Certbot 2.x
series.
[ Impact ]
If the unblock is not granted, certbot will suddenly stop working at
some point in the future and users' TLS certificates will expire. Because
certbot tends to be used as a set-it-and-forget-it system, and Let's
Encrypt has
recently disabled their email notifications, users' websites and
applications
may suddenly be unavailable to users and/or vulnerable to MitM.
[ Tests ]
Certbot's two primary plugins (python-certbot-apache, python-certbot-nginx)
and
the main utility (python-certbot) have a test harness which exercises the
entire
process of getting a certificate against a test environment. This provides
very
high confidence that those packages are still working, and that the
libraries
which they depend on (python-josepy, python-acme) are in good health. These
tests pass cleanly on ci.d.n for all three invocations.
The dns plugin packages (python-certbot-dns-*) are substantially less
complicated than the other certbot packages and primarily handle
communication
with various companies' API layers. Those are unlikely to have broken
because of
the changes to certbot's internals; the primary way in which those packages
break are due to API changes on the providers' ends.
[ Risks ]
Upgrading the packages across major versions comes with risks, certainly,
but
there is little in the way of alternative. The changes are too complex for
me to
be willing to attempt to backport, and in a security critical application,
I am
even more reticent than I normally would be. I recognize the late
application
introduces even more risk --- and rightfully, I'm sure no small amount of
annoyance --- but it is where we've ended up.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
[ Other info ]
This is one of a series of identical unblock requests with only
package names and debdiffs differing.
unblock python-certbot-dns-google/4.0.0-1
dns-google.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
On 2025-05-31 20:38:10 +0200, Paul Gevers wrote:
> Control: tags -1 confirmed - moreinfo
>
> Hi.
>
> On 31-05-2025 20:24, Harlan Lieberman-Berg wrote:
> > I've pushed up a -2 that simply drops the bad B-D into sid; debdiff
> > attached.
>
>
> Ack, thanks. Looks a bit weird though, that you can just drop a build
> dependency like that. But as it wasn't there before, it is what I suspected.
Upaded my hints for the new version.
Cheers
--
Sebastian Ramacher
--- End Message ---
