Hi, intrigeri: > I'd like to propose this mitigation:
> Use only outgoing HTTPS connections if the remote peer can be > correctly authenticated using a certificate signed by Let's Encrypt Here's a first proof-of-concept on the 932570-pin-LetsEncrypt-CA branch on https://salsa.debian.org/intrigeri/dgit. This assumes we ship the Let's Encrypt CA in the dgit package until #932590 is fixed; once that CA is shipped by ca-certificates, we can point dgit-distro.debian.archive-query-tls-cacert to it and stop shipping the CA ourselves. It "works for me" as in: - "dgit clone" succeeds with the default configuration. - But if I point dgit-distro.debian.archive-query-tls-cacert to a different CA, "dgit clone" fails with a CURL/TLS error message. What I did not do: - I did not find how to run the full test suite so this might break stuff. - I did not write tests :/ Is the test suite operating fully offline or is it already mocking remote services? - I'm no good with Makefile's so my (untested) attempt at installing the CA in the expected directory is probably buggy. What do you think? Cheers, -- intrigeri
