Hi Dmitry/Marc, thanks for working on this and the related openssl bug, very appreciated trying avoiding the rapidly upcoming problem.
I think this gnutls could get be extra annoying (or very noisy for support) as bionic is both still active LTS and also apt itself uses gnutls backend. ESM maybe even worse (see end of this comment). While Ubuntu repos itself seems to not have Let's Encrypt certificates a couple of 3rd party repos have and some maybe quite common for developers. 2 examples using Let's encrypt a.) apt.postgresql.org To get any still postgresql version for various ubuntu,debian releases Note: They don't specifically use https:// url in their docs b.) deb.nodesource.com To get update node.js via an apt repo. Their setup instructions specifically use https:// url's While not having fix should not prevent apt from installing it (giving canonical repos seems to not be using Let's Encrypt) but: - Lots of support question - Not sure about unattended-upgrades, custom automation for package updates etc.. On top for ESM (i.e. xenial)) https://esm.ubuntu.com seems to be using Let's Encrypt I did not check it specifically if it has the Android compatible chain triggering the openssl/gnutls bug or you are using the alternative chain. If ESM is affected here that could be bigger issue as it prevents people from installing the fix (if they don't get it before 2021-10-01) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1928648 Title: expiring trust anchor compatibility issue To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
