Hi Dmitry/Marc,
thanks for working on this and the related openssl bug; trying to avoid
the rapidly upcoming problem is very much appreciated.

I think this gnutls issue could be extra annoying (or very noisy for
support), as bionic is still an active LTS and apt itself also uses the
gnutls backend. ESM may be even worse (see the end of this comment).

While the Ubuntu repos themselves seem not to have Let's Encrypt
certificates, a couple of 3rd-party repos do, and some may be quite
common for developers.

2 examples using Let's Encrypt:
a.) apt.postgresql.org
To get any still postgresql version for various ubuntu, debian releases
Note: They don't specifically use https:// URLs in their docs
b.) deb.nodesource.com
To get update node.js via an apt repo.
Their setup instructions specifically use https:// URLs

Not having the fix should not prevent apt from installing it (given the
Canonical repos seem not to be using Let's Encrypt), but:
- Lots of support questions
- Not sure about unattended-upgrades, custom automation for package
updates, etc.

On top of that, for ESM (i.e. xenial):
https://esm.ubuntu.com seems to be using Let's Encrypt.
I did not check specifically whether it has the Android-compatible chain
triggering the openssl/gnutls bug or whether you are using the
alternative chain.

If ESM is affected here, that could be a bigger issue, as it prevents
people from installing the fix (if they don't get it before 2021-10-01).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1928648

Title:
  expiring trust anchor compatibility issue
