Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: riseup-...@packages.debian.org, nil...@debian.org
Control: affects -1 + src:riseup-vpn
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
The bug got introduced due to a change in the external services that
riseup-vpn interacts with (riseup's servers) and failing to identify their
letsencrypt certs. Full details at Bug#1070270

[ Impact ]
The package is rendered unusable and the user will not be able to use
riseup-vpn and connect to the vpn.

[ Tests ]
Tried this on a fresh stable VM from multiple different angles. This has
also been tried on a stable user's machine and the problem is verified to
have been fixed.

[ Risks ]
This is a leaf package and the changes are fairly minimal. Very low risk to
stable.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add patch to fix up client verification problems with riseup-vpn, which
renders the package useless otherwise. At the moment, the current code is
unable to identify the letsencrypt certs. Used the system pool for this and
created a new cert pool as a fallback. Also added a Depends in d/control on
ca-certificates for the same reason.

[ Other info ]
Since this is a leaf package and the breakage is due to external services,
this may be a candidate for the stable-updates suite as per
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-the-stable-updates-suite

> Examples of circumstances in which the upload may qualify for such treatment
> are:
> ...
> Uploads to stable-updates should target their suite name in the changelog as
> usual, e.g. bookworm.

Since I was confident that this should be accepted, I did a (source-only)
dput/upload.
diff -Nru riseup-vpn-0.21.11+ds1/debian/changelog riseup-vpn-0.21.11+ds1/debian/changelog --- riseup-vpn-0.21.11+ds1/debian/changelog 2023-03-09 09:51:22.000000000 +0530 +++ riseup-vpn-0.21.11+ds1/debian/changelog 2024-05-10 20:13:39.000000000 +0530 @@ -1,3 +1,15 @@ +riseup-vpn (0.21.11+ds1-5+deb12u1) bookworm; urgency=medium + + * Add patch to fixup client verification problems with + riseup-vpn which renders the package useless otherwise. + At the moment, the current code is unable to identify the + letsencrypt certs. Used a systempool for the same and create + a newcertpool as a fallback. Also added a Depends in d/control + for ca-certificates for the same reason. + (Closes: #1070270) + + -- Nilesh Patra <nil...@debian.org> Fri, 10 May 2024 20:13:39 +0530 + riseup-vpn (0.21.11+ds1-5) unstable; urgency=medium * Add procps, iproute2 and iptables to Depends (Closes: #1031905) diff -Nru riseup-vpn-0.21.11+ds1/debian/control riseup-vpn-0.21.11+ds1/debian/control --- riseup-vpn-0.21.11+ds1/debian/control 2023-03-09 09:51:22.000000000 +0530 +++ riseup-vpn-0.21.11+ds1/debian/control 2024-05-10 20:13:39.000000000 +0530 @@ -52,6 +52,7 @@ Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, + ca-certificates, iproute2, iptables, pkexec, diff -Nru riseup-vpn-0.21.11+ds1/debian/patches/add-system-certs.patch riseup-vpn-0.21.11+ds1/debian/patches/add-system-certs.patch --- riseup-vpn-0.21.11+ds1/debian/patches/add-system-certs.patch 1970-01-01 05:30:00.000000000 +0530 +++ riseup-vpn-0.21.11+ds1/debian/patches/add-system-certs.patch 2024-05-10 20:13:39.000000000 +0530 
@@ -0,0 +1,27 @@ +From 14cf64b10a97c29688f252a7d9d3481c8484aa1d Mon Sep 17 00:00:00 2001 +From: max b <bittman...@gmail.com> +Date: Wed, 8 Mar 2023 12:41:45 -0800 +Subject: [PATCH] Add system certs to bonafide + +lilypad/float is now using letsencrypt certs for vpnweb so instead of +instantiating an empty cert pool, we can just use the system pool and +then add the manually configured cert for backwards compatibility. +--- + pkg/vpn/bonafide/bonafide.go | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/pkg/vpn/bonafide/bonafide.go ++++ b/pkg/vpn/bonafide/bonafide.go +@@ -94,7 +94,11 @@ + + // New Bonafide: Initializes a Bonafide object. By default, no Credentials are passed. + func New() *Bonafide { +- certs := x509.NewCertPool() ++ certs, err := x509.SystemCertPool() ++ if err != nil { ++ log.Println("Error loading SystemCertPool, falling back to empty pool") ++ certs = x509.NewCertPool() ++ } + certs.AppendCertsFromPEM(config.CaCert) + client := &http.Client{ + Transport: &http.Transport{ diff -Nru riseup-vpn-0.21.11+ds1/debian/patches/series riseup-vpn-0.21.11+ds1/debian/patches/series --- riseup-vpn-0.21.11+ds1/debian/patches/series 2023-02-26 02:39:10.000000000 +0530 +++ riseup-vpn-0.21.11+ds1/debian/patches/series 2024-05-10 20:13:39.000000000 +0530 @@ -3,3 +3,4 @@ skip-tests-with-postreq.patch fix-non-eng-locales.patch more-polkit-proc.patch +add-system-certs.patch
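Review bot: the new `ca-certificates,` line in the debian/control hunk is what makes the patched x509.SystemCertPool() call useful on a minimal install: Go's Unix root loader reads the bundle and directory under /etc/ssl/certs, which that package populates, so without it the system pool would hold nothing and the Let's Encrypt chain would still fail to validate. Consider recording that rationale in the patch header or d/changelog so the dependency is not dropped later as apparently unused.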
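Review bot: in the bonafide.go hunk of add-system-certs.patch the fallback branch discards err; log it (`log.Println("Error loading SystemCertPool, falling back to empty pool:", err)`) so a support report shows why the system roots were unavailable. The hunk also adds a `log.Println` call without touching the import block, so confirm bonafide.go already imports `log`, otherwise the package fails to build. Two smaller points: the unchanged `certs.AppendCertsFromPEM(config.CaCert)` still ignores its boolean result, so a malformed pinned CA would be dropped silently, and the change widens trust for vpnweb from the single pinned CA to every CA in the system store; that is the intended fix, but it is worth a sentence in the patch description.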
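The approach described under [ Changes ] above (system roots first, an empty pool as fallback, then the provider's pinned CA appended for backwards compatibility), written out as an added example that is not the package's or riseup-vpn's own code. It goes one step beyond the packaged patch by reporting a pinned CA that fails to parse instead of dropping it silently, and it uses a constructed self-signed CA as stand-in for the real pinned certificate; the names `buildCertPool`, `newHTTPClient`, `constructedCA` and `trustedBy` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"time"
)

// buildCertPool returns the roots a client should trust for the provider API:
// the system store (populated by ca-certificates on Debian), so Let's Encrypt
// issued certificates validate, plus the provider's pinned CA for backwards
// compatibility. A pinned PEM that does not parse is reported, not dropped.
func buildCertPool(pinnedCA []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		// Same fallback as the packaged patch: keep going with an empty pool
		// so that at least the pinned CA is trusted; include err in the log.
		log.Printf("could not load system cert pool, using empty pool: %v", err)
		pool = x509.NewCertPool()
	}
	if len(pinnedCA) > 0 && !pool.AppendCertsFromPEM(pinnedCA) {
		return nil, errors.New("pinned CA is not a valid PEM-encoded X.509 certificate")
	}
	return pool, nil
}

// newHTTPClient wires the pool into an http.Client the way bonafide does.
func newHTTPClient(pinnedCA []byte) (*http.Client, error) {
	pool, err := buildCertPool(pinnedCA)
	if err != nil {
		return nil, err
	}
	return &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
		},
	}, nil
}

// constructedCA generates a throw-away self-signed CA (constructed test data,
// standing in for config.CaCert) and returns it PEM-encoded.
func constructedCA() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// trustedBy reports whether the PEM certificate chains to a root in pool.
func trustedBy(pool *x509.CertPool, certPEM []byte) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

func main() {
	ca, err := constructedCA()
	if err != nil {
		log.Fatal(err)
	}
	pool, err := buildCertPool(ca)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("pinned CA trusted by combined pool:", trustedBy(pool, ca))
	fmt.Println("pinned CA trusted by empty pool:", trustedBy(x509.NewCertPool(), ca))
	_, err = buildCertPool([]byte("not a certificate"))
	fmt.Println("malformed pinned CA rejected:", err != nil)
	if _, err := newHTTPClient(ca); err != nil {
		log.Fatal(err)
	}
}
```

Run on a host with ca-certificates installed the combined pool trusts both the system roots and the constructed CA; on a host without it the example still trusts the pinned CA, which mirrors the pre-patch behaviour and is why the Depends matters.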