Hi,

On Tue, May 30, 2017 at 08:45:26AM -0400, Peter Colberg wrote:
> Control: tag -1 - moreinfo
>
> On Mon, May 29, 2017 at 01:11:47PM +0100, Jonathan Wiltshire wrote:
> > None of these issues seem to have corresponding BTS bugs. If they did,
> > which severity would you choose? (hint: if they're not at least
> > 'serious'...)
>
> I would assign the following severities:
>
> * Validate hostnames in 'acmetool want' [1]
>
> Severity: normal
>
> This improves the error handling when the user passes an invalid host
> name.
>
> https://github.com/hlandau/acme/issues/204
>
> * Allow environment variables to be passed to challenge hooks [2]
>
> Severity: normal
>
> https://github.com/hlandau/acme/issues/166

These would be nice in the long term, but I don't really think they're
critical right now.

> * Allow acmeapi to obtain new nonces if nonce pool is depleted [3]
>
> Severity: important
>
> This fixes a potential failure to acquire certificates.
>
> https://github.com/hlandau/acme/issues/214

Let's assume that if the Let's Encrypt responder is giving you 503s, it's
game over anyway.

> * Don't attempt fdb permission tests on non-cgo builds [4]
>
> Severity: serious
>
> This fixes an FTBFS on architectures using gcc-go.

Does this actually affect stretch builds, or just architectures outside
those?

> https://github.com/hlandau/acme/issues/219
>
> * Add read/write timeouts to redirector server [5]
>
> Severity: serious
>
> This fixes a denial-of-service in the HTTP-to-HTTPS redirector.

Is this likely, given there is only really one set of (probably
well-behaved) clients in the real world? Possibly I've misunderstood the
purpose of this redirector.

> * Allow hidden files within the state directory [6]
>
> Severity: important
>
> This ignores dot files in /var/lib/acme, e.g., .git/.
>
> https://github.com/hlandau/acme/issues/153

This might be a bit noisy, but it's not a show-stopper is it?

I'm erring on the side of deferring all of these and cherry-picking them if
real-world issues get reported for stable. It's an awful lot of changes for
this late in the process and not really suitable.

Thanks,

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51