[Group.of.nepali.translators] [Bug 1836823] Re: python-acme will break on November 1st
This bug was fixed in the package python-acme - 0.31.0-2~ubuntu19.04.1 --- python-acme (0.31.0-2~ubuntu19.04.1) disco; urgency=medium [ James Hebden ] * Backport packaging to build on Ubuntu Disco (LP: #1836823) [ Andreas Hasenack ] * d/p/series: drop unused -p1 python-acme (0.31.0-2) unstable; urgency=medium * Backport POST-as-GET support (Closes: #928452) -- James Hebden Sat, 07 Sep 2019 16:15:04 +1000 ** Changed in: python-acme (Ubuntu Disco) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1836823 Title: python-acme will break on November 1st Status in python-acme package in Ubuntu: Fix Released Status in python-acme source package in Xenial: Fix Released Status in python-acme source package in Bionic: Fix Released Status in python-acme source package in Cosmic: Won't Fix Status in python-acme source package in Disco: Fix Released Bug description: [Impact] This bug affects the python-acme package in all released versions of Ubuntu, with the exception of Eoan Ermine which uses a newer version of python-acme. The major change in the package is the backporting of fixes to allow the python-acme package to continue to work with Let’s Encrypt’s “ACMEv2” endpoint, which is their RFC 8555 compliant endpoint for issuing and renewing TLS certificates, after service changes are made on November 1st. See https://community.letsencrypt.org/t/acme-v2 -scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more details about this change. The primary concern here is that users of the library, most commonly users of the certbot package, will no longer be able to obtain new certificates and existing certificates issued via certbot will no longer be able to renew, resulting in broken TLS configurations for many users and sites hosted on Ubuntu where certbot is used to request and renew TLS certificates. For further reference, see https://wiki.ubuntu.com/StableReleaseUpdates/Certbot [Major Changes] There are no backwards incompatible API changes being introduced by the backported changes to this library, as such interoperability with existing packages should not be impacted. All changes being introduced are either new features or fixes to ensure the library's behaviour remains compatible with the ACME protocol, which was only finalised in March of this year. These changes are required to maintain compatibility with the ACMEv2 servers operated by LetsEncrypt per the Impact section. Key changes being introduced by this backport: The changelog entries for the update from 0.31.0-1 to 0.31.0-2 are: * The acme module uses now a POST-as-GET request to retrieve the registration from an ACMEv2 server. * The acme module now avoids sending the keyAuthorization field in the JWS payload when responding to a challenge as the field is not included in the current ACME protocol. To ease the migration path for ACME CA servers, Certbot and its acme module will first try the request without the keyAuthorization field but will temporarily retry the request with the field included if a malformed error is received. * The Content-Type in the POST-as-GET request to retrieve a certificate was corrected from "application/pkix-cert" to "application/jose+json". In addition to those changes, the relevant changelog entries when updating from 0.23.0 are: * Added support for initiating (but not solving end-to-end) TLS-ALPN-01 challenges with the acme module. * Added External Account Binding support. * Use the ACMEv2 newNonce endpoint when a new nonce is needed, and newNonce is available in the directory. * Warn when using deprecated acme.challenges.TLSSNI01 * When using acme.client.ClientV2 (or acme.client.BackwardsCompatibleClientV2 with an ACME server that supports a newer version of the ACME protocol), an acme.errors.ConflictError will be raised if you try to create an ACME account with a key that has already been used. Previously, a JSON parsing error was raised in this scenario when using the library with Let's Encrypt's ACMEv2 endpoint. * You can now call query_registration without having to first call new_account on acme.client.ClientV2 objects. * Support for the ready status type was added to acme. Without this change, Certbot and acme users will begin encountering errors when using Let's Encrypt's ACMEv2 API starting on June 19th for the staging environment and July 5th for production. See https://community.letsencrypt.org/t/acmev2-order-ready-status/62866 for more information. * acme now supports specifying the source address to bind to when sending outgoing connections. * acme now parses the wildcard field included in authorisations so it can be used by users of the librar
[Group.of.nepali.translators] [Bug 1836823] Re: python-acme will break on November 1st
This bug was fixed in the package python-acme - 0.31.0-2~ubuntu18.04.1 --- python-acme (0.31.0-2~ubuntu18.04.1) bionic; urgency=medium * Backport packaging to build on Ubuntu Bionic (LP: #1836823) python-acme (0.31.0-2) unstable; urgency=medium * Backport POST-as-GET support (Closes: #928452) python-acme (0.31.0-1) unstable; urgency=medium * Bump dependency on josepy to >= 1.1.0 * Add Breaks on python-acme against certbot << 0.20 * New upstream version 0.31.0 * Add dep on python-idna required by security extra. * Bump S-V; no changes needed. python-acme (0.28.0-1) unstable; urgency=medium * New upstream version 0.28.0 python-acme (0.27.0-1) unstable; urgency=medium * New upstream release. * Bump S-V; no changes needed. python-acme (0.26.0-1) unstable; urgency=medium * New upstream version 0.26.0 * Bump S-V; add Rules-Require-Root: no python-acme (0.25.1-1) unstable; urgency=medium * New upstream version 0.25.1 python-acme (0.25.0-1) unstable; urgency=medium * New upstream version 0.25.0 * Add new dependency on requests-toolbelt * Drop unnecessary X-Python-Version fields * Add pytest as build-time dep only. python-acme (0.24.0-2) unstable; urgency=medium * Update team email address. (Closes: #895863) python-acme (0.24.0-1) unstable; urgency=medium * New upstream release. * Bump S-V; no changes needed. -- James Hebden Sat, 07 Sep 2019 16:15:04 +1000 ** Changed in: python-acme (Ubuntu Bionic) Status: Fix Committed => Fix Released ** Changed in: python-acme (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1836823 Title: python-acme will break on November 1st Status in python-acme package in Ubuntu: Fix Released Status in python-acme source package in Xenial: Fix Released Status in python-acme source package in Bionic: Fix Released Status in python-acme source package in Cosmic: Won't Fix Status in python-acme source package in Disco: Fix Released Bug description: [Impact] This bug affects the python-acme package in all released versions of Ubuntu, with the exception of Eoan Ermine which uses a newer version of python-acme. The major change in the package is the backporting of fixes to allow the python-acme package to continue to work with Let’s Encrypt’s “ACMEv2” endpoint, which is their RFC 8555 compliant endpoint for issuing and renewing TLS certificates, after service changes are made on November 1st. See https://community.letsencrypt.org/t/acme-v2 -scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more details about this change. The primary concern here is that users of the library, most commonly users of the certbot package, will no longer be able to obtain new certificates and existing certificates issued via certbot will no longer be able to renew, resulting in broken TLS configurations for many users and sites hosted on Ubuntu where certbot is used to request and renew TLS certificates. For further reference, see https://wiki.ubuntu.com/StableReleaseUpdates/Certbot [Major Changes] There are no backwards incompatible API changes being introduced by the backported changes to this library, as such interoperability with existing packages should not be impacted. All changes being introduced are either new features or fixes to ensure the library's behaviour remains compatible with the ACME protocol, which was only finalised in March of this year. These changes are required to maintain compatibility with the ACMEv2 servers operated by LetsEncrypt per the Impact section. Key changes being introduced by this backport: The changelog entries for the update from 0.31.0-1 to 0.31.0-2 are: * The acme module uses now a POST-as-GET request to retrieve the registration from an ACMEv2 server. * The acme module now avoids sending the keyAuthorization field in the JWS payload when responding to a challenge as the field is not included in the current ACME protocol. To ease the migration path for ACME CA servers, Certbot and its acme module will first try the request without the keyAuthorization field but will temporarily retry the request with the field included if a malformed error is received. * The Content-Type in the POST-as-GET request to retrieve a certificate was corrected from "application/pkix-cert" to "application/jose+json". In addition to those changes, the relevant changelog entries when updating from 0.23.0 are: * Added support for initiating (but not solving end-to-end) TLS-ALPN-01 challenges with the acme module. * Added External Account Binding support. * Use the ACMEv2 newNonce endpoint when a new nonce is needed, and newNonce is available in the directory. * Warn when using deprecat
[Group.of.nepali.translators] [Bug 1836823] Re: python-acme will break on November 1st
Cosmic is now EOL, so there is no need to work on the Cosmic update any longer. ** Changed in: python-acme (Ubuntu Cosmic) Status: Triaged => Won't Fix -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1836823 Title: python-acme will break on November 1st Status in python-acme package in Ubuntu: Fix Released Status in python-acme source package in Xenial: Triaged Status in python-acme source package in Bionic: Triaged Status in python-acme source package in Cosmic: Won't Fix Status in python-acme source package in Disco: Triaged Bug description: [Impact] Not directly applicable; see the exception policy document: https://wiki.ubuntu.com/StableReleaseUpdates/Certbot [Major Changes] This bug affects the python-acme package in all released versions of Ubuntu, with the exception of Eoan Ermine which uses a newer version of python-acme. The major change in the package is the backporting of fixes to allow the python-acme package to continue to work with Let’s Encrypt’s “ACMEv2” endpoint, which is their RFC 8555 compliant endpoint for issuing and renewing TLS certificates, after service changes are made on November 1st. See https://community.letsencrypt.org/t/acme-v2 -scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more details about this change. The primary concern here is that users of the library, most commonly users of the certbot package, will no longer be able to obtain new certificates and existing certificates issued via certbot will no longer be able to renew, resulting in broken TLS configurations for many users and sites hosted on Ubuntu where certbot is used to request and renew TLS certificates. [Test Plan] See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process [Regression Potential] Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters. As opposed to upgrading to the newer version of python-acme (0.36.0-1) from Eoan Ermine, and advantage of SRU'ing the 0.31.0-2 version to Xenial, Bionic, Cosmic and Disco, is that there are no breaking API changes between python-acme 0.31.0-2 and the version of python-acme currently in the repositories. Therfore, SRU'ing 0.31.0-2 carries the least risk of regression while enabling the library to function correctly after November 1st. The regression potential of backporting 0.36.0-1 and associated newer dependencies would be higher, as more packages would need to be backported and the risk of introducing breaking API changes to dependant applications would therefore be increased. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/1836823/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
[Group.of.nepali.translators] [Bug 1836823] Re: python-acme will break on November 1st
** Changed in: python-acme (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1836823 Title: python-acme will break on November 1st Status in python-acme package in Ubuntu: Fix Released Status in python-acme source package in Xenial: Triaged Status in python-acme source package in Bionic: Triaged Status in python-acme source package in Cosmic: Triaged Status in python-acme source package in Disco: Triaged Bug description: This bug affects the python-acme package in all released versions of Ubuntu. The python-acme package will no longer work with Let’s Encrypt’s “ACMEv2” endpoint which is their RFC 8555 compliant endpoint starting November 1st. See https://community.letsencrypt.org/t/acme-v2 -scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more details about this change. After November 1st of this year, the python-acme packages will be unusable with Let's Encrypt's endpoint which will break any software using the library for this purpose. The primary concern here is that users of the library will no longer be able to obtain new certificates. Certificates which are currently being automatically renewed will suddenly become unable to do so which will likely result in broken TLS configurations for many users. As one of the upstream maintainers of this library, I think the safest way to start to resolve this problem would be to backport the python- acme 0.31.0-2 package from Debian Buster to Disco. The python-acme package in Disco is version 0.31.0-1 and the only code differences should be some minor patches that were applied to the package in Buster to avoid this problem before it was released. I think taking this package would result in the smallest diff while sticking to a well tested package. Alternatively, if taking a package from Debian at this point is awkward, I can either provide info on the changes that were backported to create 0.31.0-2 in Debian so we could do something similar to the package in Disco or we could backport python-acme 0.34.0+. After the package in Disco is updated to resolve this, I think we should backport the updated package to every non-EOL'd release of Ubuntu back to Xenial. There are no breaking API changes between python-acme 0.31.0-2 and the version of python-acme in any Ubuntu release and no dependencies need to be updated. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/1836823/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
