From chris+google at qwirx.com Thu Jun 6 00:45:42 2019
From: chris+google at qwirx.com (Chris Wilson)
Date: Thu, 6 Jun 2019 00:45:42 +0100
Subject: [Box Backup] Debian now requires 2048bit RSA keys
In-Reply-To:
References:
Message-ID:

Hi Reinhard,

Could you have a look at this patch (documented here) to see if it's
something like what you were hoping for?

Thanks, Chris.

On Fri, 31 May 2019 at 22:55, Reinhard Tartler wrote:

> On Fri, May 31, 2019 at 5:03 PM Chris Wilson wrote:
>
>> Hi Reinhard,
>>
>> Presumably the many other affected packages have had similar difficulty
>> in developing a comprehensive solution? I also wasn't aware of a time
>> constraint. Not that it would have helped me much, as I was moving house,
>> but it would have been good to know that there was a risk of not making
>> Debian 10.
>
> I'm sorry, I should have communicated that point earlier. I've been bitten
> by this with other packages as well.
> The release schedule is documented here:
> https://wiki.debian.org/DebianBuster
> The most recent update from the release team is
> https://lists.debian.org/debian-devel-announce/2019/04/msg00003.html -
> and newer updates will be linked from https://release.debian.org/.
>
> In short: The team is minimizing changes as much as possible, and getting
> updates in becomes more and more a similar big deal as updating something
> in stable.
>
>> I could create a special branch with a cut-down version of the solution,
>> e.g. forcing the SecurityLevel to -1 (compatibility and warn) for the time
>> being, in order to get the fix out in time for Debian 10, and then put the
>> full version into backports?
>
> That would be amazing, if the patch is easy to review, I'd be happy to
> upload it as a distro patch based on the current package and try to get
> this approved by the release team. It might even be accepted as a stable
> update, depending on how invasive it is.
>
> Thanks,
> -rt

From siretart at gmail.com Fri Jun 7 22:26:31 2019
From: siretart at gmail.com (Reinhard Tartler)
Date: Fri, 7 Jun 2019 17:26:31 -0400
Subject: [Box Backup] Debian now requires 2048bit RSA keys
In-Reply-To:
References:
Message-ID:

On Wed, Jun 5, 2019 at 7:46 PM Chris Wilson wrote:

> Hi Reinhard,
>
> Could you have a look at this patch (documented here) to see if it's
> something like what you were hoping for?

Hi Chris,

I've uploaded this patch now to unstable, looks good, thanks for the patch.
It is still about 80k big, though :-( - quite a lot to review manually. Most
of it is actually test code though!

Unfortunately, I have bad news. I totally missed that boxbackup has already
been removed on 23 Sep 2018:
https://tracker.debian.org/news/989096/boxbackup-removed-from-testing/

That's a bummer, because the freeze guidelines rule out migration of
packages that aren't part of testing since beginning of February (cf.
https://release.debian.org/buster/freeze_policy.html).

Sorry about that, that's totally on me, I should have been more vocal about
this end of last year and totally dropped the ball here.

I guess we'll have to go the backports route then.

Best,
-rt

--
regards,
Reinhard

From siretart at gmail.com Sun Jun 9 23:26:40 2019
From: siretart at gmail.com (Reinhard Tartler)
Date: Sun, 9 Jun 2019 18:26:40 -0400
Subject: [Box Backup] Debian now requires 2048bit RSA keys
In-Reply-To: <35C20C31-B2B9-4F6C-BE46-8592F7AFCABB@simply-italian.co.uk>
References: <35C20C31-B2B9-4F6C-BE46-8592F7AFCABB@simply-italian.co.uk>
Message-ID:

Agreed!

In this case, the bug was reported on Aug 24 2018 by Adrian Bunk. It was
removed about a month later, namely on September 23, for failing to build
from source. Four weeks is arguably quite fast. Or quite slow, depending on
whom you talk to.

I probably could have reacted by disabling the test suite. Or by prodding
you in those four weeks harder. Or at last have the bug fixed by end of
last year, which would have left enough time to re-migrate to testing. In
the future, I'll know better.

Again, sorry. I'm happy to help with getting the package to
buster-backports once it opens.

-rt

On Sun, Jun 9, 2019 at 5:29 PM Chris Wilson wrote:

> Hi all,
>
> It seems a bit egregious to kick out packages that were broken by a minor
> version upgrade in one of their dependencies (which after all is not
> supposed to break anything), without any warning, let alone time to fix
> such a complex issue properly.
>
> I hope that Debian will consider carefully whether this course of action
> was really in the best interests of its users.
>
> Thanks, Chris.

--
regards,
Reinhard

From chris+google at qwirx.com Mon Jun 10 08:52:49 2019
From: chris+google at qwirx.com (Chris Wilson)
Date: Mon, 10 Jun 2019 08:52:49 +0100
Subject: [Box Backup] Debian now requires 2048bit RSA keys
In-Reply-To:
References: <35C20C31-B2B9-4F6C-BE46-8592F7AFCABB@simply-italian.co.uk>
Message-ID:

Hi Reinhard,

I don't blame you. I think that for Debian to upgrade a package, changing a
global setting, break some of its dependencies, and then kick out the
resulting broken packages a month later (nearly a year before the expected
release date) seems pretty harsh.

In this case it took me 4.5 months to fix the issue from when you reported
it to me, so unless a package has at least one full-time developer, a month
simply isn't enough to fix this issue. Not even close for a hobbyist like
myself.

Thanks, Chris.

On Sun, 9 Jun 2019 at 23:26, Reinhard Tartler wrote:

> Agreed!
>
> In this case, the bug was reported on Aug 24 2018 by Adrian Bunk. It was
> removed about a month later, namely on September 23, for failing to build
> from source. Four weeks is arguably quite fast.
> Or quite slow, depending on whom you talk to.
>
> I probably could have reacted by disabling the test suite. Or by prodding
> you in those four weeks harder. Or at last have the bug fixed by end of
> last year, which would have left enough time to re-migrate to testing. In
> the future, I'll know better.
>
> Again, sorry. I'm happy to help with getting the package to
> buster-backports once it opens.
>
> -rt
>
> On Sun, Jun 9, 2019 at 5:29 PM Chris Wilson wrote:
>
>> Hi all,
>>
>> It seems a bit egregious to kick out packages that were broken by a minor
>> version upgrade in one of their dependencies (which after all is not
>> supposed to break anything), without any warning, let alone time to fix
>> such a complex issue properly.
>>
>> I hope that Debian will consider carefully whether this course of action
>> was really in the best interests of its users.
>>
>> Thanks, Chris.
>
> --
> regards,
> Reinhard