[Box Backup] Debian now requires 2048bit RSA keys

[Reinhard Tartler]

Hi Chris,

On Sun, May 19, 2019 at 12:21 PM Chris Wilson <chris+google at qwirx.com>
wrote:

> Hi Reinhard and all,
>
> Good news, I have just finished fixing this problem, and merged it into
> master with https://github.com/boxbackup/boxbackup/pull/36. Please could
> you cut a new Debian package release and see if the tests pass for you? Or
> if not, point me to the failure logs?
>
> If anyone wants to know more, the issue is quite complex, and there are no
> easy answers, which is why it took so long to fix. I've done my best to
> describe it at
> https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates. Please
> feel free to correct any mistakes that I've made.
>

Thanks a lot for your assistance!

I've now (finally) uploaded the package to debian/experimental, the build
logs will be available at
https://buildd.debian.org/status/package.php?p=boxbackup&suite=experimental
 soon.

Unfortunately, the changes are quite invasive and do not qualify for
inclusion into "Debian testing" this late in the Debian release cycle (cf.
https://salsa.debian.org/debian/boxbackup/commit/6017757bc079f4446aa77bc5c0855c52741280f4?w=1
- all of which would need to be reviewed and approved by the Release Team).
That's very unfortunate, because it very likely means that boxbackup will
not be part of Debian 10 (buster).

I am also sympathetic -- the nature of the issue seems to require such
invasive changes and coming up with a simple, focused and reviewable fix is
super hard.

The best that we can do at this point is to get it included into
"buster-backports" as soon as that suite opens, probably shortly after
buster is released, which should be within (hopefully) a small number of
weeks.


Best,
-rt

-- 
regards,
    Reinhard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.boxbackup.org/pipermail/boxbackup/attachments/20190531/36595629/attachment.html>