[Letsencrypt-devel] Bug#817091: Acmetool Review

Peter Colberg peter at colberg.org
Fri Apr 22 20:19:04 UTC 2016


Hi Harlan,

On Sun, Apr 17, 2016 at 08:48:09PM -0400, Harlan Lieberman-Berg wrote:
> Took a look at the acmetool package, and it looks pretty good.

Thank you for taking the time to review the package!

Please pull from the git repository for commit 771996d, which adds a
patch for a security vulnerability reported upstream. This mitigates a
DOS by a malicious ACME server or intermediary sending a huge response
to exhaust the client’s memory. (This may affect other Let’s Encrypt
clients, too.)

> You might want to suppress the lintian warnings for some of the
> hardening flags; it's my understanding (please correct me if I'm wrong
> -- I'm far from a Golang expert) that Golang simply doesn't support many
> kinds of hardening flags on its output -- PIE just doesn't work, and
> since it produces statically linked binaries, some of the other stuff
> doesn't work either.

The Go compiler supports a -buildmode=pie since version 1.6, but
currently dh_golang triggers a bug that prevents its use in Debian.

https://bugs.debian.org/821454

I would like to keep the lintian warnings both for PIE and BINDNOW,
since these should be taken seriously and fixed rather than muted.

> There's also a newer version that's been released since you first
> packaged acmetool; it should be updated prior to upload.

Could you upload the package as of commit 771996d?

The newer versions (0.0.50 and 0.0.51) switched to versioned import
paths for some of the dependencies, which was in fact triggered by
Dmitry's and my requests to properly tag versions.

Go imports packages by URL, but does not support versioning natively.
The Go community set up a redirector service http://gopkg.in as a
work-around that allows importing packages by major version using

gopkg.in/user/pkg.v3 → github.com/user/pkg   (branch/tag v3, v3.N, or v3.N.M)

Unfortunately that means the corresponding Debian packages have
to be re-uploaded with new source and binary package names, e.g.,
golang-github-user-pkg becomes golang-gopkg-user-pkg.v3.

I have included all security and bug fixes from versions 0.0.50 and
0.0.51 as patches to avoid needing to upload further Go packages,
which is a painful process when depending only on sponsorship.

Getting to this stage at all was possible only thanks to the tireless
work of Dmitry Smirnov. I hope to get my first GnuPG signatures from
two Debian developers passing through the city in May, and apply to
become Debian maintainer to at least be able to upload new versions.

Regards,
Peter
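The mitigation Peter describes above (refusing to buffer an unbounded response from an ACME server or intermediary) can be illustrated with a small Go snippet. This is an added example, not acmetool's patch or upstream code; the function names, the 64 KiB cap and the httptest server standing in for a hostile ACME endpoint are all assumptions chosen for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrResponseTooLarge is returned when the server sends more than the cap.
var ErrResponseTooLarge = errors.New("acme: response body exceeds size limit")

// readBounded reads at most maxBytes from body. It asks the limiter for one
// extra byte so that a body exactly at the cap is accepted while any longer
// body is rejected, without ever buffering more than maxBytes+1 in memory.
func readBounded(body io.Reader, maxBytes int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrResponseTooLarge
	}
	return data, nil
}

// fetchBounded performs a GET against an ACME URL (e.g. the directory) and
// refuses to read more than maxBytes, regardless of the advertised Content-Length.
func fetchBounded(client *http.Client, url string, maxBytes int64) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return readBounded(resp.Body, maxBytes)
}

func main() {
	// Constructed stand-in for a malicious ACME server: it streams a 1 MiB
	// body, far larger than any legitimate directory or certificate response.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.Copy(w, strings.NewReader(strings.Repeat("A", 1<<20)))
	}))
	defer srv.Close()

	_, err := fetchBounded(srv.Client(), srv.URL, 64*1024)
	fmt.Println(err) // acme: response body exceeds size limit
}
```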
