Please remove python-letsencrypt and python-letsencrypt-apache from the archive.

Bug #1535101 reported by Thomas Ward
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
python-letsencrypt (Ubuntu) | Invalid | Wishlist | Unassigned |
python-letsencrypt-apache (Ubuntu) | Invalid | Wishlist | Unassigned |

Bug Description

Hello.

The Let's Encrypt project is still in Public Beta, and its programs, libraries, utilities, and other components are under constant and rapid development and as such have a rapidly-changing code base, which ultimately requires the code to remain fairly up to date to continue working with the system as it progresses. Therefore, as time progresses, the package here and upstream (https://github.com/letsencrypt/letsencrypt) functionality will diverge more and more. Maintaining this program in the repositories may lead to issues, INCLUDING the loss of upstream support going forward.

I propose removing the Let's Encrypt client and libraries from the repositories until such time as they have a stable, not-rapidly-changing release.

Therefore, I request the removal of the python-letsencrypt package and the corresponding python-letsencrypt-apache plugin which depends on this library, and all binary AND source packages of both packages from the Xenial repositories, and imposing of a sync blacklist at this time.

Thomas Ward (teward)
description: updated
Thomas Ward (teward) wrote :

I've added python-letsencrypt-apache here as well, because it depends on python-letsencrypt but falls under the same type of removal as it's the same library and such.

summary: - Please remove python-letsencrypt from the archive.
+ Please remove python-letsencrypt and python-letsencrypt-apache from the
+ archive.
Changed in python-letsencrypt-apache (Ubuntu):
importance: Undecided → Wishlist
description: updated
Thomas Ward (teward)
description: updated
Thomas Ward (teward) wrote :

Cancelling this, after discussion with Steve Langasek

Changed in python-letsencrypt (Ubuntu):
status: New → Invalid
Changed in python-letsencrypt-apache (Ubuntu):
status: New → Invalid
Peter Eckersley (pde-lists) wrote :

Hi Thomas,

I'm the upstream lead dev on the python client. We have been working closely with the Debian developers who are packaging our releases. Our current view is that it would be appropriate to package version 0.4.0 or higher of the Let's Encrypt Python client for an LTS release, and a mistake to remove it from xenial.

Although it's true that rapid development is continuing, the client has reached a point of solid beta stability and has in fact already issued around 150,000 certs to Ubuntu 14.04 users in particular (!). We believe that the experience those users would get from native OS packages is much, much better than the one available from the "letsencrypt-auto" script which we have deployed as a crude stand-in for native packages.

There will certainly be many updates to the client through the course of the xenial support window, and our preference would therefore be for Ubuntu to occasionally ship our releases as xenial updates (after an appropriate amount of field testing, of course). But if we had to live with providing security fixes to 0.4.0 or a similar release for the long term, we could even do that too.

Thomas Ward (teward) wrote :

Peter,

Thanks for the message, but note I also made this an Invalid bug - i.e. it is not being pursued any longer.

I would like to point out, however, that the 14.04 users likely have to either use a PPA, or pull directly from the Git repository, which means they have the capacity to get continued updates; this does not apply for Xenial if it is directly available in the repository. My longer term concern is the five-year support period - if you release 0.5.x and that has breaking changes which render 0.4.0 unusable, there would need to be an SRU review prior to getting any 'fixable' release in, and it's entirely possible that it may or may not be included.

Given that there may be the potential for that, whether you're in stable beta or not, is the basis for this request - if Beta software is accepted and forced to have five years of support, and people use this three years from now and it's not working, it's a case of the software being 'poor' and there will then be unfixable bugs and such. That was the basis of the initial request. (You would also have to make reverse-compatibility changes on the LE side - that is, if mechanisms in 0.4.0 are retired, you would potentially still have to support them).
