On Wed, Jun 19, 2019 at 01:57:39PM +0100, Ian Jackson wrote:
> FTAOD: I have a memory that in response to Hector Oron's message #20
> in that bug, I did try to have a conversation on debian-admin, but
> that I found that conversation very frustrating. I did not feel that
> the DSA members I was talking to were listening very well. Probably,
> they felt I was rude. I gave up. [1]

Is it at all likely that the ftpmaster api service might migrate away from Let's Encrypt at this point? I would assume probably not. In that case, you could at least make the situation substantially better with no further DSA work required by pinning the appropriate LE root certificate in dgit. While that still means that LE could subvert the service, it would prevent anyone else who operates one of the many CAs in ca-certificates from doing the same.

Does that help?

-- 
Colin Watson [cjwat...@debian.org]
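The effect of pinning a single root, as an added example that is not part of the original message and is not dgit's code: two constructed throwaway CAs stand in for the pinned root and for some other CA shipped in ca-certificates. All file and function names are hypothetical, and the `openssl` command-line tool (1.1.0 or later) is assumed.

```shell
#!/bin/sh
# Constructed demo: nothing here is a real CA, key or hostname.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {     # $1 = name -> $work/$1.pem (self-signed root), $work/$1.key
    openssl req -x509 -config "$work/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$1 constructed root" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

issue_leaf() {  # $1 = issuing CA name -> $work/leaf-by-$1.pem
    openssl req -new -config "$work/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=api.example.invalid" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$work/leaf.csr" -CA "$work/$1.pem" \
        -CAkey "$work/$1.key" -set_serial 1 -days 2 \
        -out "$work/leaf-by-$1.pem" 2>/dev/null
}

# Verify a leaf against ONE root only. -no-CApath keeps OpenSSL from also
# consulting the system CA directory (OpenSSL 3 additionally has -no-CAstore).
verify_pinned() {  # $1 = pinned root name, $2 = leaf certificate file
    openssl verify -no-CApath -CAfile "$work/$1.pem" "$2" >/dev/null 2>&1
}

make_ca pinned; make_ca other
issue_leaf pinned; issue_leaf other

# A leaf from the pinned root verifies; one from any other CA does not.
verify_pinned pinned "$work/leaf-by-pinned.pem" && echo "pinned-root leaf: accepted"
verify_pinned pinned "$work/leaf-by-other.pem"  || echo "other-CA leaf: rejected"
```

The second leaf is perfectly valid under its own issuer; it is rejected only because that issuer is not the pinned root, which is the property the message describes.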