#3124 Permanent Update Policy Exception for certbot
Closed: Accepted 3 months ago by tstellar. Opened 4 months ago by jonathanspw.

This ticket asks FESCo to consider whether the certbot package should be granted a permanent exception under the Updates Policy.

The certbot package is a Python package published by EFF to manage free SSL certs mostly from Let's Encrypt but others are supported as well. It has integrations for various DNS providers as well as Apache and Nginx web servers.

No package depends on the certbot package.

This request is mostly so EPEL can inherit the exception as the short lifecycle of Fedora makes it less relevant to Fedora specifically. Given EPEL's long life cycle, many things can change cert-wise over a 10-year period along with APIs of the DNS providers with which certbot integrates. This leads to folks being unable to get the most ideal (secure) certs and/or completely broken integrations which can break or otherwise leave websites vulnerable if server admins don't take action.

certbot does have breaking changes in the traditional sense of changed functionality; it generally does not require user intervention and the value of updating far outweighs the very minute chance of an obscure breakage from said update.


I think this is reasonable as a Fedora-wide exception.

+1

Metadata Update from @ngompa:
- Issue tagged with: updates policy exception

4 months ago

+1 from me

Keeping certbot up to date is "critical infrastructure" in 2024.

We've passed the seven day mark (adjusted for the end-of-year absences) but we don't yet have +3, so voting will extend for another week.

This is APPROVED (+7, 0, 0)

Metadata Update from @ngompa:
- Issue tagged with: pending announcement

3 months ago

Metadata Update from @tstellar:
- Issue untagged with: pending announcement
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

3 months ago
