On Mon, 1 Feb 2021 at 11:46, Matthew Miller <mattdm(a)fedoraproject.org> wrote:
See https://pagure.io/fesco/issue/2570 -- in short, Let's Encrypt is
recommending installing certbot via snap. While it's good that snap works
on Fedora systems, it's not the best experience.
The CertBot website https://certbot.eff.org/docs/install.html#operating-system-packages
has this kind of nasty warning:
"While the Certbot team tries to keep the Certbot packages offered by
various operating systems working in the most basic sense, due to
distribution policies and/or the limited resources of distribution
maintainers, Certbot OS packages often have problems that other
distribution mechanisms do not. The packages are often old resulting in
a lack of bug fixes and features and a worse TLS configuration than is
generated by newer versions of Certbot. They also may not configure
certificate renewal for you or have all of Certbot’s plugins available.
For reasons like these, we recommend most users follow the instructions
at https://certbot.eff.org/instructions and OS packages are only
documented here as an alternative."
I'd like to see three things here:
1. Ensure that the scary things that they suggest are never true on Fedora
systems. I think this *should* be the case because Fedora is generally
on the leading edge in crypto policies and keeps packages up to date
rather than stagnating.
2. Convince EFF/Certbot to not FUD our packages and instead recommend them.
Maybe harder, because there's not the appeal of "one size fits all"
3. Promote slick, out-of-the-box certbot as a Fedora Server feature. And do
whatever it takes to make it really easy. Because that's actually really
valuable.
Is this of interest to anyone?
I think that the fact they are recommending snap is because
1) they (and most systems I run into) are mostly Ubuntu based
2) It is not about being leading edge on this. It is about being the exact
things the Certbot team have tested and know to work. That is harder to
manage because we may be ahead/behind/around the bend for anything from
python/perl versions to not having some particular XYZ package.
The first thing would be to listen to what problems they have been having
with Fedora and see if it is something we can solve. It may be that this is
not something that RPM can solve one way or another.
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader
_______________________________________________
server mailing list -- server(a)lists.fedoraproject.org