Date: Thu, 9 Sep 2021 14:33:49 +0200
From: Christoph Berg
To: Stefan Huehner
Cc: pgsql-pkg-debian@postgresql.org
Subject: Re: apt.postgresql.org repo via https will fail will some users starting 2021-10-01
In-Reply-To: <20210908164806.GC6114@huehner.biz>

Re: Stefan Huehner
> sending this here as looks like https://apt.postgresql.org is affected by this so this could trigger some support/user questions.
>
> Note this only (!) happens when using https:// in sources.list for the pgdg repo.

Hi,

thanks for sharing this. We aren't advertising https:// for apt.postgresql.org anywhere, but the download instructions tell users to "wget" the repository key from https://www.postgresql.org, so we are at least somewhat affected. (wget is using gnutls at least in unstable.)

> Ideas:
> - Do nothing apt.postgresql suggest http:// in the instructions
> - Some on the website
> - Think on reconfiguring certbot/Let's Encrypt on the server to switch to the alternative chain (avoiding this bug but breaking compatibility with old Android

That's probably rather the ca-certificates package?

> - Raise as bug to Debian also (against openssl/gnutls) to maybe patch both in stable also to avoid this?
> - Not sure if that is an interesting/acceptable material for stable/old-stable?

If stretch/buster/bullseye are affected, these should be fixed, yes. Though none of this is material for the PostgreSQL packages, can you raise the issue with the LTS team?

Christoph