| 21 Feb 2025 |
emily | wonder if we should consider moving to 2×/day | 16:04:52 |
emily | (https://letsencrypt.org/2025/02/20/first-short-lived-cert-issued/) | 16:04:57 |
| 22 Feb 2025 |
m1cr0man | I mean we only ever had it > 1 day for LE's sake (DDoS) 😅 I don't see why we couldn't do 2x/day.
Sorry, just catching up on this all now. Was on holidays. | 00:26:31 |
hexa | ideally we could configure the intervals relative to the total certificate lifetime provided by the profile | 14:51:01 |
hexa | but in the end it probably doesn't matter too much | 14:51:41 |
hexa | I still worry a bit about shortlived certs and the impact on CT logs | 14:52:13 |
hexa | https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/_335unOyteQ | 14:52:38 |
Arian | As in, CT log performance? | 14:52:44 |
hexa | yeah, they are these very big and slow platforms already | 14:52:54 |
hexa | and now we effectively allow people to recreate their certificates 15 times as often | 14:53:22 |
emily | the sunlight effort is making ct scale much better | 14:54:48 |
emily | https://sunlight.dev/ | 14:55:04 |
emily | and has buy in from CT operators / Chrome / etc. | 14:55:15 |
emily | shouldn't be an issue | 14:55:24 |
emily | shorter lifetimes and better scalability are being coordinated across the entire ecosystem | 14:55:53 |
emily | actually it was internal LE systems that were considered the bottleneck to shorter issuance times for a long while, so I think the most recent development is just them starting to work on scaling their own issuance up | 14:56:43 |
m1cr0man | Are the channel blocker tests defined in nixpkgs or somewhere else? | 19:47:11 |
K900 | In nixpkgs, yes | 19:48:05 |
K900 | What are you looking for? | 19:48:30 |
m1cr0man | I want to replace the ACME test with two of the new individual tests in this PR https://github.com/NixOS/nixpkgs/pull/355087 (the http01-builtin and dns test) | 19:48:53 |
K900 | Oh so all channels | 19:49:22 |
K900 | https://github.com/NixOS/nixpkgs/blob/master/nixos/release-small.nix#L52
https://github.com/NixOS/nixpkgs/blob/master/nixos/release-small.nix#L138
https://github.com/NixOS/nixpkgs/blob/master/nixos/release-combined.nix#L78 | 19:50:10 |
m1cr0man | perrrfect. Will replace all those | 19:50:32 |
Arian | Thanks so much for working on this btw | 21:08:23 |
m1cr0man | Well thank you all for being patient with me 😅 it's been a long time coming, and I've had a lot of stuff going on IRL. It's pained me every time I have heard that the builds have been failing. | 21:23:32 |
m1cr0man | This is fully ready now I believe https://github.com/NixOS/nixpkgs/pull/355087
And the test suite PR should be fully ready once the ofborg tests pass (I want to validate it can still be run on demand). | 21:36:45 |
Arian | This is the life of open source. Everything you write comes with NO WARRANTY WHATSOEVER. Happy we have a way forward. But no pressure | 21:59:27 |