| 3 Jun 2024 |
 Arian | ah awesome | 09:36:19 |
| Arian | Oh well no hard feelings. we’re all human. just makes my blood pressure go up to know I’m breaking people’s TLS setup :’) | 09:37:15 |
| Arian | Added a WIP PR to add the team to code-owners: https://github.com/NixOS/nixpkgs/pull/316854 | 09:45:09 |
| Arian | If there are any volunteers to join the team just yell ;) | 09:45:39 |
 Sandro 🐧 | You could symlink the old hash to the new one if the new directory doesn't exist and the contents are similar enough to be compatible | 09:52:47 |
| Sandro 🐧 | In reply to @arianvp:matrix.org
maybe we should symlink or copy the directory instead of moving? idk. Maybe it's not worth it supporting rollbacks. Just thinking out loud of another failure mode here Copy means you have old, potentially ran out certs | 09:52:47 |
| Sandro 🐧 | In reply to @arianvp:matrix.org
(and it's important. E.g. German government has been issueing LEtsEncrypt certificates for a lot of XMPP servers through MITM'ing through middleboxes at Hetzner datacenters and got caught redhanded multiple times last year) I know of the one case that went on Hackernews.
DNS challenge works against that, does it? | 09:52:47 |
| Sandro 🐧 | I have a PR for a test improvement open for 4 months to prevent sich issues in the future and no one really cared, so I just gave up https://github.com/NixOS/nixpkgs/pull/286999 | 09:52:47 |
| Arian | Yeh no blame on you at all. | 09:53:22 |
| Sandro 🐧 | Going back to null is also not that great because then we rely on the lego defaults which could change in the future | 09:56:08 |
| Sandro 🐧 | If you have a change I could test, throw it over the fence | 10:00:00 |
| Arian | yeh I think the only solution is to do some state mangling.
Or just put in the release notes that the hash changed and call it a day
| 10:00:10 |
