Tero Marttila
The automatic rotation is a little crazy because it also happens when testing code via rspec... specs might pass on your dev machine, but fail if they're run by a...
acme-client 0.5.0 has breaking changes for our implementation:

* Drop Acme::Client#challenge_from_hash and Acme::Client::Resources::Challenges::Base#to_h in favor of the new API.

Fixing these will require mongo schema changes (store the challenge URL...
> I wonder how that vulnerability affects the master

CVE-2018-1000539 looks like it affects JWT token validation: https://github.com/nov/json-jwt/pull/62 I would assume that acme-client only uses json-jwt to build authentication...
acme-client 0.3.4 only uses `JWT` to sign tokens: https://github.com/unixcharles/acme-client/blob/1b231de016a8df1ba2f4745f5bee612f73e7b2e4/lib/acme/client/crypto.rb

```
$ rgrep -i jwt vendor/bundle/ruby/2.3.0/gems/acme-client-0.3.4
vendor/bundle/ruby/2.3.0/gems/acme-client-0.3.4/acme-client.gemspec: spec.add_runtime_dependency 'json-jwt', '~> 1.2', '>= 1.2.3'
vendor/bundle/ruby/2.3.0/gems/acme-client-0.3.4/lib/acme-client.rb:require 'json/jwt'
vendor/bundle/ruby/2.3.0/gems/acme-client-0.3.4/lib/acme/client/crypto.rb: jwt = JSON::JWT.new(payload || {})...
```
> Ignoring though means that we need to disable the vulnerability check in specs or it can't do the release.

That would be `bundle audit check --ignore CVE-2018-1000539`
:+1: in principle, the current implementation doesn't make sense: some things like `data['hooks'] = options['hooks'] || {}` will get cleared from the service if you remove the `hooks:` block from...
CoreOS stable 1688.4.0 was promoted with the Linux 4.14.30 kernel containing the problematic commit without the fix, triggering this regression: https://github.com/coreos/bugs/issues/2382#issuecomment-376793548 This means that CoreOS stable 1632.3.0 => 1688.4.0 upgrades...
To be clear, this is :+1: from a design point of view, it makes plenty of sense to have pluggable pubsub backends. The actual implementation could just be a little...
Workaround for Ubuntu: the relevant package to remove is `libnss-mdns`; removing that should clear the `hosts: mdns*` entry from `/etc/nsswitch.conf`.

```
$ grep hosts /etc/nsswitch.conf
hosts: files mdns4_minimal [NOTFOUND=return] dns...
```
> Agree, but I think you can parametrize the ${GRID} away...?

In the stack files, yes, but harder in external configuration files. If you're generating the configs inside service containers,...