Migrate the CT log list dependency from v2 to v3

[alexandru-lachimov]

[alexandru-lachimov]

I am also using this repo for work and since google is planning to stop publishing both the v1 and v2 CT log lists on 17 October 2022, anything I can contribute to get it merge in?

Hi @perwyl . Unfortunately only @mattmook can merge this PR. There is a solution here -> https://github.com/appmattus/certificatetransparency/issues/44 how to solve this issue without merging this PR.

[roger2hk]

@perwyl @alexandru-lachimov We'll delay the v2 log list turndown by another month to 2022-11-17. https://groups.google.com/g/certificate-transparency/c/otRk_9FZTEA/m/6UiTRgjsAwAJ

[barnhill]

@mattmook Any update on this as the V2 turndown date is getting closer

[roger2hk]

We are pleased to announce that the v2 log list endpoints will serve the v3 log list, which is backward compatible with v2, for another 90 days starting on 2022-11-17. The v2 log list endpoints will start returning 404 on 2023-02-15.

https://groups.google.com/a/chromium.org/g/ct-policy/c/zejEtWAJtEA/m/qOfK8Bk_AgAJ

[nicolasSchirmer]

Any updates?

[kaidotarma]

@mattmook @mreichelt Any updates? When are you planning to get the PR merged? In 15 days v2 endpoints will start returning 404, so it seems that most projects using this library would have to use the workaround mentioned in https://github.com/appmattus/certificatetransparency/issues/44 instead of updating the library.

[mreichelt]

@kaidotarma I wish there was a better answer, but it seems this project is not maintained anymore. There were no responses by @mattmook, who seems to be the only one able to do something about that.

It seems the workaround currently is the only way, unless someone forks this library and publishes it (and makes sure that multiple maintainers are able to handle critical updates like this one).

[antondudakov]

Can someone ask Googlers to give us some more time?

[pavlospt]

Hello everyone, we are considering forking this library under Blueground LTD organization. We have done that in the past in a personal level but the author did not accept a relevant PR, because it was changing the publishing ID, in order to unblock us from an issue back then #21 !

@alexandru-lachimov would you be open/willing to submit the same PR in the forked repo and let us publish the new version 😄 ?

[mattmook]

Apologies not being looking at this project in quite some time.

[mreichelt]

@mattmook Thank you so much for maintaining this project and for updating the CT log list source! 👏

Is there any way the community / companies could help you in maintaining this project? I see you have a Sponsoring Page, but maybe there is additional support that would help you more :)

[mattmook]

@mreichelt Time of course is always the killer... full time job and 2 young kids don't help with that. Sure sponsoring does always help with the motivation side of things, its certainly harder to prioritise things that don't make any income!

That being said PRs and bug reports of any nature are always welcome and helpful too (so of course thanks really go to @alexandru-lachimov here). For example there are some follow up tasks that can be done with v3 - using the timestamp as part of the enforcement policy is one of the main ones... when threat modelling previously I'd certainly highlighted potential replay issues around the log-list-json files which that single field helps solve; I'd highlighted it to Google previously but of course it fell on deaf ears at the time until now because their needs changed with the log-list.json file.

Didn't help much that I'd stepped away from code for about 8 months while playing around with some other things so hadn't quite realised I'd dropped the ball here!