I'd started talking about this a little in another thread, and then @tlrenkensebastian wanted more information on my perspective. I thought I wouldn't have time to write this all up, but apparently I wanted to procrastinate on other tasks more. So, here comes what I hope is some constructive criticism that might be a starting point for trying to make Let's Encrypt even better.
The core thing that made me start thinking of this over recent weeks is that sometimes I want to post a link to something "official" as a reply to a discussion here. And I'll know that I saw something once, and it must be around, but it sometimes takes a while to find it. And part of what makes it take a while to find is that there are several places to look:
- The documentation
- The blog
- The API Announcements category.
- Occasionally there are "official"-ish statements posted in other categories here too, sometimes just offhand as a reply to what somebody asked, but also as a separate post when it's important enough to mention but not deemed important enough to be an "announcement" (as in this recent case where new DDoS protection blocking was added), particularly if it's expected to be temporary and not affect many people.
So as some examples, if I want to answer somebody about why they can only get 90-day certificates that's in an old blog post, the plan for removing ACME v1 support is in API Announcements, and there's a list of upcoming and completed features in the documentation.
There was a little discussion of this in the recent discussion of rebooting the FAQ, that it might serve as a better "index" to the various resources in some way.
For a more concrete example of a recent major change that I think could have gone better, I'll bring up the replacement of the intermediates at the end of last year. The official Integration Guide says that the way to get updates about important changes is to sign up for a forum account and subscribe to the API Announcements category. [Aside: This is the reason why I got a forum account, and ever since I've spent much more time on here than I ever thought I would.] But the actual announcement of the new intermediates was posted only on the blog Sept. 17, 2020. The post to the API Announcements category was on Nov. 24, 2020, and it said that the new intermediate might be issuing as soon as that day. (Though actual issuance didn't start until Dec. 1.) From being on the forums around that time, it sure seems that the new intermediate took quite a few people off-guard (even if they "should" been expecting it as the old intermediate was expiring), and I think for some of them the API Announcement was their first indication that something was changing.
Now, the expiration of DST Root X3 is clearly a big deal integrators need to understand, and they've worked hard to get information out. The plan has changed many times, though, which I think has caused more confusion. There are many posts in API Announcements about switching to serving the ISRG Root by default, and moving out that date, and there were blog posts about what would happen too, and then the blog post got updated with a new plan of the expired-long-term-cross-sign, and while some of the blog posts and updates I think were posted to API Announcements I don't think all of them were. (For instance, this post mentioning the blog post was posted in Issuance Tech, but I can't find a link to that blog post from the API Announcements category though maybe I just missed it looking through just now.) More recently there is a new post in API Announcements with the latest status, but I think it's been a confusing road to get to this point, particularly for people who just get the emails from subscribing to API Announcements (like the Integration Guide tells them to) and don't otherwise keep up with the forum or blog.
So now to answer the questions that prompted me to actually finally write all this up,
It's a mixed bag, I think. I do hate to complain, as I know it's a small staff and if I were supreme benevolent dictator of all things Let's Encrypt I don't know as I would do any better. Certainly the Integration Guide is pretty good and its main flaw is that not everybody who needs to know about it has read it. But it does imply that subscribing to the API Announcements category is all one needs to do in order to get updates, but I'm not sure that there's always a focus on ensuring that everything of note gets posted there. (And of course, if you post too much there then people get annoyed that they get messages too often, so it's a tough balance.)
This is a tricky one that I'm not really sure of. (Of course when you start thinking about your own "default" behavior you end up second-guessing yourself on everything.) I get notified on all the API Announcements, so I'm certainly aware of them when they happen. When I was trying to find info on the ACME v1 shutdown plan to post in some topic in recent days it took me more time to find than I expected, though, since I was looking in the documentation and blog but it was only in the API Announcements.
I don't know as I really care, as long as it was all in one spot, and I could get email notifications of it. (I don't see a way to get emailed new blog posts, for instance, but I'm more email-centric than other people probably are.) I think the API Announcements category actually works fine as a "place", but perhaps needs to be referenced more from the documentation somehow, and Let's Encrypt should be sure to also post there when a blog is posted that also impacts users? And other ways of getting the API Announcements for people who don't want to sign up for a forum account and get emails (RSS? Social media? I don't know what the cool people are using these days) should probably be prominently available as well.
Again, I'm hoping that this is constructive, and probably other people have better ideas for improving things here than I might. (I'm a software engineer, not a communications expert. )