Merge ~ahasenack/ubuntu/+source/squid:squid-4-merge into ubuntu/+source/squid:debian/sid

## Drop/Remaining Changes ##

I went through the old and new Delta one by one and side by side, I'll only mention the ones worth to talk about (Thanks for the changelog entries explaining drops/adds).

#1 on the "refresh patterns" I wonder, this carried over as it was.
But it also adds a pattern for (Release|Packages(.gz)*) - probably worth to improve the changelog wording at least.
I'd have expected this to be commented out as well - do we want to change that?

#2 The "Correct attribution and add explanatory note in d/NEWS.debian" also is nor more relevant due to no related upgrade path being left. This can be Dropped IMHO.
Would you agree?

#3 "Set pidfile for systemd's sysv-generator" is no more needed. We have a native service which will be used (not the generator). This was from early Xenial and back then we had no service, so it made sense in the past, but no more.

#4 "short-circuiting"
It is important to note that this is in the maintscripts of the squid3 transitional package.
That transition already happened.
There is nothing generated after the removed short-circuit
The package is empty transitional now.
While in theory there could be something, there is in real life nothing in there.
The combination of "nothing is there" and "transition already happened" and "empty" makes me think we can drop this Delta - it isn't perfect in Debian, but also has no effect.
Turn it around, how would you explain Debian they need this Delta - see, there is no compelling reason I can think of.

Ack to all other Drops/Keep entries

## Added Changes ##
I checked debian/master - ack on the new changes themselve AND that are already in Debian and later to be dropped.

On the others:

#5 "d/t/0003-installed-binary-for-debian-ci.patch: use the squid binary from the system"
I see what you are doing, why are we doing that?
Bug or minimal in changelog reasoning would be nice

#6 "Workaround gcc's maybe-unitialized" I know since I remember our discussion, but maybe add "ppc64el build issue" to the changelog for this?

I was confused why Debian has taken "fix apparmor profile filename" if we are the only ones adding the disabled profile?! I found there is an upstream profile in tools/apparmor/usr.sbin.squid but it is not installed.
Maybe as you said, just submit the disabled profile to Debian as well and be good with it.
Maybe OTOH a merge of our profile with the one from upstream would be better (submit our things upstream).
And finally I think best would be
a) bring our apparmor Delta to upstream
b) change Debian packaging to install that profile
That way we can actually benefit from what upstream is maintaining there - we can always add pacthes that extend it if needed.
This won't stall the upload, but being curious, is there more background to it already?

Ack on the other new changes.

## Fin ##
From a testing POV I haven't found anything that breaks - so good to go from that as well.
I tested manual upgrades, start/stop and the qa-regression tests.
The qa tests showed one issue, but I'll debug first if it is an issue in the test due to the rename.

Already great work and if you follow my reasoning even more cleanup will happen.
Eager to hear your opini...

Yeah, the test Fail was an artifact of squid4 behaving slightly different - i'll submit an MP to the tests and set you to CC there.

MP for the test: https://code.launchpad.net/~paelzer/qa-regression-testing/+git/qa-regression-testing/+merge/353164

1) I updated the refresh patterns, taking the more complete config from the squid-deb-proxy package. I left the caching of debs as a commented example, though, like it was before. I could be convinced otherwise. It would help to know why it was a comment in the first place, instead of enabled by default.

2) The attribution in d/NEWS.debian was added to a specific section in that file, namely under version "quid3 (3.5.6-1)". In that context, I think it's like a changelog entry, describing what happened at or around that version, so it makes sense to keep it. What do you think?

3) dropped

4) dropped

5) That patch is from the upcoming debian squid package (4.2) and is committed in salsa already. It's the reason we were able to drop two bits of delta: a) enable autoreconf; b) "Adjust seddery (...)". I added respective notes under each individual delta drop message that the drop was possible because of this patch. So essentially we are replacing two bits of delta we have with an upcoming debian patch, and this "new" delta will be dropped with the next debian release. I added a proper DEP3 header to this patch.

6) updated d/changelog entry. Note that the DEP3 headers in that patch explain the situation in much more detail.

I added one more change, which can be dropped in the next merge since Debian adopted it:
    - d/t/upstream-test-suite: drop the sed line, since patch
      0003-installed-binary-for-debian-ci.patch is doing this work now.
      (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)

I'm looking at apparmor now, this might be a bit of work.

I don't know of any history regarding the apparmor profile.

What I found out so far is that our profile has 4 additions that don't make sense for upstream, but might make sense for debian:
 - squid-langpack entries
 - maas-proxy entries
 - squid-deb-proxy entries
 - squidguard entries

The MAAS one probably wouldn't be taken, since there is no MAAS for debian. The others might make sense for debian.

In the meantime, I pushed another build to https://bileto.ubuntu.com/#/ticket/3351 with the changes done so far addressing review comments, just to be sure.

We can postpone the apparmor unification in this project until after this merge.
Thanks for working on all the other concerns I had.

Assuming that we split the apparmor work in a delayed extra task I think we are good with all but #2 now.

On #2 - yes it is like a changelog, but with the bonus that if you are switching "through" this particular set of versions you will get it prompted on the update screen.
See: https://www.debian.org/doc/manuals/developers-reference/ch06.en.html#bpp-news-debian
These were important NEWS somewhen in the past, but lacking a upgrade path that hits it we can drop this.
The alternative would be to keep it forever without ever showing it to a user, that feels wrong and useless maintenance effort to me.

My call would be drop, if we need a more high level discussion and qorum on this lets discuss in the standup.

Again - thanks for all the other changes.
If tests are good and we have decided on #2 you'll have my +1 on this Merge.

I added a card (https://trello.com/c/u07CzGb1) about pushing the apparmor delta to debian, thanks.

2) Dropped, thanks for the explanation.

Yesterday I also did some additional testing:
- enabled our (disabled by default) apparmor profile, confirming it still works
- with the apparmor profile enabled, I also confirmed squid-deb-proxy still works
- pinged the #maas team about this new upcoming release, since maas relies on squid as its proxy/cache. roaksoax said he would test it with the packages from the bileto ppa.

I still want to test these, should be done momentarily:
- squidguard
- apparmor profile with squid as an ssl accelerator (new feature in this squid package)

squidguard fails with apparmor enabled:
[ 477.494576] audit: type=1400 audit(1534426533.919:2436): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/squid" pid=8122 comm="squidGuard" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/squid//squidguard"

This happens with both squid-3 that is currently in cosmic, and squid-4 from this MP, therefore an already existing bug.

I filed this to be fixed later: https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1787409

Thanks for breaking those out into other bugs.
And for integrating my suggestion with the NEWS file, I think we are good here.

Under the constraint that your and maas further testing does not reveal anything broken, from a packaging POV +1 on this.

I pushed a change to the apparmor profile to cope with the snakeoil certificates, as discussed in #ubuntu-hardened.

Testing with maas on cosmic, looks fine so far:

access log while a new machine is enlisting:

==> /var/log/maas/proxy/access.log <==
1534448951.246 232 192.168.100.190 TCP_MISS/200 89048 GET http://br.archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease - HIER_DIRECT/200.236.31.4 -

packages:

root@maas-squid4:~# apt-cache policy maas squid
maas:
  Installed: 2.4.1-7032-g11e4fa330-0ubuntu1
  Candidate: 2.4.1-7032-g11e4fa330-0ubuntu1
  Version table:
 *** 2.4.1-7032-g11e4fa330-0ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status
squid:
  Installed: 4.1-1ubuntu1~ppa8
  Candidate: 4.1-1ubuntu1~ppa8
  Version table:
 *** 4.1-1ubuntu1~ppa8 500
        500 http://ppa.launchpad.net/ci-train-ppa-service/3351/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status
     3.5.27-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic/main amd64 Packages

roaksoax will take a while to test this I think, I pinged him today and he hasn't gotten to it yet. Would you mind sponsoring it anyway, so maybe I can get an AA to look at it soon since it's a new package? If not that's fine too.

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/squid
 * [new tag] upload/4.1-1ubuntu1 -> upload/4.1-1ubuntu1

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading squid_4.1-1ubuntu1.dsc: done.
  Uploading squid_4.1.orig.tar.gz: done.
  Uploading squid_4.1-1ubuntu1.debian.tar.xz: done.
  Uploading squid_4.1-1ubuntu1_source.buildinfo: done.
  Uploading squid_4.1-1ubuntu1_source.changes: done.
Successfully uploaded packages.