Merge ~bryce/ubuntu/+source/ssl-cert:ssl-cert-sru-lp1853021-hirsute into ubuntu/+source/ssl-cert:ubuntu/devel

The PPA seems not to carry the new version?
root@h:~# vim /usr/sbin/make-ssl-cert
root@h:~# /usr/sbin/make-ssl-cert -h
Usage: /usr/sbin/make-ssl-cert template output [--force-overwrite]
Usage: /usr/sbin/make-ssl-cert generate-default-snakeoil [--force-overwrite]

I like adding proper arg handling, but IMHO this is one of the cases were we will end up with a lot of pain doing it as Ubuntu delta.

How about - after gettign it reviewed and tested here - filing it against https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=ssl-cert and proposing it against https://salsa.debian.org/apache-team/ssl-cert which is the salsa repo.

P.S. might be also worth to mention salsa in d/control

Some more inline comments added

Also this has whitespace damage in line 40 (the original has that, but you could fix it in your proposal)

   39 done
   40 ····
   41 db_get make-ssl-cert/hostname

There are more - worth to clean up and unify when proposing to Debian IMHO.

In general some shellcheck treatment could raise the quality while we are at it.

BTW - my reasoning for proposing this to Debian once cleaned - Plenty of other things packages but also guides/howtos on the net use this command. Going together with changed options will ensure they are usable as-is on both sides.

The parsing right now is very bash'y e.g.

--expiration-days=5 OK

--expiration-days 5 FAILS
  Unrecognized option --expiration-days

--expiration-days= 5
 opt_expiration_days=
 template=5

Package: util-linux
Essential: yes
and has /usr/bin/getopt, so should we just use that to improve on it (up for discussion)

PPA is updated at https://launchpad.net/~bryce/+archive/ubuntu/ssl-cert-sru-lp1853021-snakeoil now

> I like adding proper arg handling, but IMHO this is one of the cases were we will end up with a lot of pain doing it as Ubuntu delta.

Completely agreed, same thought occurred to me, and yes I do keep a TODO to forward to Debian once the MP is acceptable.

> P.S. might be also worth to mention salsa in d/control

Good idea, the existing links are obsolete. I've updated them.

> The parsing right now is very bash'y e.g.
> --expiration-days=5 OK
> --expiration-days 5 FAILS
> Unrecognized option --expiration-days

I know, and I'm not happy about this as I strongly prefer the latter getopts-style format personally. However, I thought adding getopts might be a bridge too far for this package. I figure this was a less invasive change, but would be more than happy to move to getopts if Debian is ok with it. If you feel strongly that getopts *should* be used I'll update to use that.

Regarding shellcheck, yes I noticed there are numerous issues as well. I opted, however, to only fix shellcheck issues involved with the exact code lines I changed, to keep the patch minimal. I noticed the whitespace was handled irregularly elsewhere in the script so didn't worry about that, but I'll go and make sure all my touched lines are consistently using spaces instead of tabs. Followup patches to address both shellcheck and whitespace may make sense to consider doing when upstreaming the patch to Debian.

> If you feel strongly that getopts *should* be used I'll update to use that.

I'd personally prefer, but my opinions are not strong enough to
force/convince you.
Since we go through Debian it depends on their preference more than on mine.

> ... upstreaming the patch to Debian.

Thanks, that is the right way. If they are slow or denying even if we
are kind and responsive we can still think about adding it as delta
then.

Should we also lower the default validity of the certificate to something like 800 days as part of this change? This would address the specific issue raised by LP: #1853021, and I think it makes sense to have defaults that produce certificates that are compatible with browsers.

(Should we *only* lower the cert validity if Debian is slow/unresponsive, instead of adding --expiration-days in a delta? The risk I see is Debian implementing the same in a different way, and ending up with two different interfaces that are difficult to reconcile and that could require even more deltas in other packages.)

@Paride given the new standard is 825 days, I also wondered if that might be a more sensible value to set as the default. One drawback is that doing so would certainly be a behavioral change, and may make the changes non-SRU-able. But going forward that might be a good change; another thing to discuss with Debian I suppose.

Regardless, I do think that adding --expiration-days is worthwhile. From the referenced links, I see there was a lot of debate, with some CA's preferring longer expiration times, and others shorter. So I think from the distro POV having this as a settable option gives our users flexibility that they need.

@Christian, one of the considerations I made with skipping getopts is that getopts only handles single-letter options, but this script's one parameter is a long option. The other usage mode of permitting "<template> <output>" arguments also needs a bit of special handling to use cleanly with getopts. It ends up being a number of lines for argument parsing to handle just a couple options.

I notice this is not marked Approved yet; do I interpret this correctly to mean you prefer this work be done only in Debian rather than Ubuntu, or are you ok with the branch as-is to land as temporary delta for Ubuntu while we wait on Debian?

I've gathered the review feedback for suggested changes to forward to debian into this branch:

https://code.launchpad.net/~bryce/ubuntu/+source/ssl-cert/+git/ssl-cert/+ref/ssl-cert-sru-lp1853021-debian

I split up the diff into discrete changes, ordered in (I think) likelihood of their acceptance. This includes fixing whitespace and shellcheck issues (except one) as Christian suggested. I changed the default expiration period to 825 as Paride suggested. I finished with a conversion to using getopts, although as mentioned above I think it gets a bit too much for this script; I left it as the final patch so if Debian doesn't care for it, it can be popped off the stack easy.

Please look this over and +1 or give any other feedback before I send off to Debian.

Also, I'd appreciate clarification if I should proceed with landing the Ubuntu MP as (temporary) delta, or wait until this is taken by Debian.

Thanks for wrapping all that up Bryce.
I'm +1 on the current content and state of the discussion.

For the uploads I'm strongly voting for "try to convince Debian first". I mentioned it and also Paride nicely put it as "ending up with two different interfaces that are difficult to reconcile and that could require even more deltas in other package".

I'd only consider an Ubuntu only upload for this if Debian really fails to participate in the discussion at all.
Both Distributions have feature freezes early on in 2021 so proposing and pushing for this change now is the right time.

In terms of SRUability e.g. of the default time - I'd not bother about that now. Let us make 21.04 great (as proposed) and later decide on the SRUs if we can include those changes or not (I assume we can't).

Thanks for the clarification. I've proposed a MP to debian here:

https://salsa.debian.org/apache-team/ssl-cert/-/merge_requests/2

Debian accepted the changes discussed above, and we've sync'd the same in via the new 1.1.0. The changes not taken (e.g. altering the default validity time) are technically not strictly necessary for resolving the original bug report so I don't think that needs followed up on.

Per Christian's last comment above will hold on SRUing until there is a specific request for it, and decide at that time.