[Bug 2098879] Re: [needs-packaging] crypto-config in universe

Dave Jones 2098879 at bugs.launchpad.net
Mon Feb 24 17:46:35 UTC 2025


Nicely packaged! As discussed on MM there are a few nitpicks, but I'm
happy to fix these up and sponsor this. The changes I've made (which
I'll push separately as a PR to your upstream):

* d/changelog -- cut down to just the version sponsored. This should
reflect the versions actually uploaded to the archive (and their
corresponding releases)

* d/crypto-config-docs.* -- removed as there is no crypto-config-docs
section in d/control (yet)

* d/crypto-config.manpages -- added to include the man-page in the built
package

* d/crypto-config.lintian-overrides -- added to override warnings about
crypto-config-hijack.sh noting this is an interim measure

* d/watch -- minor tidy-up to remove the ton of escapes

* d/crypto-config.postinst is using /bin/bash. The "set -eu" in that
script is fine under dash (/bin/sh) but not the "shopt -s
inherit_errexit". Removed the latter and changed shebang to /bin/sh

* d/crypto-config.triggers is using interest-await (the default) rather
than interest-noawait. This *may* be intentional, but "interest-noawait"
is generally preferred (per deb-triggers(5)) where the package is not
"crucial" (in the sense of: failure of its triggers should prevent
configuration of triggering packages)

Sponsored for plucky with the aforementioned changes, unsubscribing
ubuntu-sponsors, and subscribing ubuntu-archive as this will require AA
review for new packages.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2098879

Title:
  [needs-packaging] crypto-config in universe

Status in Ubuntu:
  In Progress

Bug description:
  This is a new package for which Canonical is the upstream. The purpose
  is to create profiles of cryptography configuration that will be used
  across software in the distribution.

  I'd like to have it uploaded to universe.

  URL: https://github.com/canonical/crypto-config
  License: GPL-3

  There is a pretty complete specification at
  https://discourse.ubuntu.com/t/spec-crypto-config-a-framework-to-manage-crypto-related-configurations-system-wide/54265

  Since crypto-config implies a link with many different packages, the
  system has been designed to avoid hard dependencies in order to ease
  integration and eliminate SPOFs. This means the upload is particularly
  low-risk. There is no Depends nor Recommends and the package isn't
  seeded. This should change in the future but only after it moves to
  main.

  Some of the interesting use cases of crypto-config can only be properly achieved if the package is in Ubuntu. For instance, the system allows selecting the cryptography profile very early during setup, either through cloud-init, or container creation. Adding a PPA is an additional step that is a burden, and which is problematic when combined with cloud-init (see
  https://github.com/canonical/cloud-init/issues/3218 ).

  Moreover, main and recommends/seeding are ultimately a target:
  universe is a step in that direction.

  Crypto-config uses a dpkg postinst trigger and as such could wreak havoc but:
  1- the shell script code is shellcheck-clean and even with every warning enabled, there is nothing important
  2- the worst that should happen is that the settings are not used, not that the system does not work or is nuked
  3- I've started rewriting that in Rust
  4- let's face it, this package is not going to see world-wide usage during plucky

  There is a PPA at
  https://launchpad.net/~adrien/+archive/ubuntu/crypto-config/+packages

  Sources are at https://github.com/canonical/crypto-config

  I've set up debian/watch and published signed releases. I've checked
  that uscan is happy.

  Documentation should be rather good. There's a small catch-22 though
  because some examples and demos make more sense with a package that is
  in the archive rather than in a PPA and I'll expand these after the
  upload.

  Lintian only reports pedantic issues. I recently added a d/watch file
  and it currently does not verify the signature but it should do so
  soon.

  Piuparts also looks happy.

  I don't have automated tests at the moment sadly (in part due to the
  issue with cloud-init which complicates things somewhat). This is
  something I want to work on however and I am aware it is a requirement
  for inclusion in main.

  I think the packaging looks good overall but please forgive me if I've
  missed something as there are so many different things to pay
  attention to with new packages. :)

  PS: I keep forgetting to add LP: #2098879 in the changelog. I'm going
  ahead with this report anyway since realistically, there will be at
  least one thing to change and I'll add the bug reference while fixing
  that thing.

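The postinst point raised in the sponsor's review (a `/bin/sh` script cannot use the bash-only `shopt -s inherit_errexit`) is worth seeing in code. The following is an added example written for this page, not the crypto-config postinst or any code from the project: the lookup functions are constructed stand-ins, and `read_profile` is a hypothetical helper showing the portable pattern, where each step checks its own exit status instead of relying on errexit being inherited into a command substitution.

```shell
#!/bin/sh
# Added example, not the crypto-config postinst itself: how a maintainer
# script that must run under /bin/sh (dash) keeps the "fail fast" intent
# of bash's `shopt -s inherit_errexit`, which dash does not have.
# The lookup functions below are constructed stand-ins.
set -eu

# Fragile: relies on errexit being inherited by the $(...) subshell.
# Run as `v=$(fragile_lookup)` at top level, bash (without
# inherit_errexit) prints "default" and carries on past the failed step,
# so the script silently uses the wrong value.
fragile_lookup() {
    false            # the step that fails
    echo "default"   # still reached when errexit is not inherited
}

# Portable: every step checks its own status, so the function fails the
# same way under dash, bash and busybox sh, whatever the errexit context.
portable_lookup() {
    false || return 1
    echo "default"
}

# Stand-in for a lookup that succeeds.
good_lookup() {
    echo "fips"
}

# read_profile LOOKUP_FN: prints the profile name from LOOKUP_FN, or
# prints nothing and returns 1 when the lookup fails. The status is
# checked on the assignment itself, so no shell option is needed.
read_profile() {
    profile=$("$1") || return 1
    printf '%s\n' "$profile"
}

# Stand-alone demonstration (a real postinst would call read_profile
# with its real lookup and fall back to defaults on failure).
if [ "${1:-}" = "demo" ]; then
    read_profile good_lookup
    read_profile portable_lookup || echo "lookup failed, leaving defaults untouched" >&2
fi
```

Run it as `sh script.sh demo` with dash and again with bash; the portable path behaves identically in both, which is the property a maintainer script wants, since dpkg runs it with whatever `/bin/sh` the system has.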