Introduce install_data_to_pki() - Copy data-files to PKI #510
Conversation
The purpose here is to force EasyRSA find the required data-files: * 'openssl-easyrsa.cnf' MUST be found. * 'x509-types' MUST be found. * 'vars.example' should be found. * 'vars' The 'vars' file is more complicated due to user expectations. This patch does not copy 'vars', the code is included but DISABED. The reasons are: * Allow running 'easyrsa' from PATH. * Make standard packaging work correctly. Bug fixes: * #499 and associated issues with missing files. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
TinCanTech
added
feedback welcome
Priority
|
NOTE: Fix multiple typos and structure in commit message! This is the final version of #508. Please, tear it to pieces with me My version: https://github.com/TinCanTech/easy-rsa/blob/master/easyrsa3/easyrsa |
| "$area_prog" \ | ||
| "$area_etc" \ | ||
| "$area_ubuntu" \ | ||
| # EOL - # Add more distros here |
There was a problem hiding this comment.
Is there any advantage to the area_* style variables?
Writing the Paths directly in the for loop seems alright.
And adding another directory for example /usr/local/share would just be more convenient in the future.
There was a problem hiding this comment.
Excellent observation, thanks!
There was a problem hiding this comment.
However, there does not seem to be a better way to present maintainable code. This code is clear, alternatives are less clear.
There was a problem hiding this comment.
I think adding a string in a for loop is more clear, than declaring your own unique area_* variable with said string and also add that area_* variable into the for loop.
In any case the loop is altered.
That's two changes to support another directory as opposed to one:
for area in \
"$PWD" \
"${0%/*}" \
'/etc/easy-rsa' \
'/usr/share/easy-rsa' \
# EOL - # Add more distros here
do
Now that I've written it, I kind of see what you mean.
I am still convinced that this solution is preferable.
There was a problem hiding this comment.
It's a style choice, I prefer my way because it has good comments.
May be swing back to this another day?
There was a problem hiding this comment.
I have decided; Your way is better, thanks !
| # Currently, *if* 'vars' is copied to the PKI then the PKI 'vars' will take | ||
| # priority over './vars'. But it will not be updated if './vars' is changed. | ||
| # | ||
| # Copying 'vars' to the PKI is complicated, code is included but DISABLED. |
There was a problem hiding this comment.
After some consideration, I would not touch vars at all for some reasons:
- Providing the user with
vars.examplewhen they just have to rename it tovarsfor it to work is fine - Users who already rely on the functionality of a shared
./varsfile will find it annoying that afterinit-pkithey have to remove$EASYRSA_PKI/varsbecause of priorities - Fewer files in
$EASYRSA_PKI - We wouldn't have to implement it
There was a problem hiding this comment.
I do agree ..
However, moving all PKI related files into said PKI is where EasyRSA is trying to get. It is just vars is going to be tricky.
There was a problem hiding this comment.
Isn't vars optional?
If it's not found the default values are loaded from within easyrsa, or am I wrong?
There was a problem hiding this comment.
I would be in favour of removing ./vars altogether and moving vars into the PKI at init-pki, so there is never any external-to-PKI vars, at all.
There was a problem hiding this comment.
Isn't
varsoptional? If it's not found the default values are loaded from withineasyrsa, or am I wrong?
You are absolutely correct.
EasyRSA wants to change this default, to enable PATH and fix some bugs.
There was a problem hiding this comment.
The problem is, old PKIs will have either nothing or fixed ./vars.
There was a problem hiding this comment.
The real problem is: Once pki/vars exists it will take priority and that is a breaking change.
easyrsa would have to remove ./vars and present a severe warning to the user.
There was a problem hiding this comment.
This patch-set gets things in place so that a more invasive change is less objectionable, in time.
There was a problem hiding this comment.
There may be a way to infiltrate all new PKIs so that ./vars can be copied to the PKI but only if it does not grep for a specific string.
@Prouflon you are to blame ;-)
There was a problem hiding this comment.
I absolutely support the notion of a warning, that appears if a ./vars file ist detected, that tells the user that this file is not read and that this default behaviour has changed.
We can expect users to move old vars files into the /pki on their own when the time comes, right?
|
@Prouflon I would like to credit you for your effort on this but I'm not sure that you would agree .. Let me know your thoughts, thanks. |
|
Credit me as much as you |
|
@Prouflon I give my thanks to you here All feedback is invaluable. |
|
@Prouflon shall we throw this to the wolves ? LGTM. |
|
This sounds crazy:
pfffft .. as if .. |
|
I think this patch needs one more change:
|
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
|
+1 |
As in merge? Sorry, not sure what you mean exactly ... |
|
LGTM -> Looks good to me. |
Thanks to excellent community feedback, this patch forces a single, reliable list of sources for EasyRSA data-files. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This is a deliberate misuse of shellcheck: Reminder to fix PKI/vars. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
|
I have looked for typos and the like and come up empty. |
|
@Prouflon When the trifle hits the fan, I am going to blame all of this on you! Genuinely: Thank you very much. Your participation has been invaluable. 🍰 🍺 |
The purpose here is to force EasyRSA find the required data-files:
The 'vars' file is more complicated due to user expectations.
This patch does not copy 'vars', the code is included but DISABED.
The reasons are:
Bug fixes:
Signed-off-by: Richard T Bonhomme tincantech@protonmail.com