Package: libnss3-tools
Version: 2:3.109-1
Severity: minor
Tags: patch
* What led up to the situation?
Checking for defects with a new version
test-[g|n]roff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=10 -ww -z < "man
page"
[Use "grep -e ' $' -e '\\~$' <file>" to find obvious trailing spaces.]
["test-groff" is a script in the repository for "groff"; is not shipped]
(local copy and "troff" slightly changed by me).
[The fate of "test-nroff" was decided in groff bug #55941.]
* What was the outcome of this action?
troff:<stdin>:464: warning: trailing space in the line
troff:<stdin>:465: warning: trailing space in the line
troff:<stdin>:466: warning: trailing space in the line
troff:<stdin>:488: warning: trailing space in the line
troff:<stdin>:489: warning: trailing space in the line
troff:<stdin>:513: warning: trailing space in the line
troff:<stdin>:550: warning: trailing space in the line
* What outcome did you expect instead?
No output (no warnings).
-.-
General remarks and further material, if a diff-file exist, are in the
attachments.
-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.17-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=is_IS.iso88591, LC_CTYPE=is_IS.iso88591 (charmap=ISO-8859-1),
LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libnss3-tools depends on:
ii libc6 2.41-6
ii libnspr4 2:4.36-1
ii libnss3 2:3.109-1
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
libnss3-tools recommends no packages.
libnss3-tools suggests no packages.
-- no debconf information
Input file is pk12util.1
Output from "mandoc -T lint pk12util.1": (shortened list)
1 input text line longer than 80 bytes: Authors: Elio Maldon...
1 input text line longer than 80 bytes: BerkeleyDB has perfo...
1 input text line longer than 80 bytes: Dumps all of the dat...
1 input text line longer than 80 bytes: For an engineering d...
1 input text line longer than 80 bytes: For information abou...
1 input text line longer than 80 bytes: In 2009, NSS introdu...
1 input text line longer than 80 bytes: Licensed under the M...
1 input text line longer than 80 bytes: NSS originally used ...
1 input text line longer than 80 bytes: PKCS #12 provides fo...
1 input text line longer than 80 bytes: SHA\-1 and 3\-key tr...
1 input text line longer than 80 bytes: SHA\-1 and 40\-bit R...
1 input text line longer than 80 bytes: Specify the database...
2 input text line longer than 80 bytes: Specify the desired ...
1 input text line longer than 80 bytes: Specify the hash alg...
1 input text line longer than 80 bytes: Specify the prefix u...
1 input text line longer than 80 bytes: The NSS tools were w...
1 input text line longer than 80 bytes: The NSS wiki has inf...
1 input text line longer than 80 bytes: The nickname can als...
1 input text line longer than 80 bytes: This documentation i...
1 input text line longer than 80 bytes: With PKCS #12, the c...
1 input text line longer than 80 bytes: accepts password\-ba...
1 input text line longer than 80 bytes: command to export ce...
1 input text line longer than 80 bytes: database type\&. The...
1 input text line longer than 80 bytes: file are not human\-...
1 input text line longer than 80 bytes: files\&. Each certif...
1 input text line longer than 80 bytes: for importing a cert...
1 input text line longer than 80 bytes: has changed over tim...
1 input text line longer than 80 bytes: is not used, then th...
1 input text line longer than 80 bytes: pk12util \- Export a...
1 input text line longer than 80 bytes: pk12util \-i p12File...
1 input text line longer than 80 bytes: pk12util \-l p12File...
1 input text line longer than 80 bytes: pk12util \-o p12File...
1 input text line longer than 80 bytes: pkcs11\&.txt, which ...
1 input text line longer than 80 bytes: prints the certifica...
1 input text line longer than 80 bytes: used the UTF\-16 enc...
11 skipping paragraph macro: PP after SH
1 skipping paragraph macro: sp after PP
1 skipping paragraph macro: sp after SH
-.-.
Output from "test-nroff -mandoc -t -ww -z pk12util.1": (shortened list)
7 trailing space in the line
Remove trailing space with: sed -e 's/ *$//'
-.-.
Show if docman-to-man created this.
Who is actually creating this man page? Debian or upstream?
Is the generating software out of date?
4:.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.-.
Remove space characters (whitespace) at the end of lines.
Use "git apply ... --whitespace=fix" to fix extra space issues, or use
global configuration "core.whitespace".
Number of lines affected is
9
-.-.
Strings longer than 3/4 of a standard line length (80).
Use "\:" to split the string at the end of an output line, for example a
long URL (web address)
122 The nickname can also be a PKCS #11 URI\&. For example, if you have a
certificate named "my\-server\-cert" on the internal certificate store, it can
be unambiguously specified as
"pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details
about the format, see RFC 7512\&.
854 \m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&.
The NSS site relates directly to NSS code changes and releases\&.
-.-.
Wrong distance (not two spaces) between sentences in the input file.
Separate the sentences and subordinate clauses; each begins on a new
line. See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").
The best procedure is to always start a new sentence on a new line,
at least, if you are typing on a computer.
Remember coding: Only one command ("sentence") on each (logical) line.
E-mail: Easier to quote exactly the relevant lines.
Generally: Easier to edit the sentence.
Patches: Less unaffected text.
Search for two adjacent words is easier, when they belong to the same line,
and the same phrase.
The amount of space between sentences in the output can then be
controlled with the ".ss" request.
Mark a final abbreviation point as such by suffixing it with "\&".
Some sentences (etc.) do not begin on a new line.
Split (sometimes) lines after a punctuation mark; before a conjunction.
Lines with only one (or two) space(s) between sentences could be split,
so latter sentences begin on a new line.
Use
#!/usr/bin/sh
sed -e '/^\./n' \
-e 's/\([[:alpha:]]\)\. */\1.\n/g' $1
to split lines after a sentence period.
Check result with the difference between the formatted outputs.
See also the attachment "general.bugs"
37:This documentation is still work in progress\&. Please contribute to the
initial review in
42:\fBpk12util\fR, enables sharing certificates among any server that supports
PKCS #12\&. The tool can import certificates and keys from PKCS #12 files into
security databases, export certificates, and list certificates and keys\&.
83:pkcs11\&.txt)\&. If the prefix
110:Specify the hash algorithm used in the pkcs #12 mac\&. This algorithm also
specifies the HMAC used in the prf when using pkcs #5 v2\&.
122:The nickname can also be a PKCS #11 URI\&. For example, if you have a
certificate named "my\-server\-cert" on the internal certificate store, it can
be unambiguously specified as
"pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details
about the format, see RFC 7512\&.
127:Specify the prefix used on the certificate and key databases\&. This option
is provided as a special case\&. Changing the names of the certificate and key
databases is not recommended\&.
132:Dumps all of the data in raw (binary) form\&. This must be saved as a DER
file\&. The default is to return information in a pretty\-print ASCII format,
which displays the information about the certificates and public keys in the
p12 file\&.
477:command to export certificates and keys requires both the name of the
certificate to extract from the database (\fB\-n\fR) and the PKCS
#12\-formatted output file to write to\&. There are optional parameters that
can be used to encrypt the file to protect the certificate material\&.
499:file are not human\-readable\&. The certificates and keys in the file can
be printed (listed) in a human\-readable pretty\-print format that shows
information for every certificate and any public keys in the
515: Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty)
Ltd\&. ID
538:prints the certificates and then exports them into separate DER binary
files\&. This allows the certificates to be fed to another application that
supports
540:files\&. Each certificate is written to a sequentially\-number file,
beginning with
552: Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty)
Ltd\&. ID
561:Certificate Friendly Name: Thawte Freemail Member\*(Aqs Thawte
Consulting (Pty) Ltd\&. ID
569:PKCS #12 provides for not only the protection of the private keys but also
the certificate and meta\-data associated with the keys\&. Password\-based
encryption is used to protect private keys on export to a PKCS #12 file and,
optionally, the associated certificates\&. If no algorithm is specified, the
tool defaults to using PKCS #12 SHA\-1 and 3\-key triple DES for private key
encryption\&. When not in FIPS mode, PKCS #12 SHA\-1 and 40\-bit RC4 is used
for certificate encryption\&. When in FIPS mode, there is no certificate
encryption\&. If certificate encryption is not wanted, specify
661:With PKCS #12, the crypto provider may be the soft token module or an
external hardware module\&. If the cryptographic module does not support the
requested algorithm, then the next best fit will be selected (usually the
default)\&. If no suitable replacement for the desired algorithm can be found,
the tool returns the error
665:NSS originally used BerkeleyDB databases to store security information\&.
The last versions of these
702:BerkeleyDB has performance limitations, though, which prevent it from being
easily used by multiple applications simultaneously\&. NSS has some flexibility
that allows applications to use their own, independent database engine while
keeping a shared database and working around the access issues\&. Still, NSS
requires more flexibility to provide a truly shared security database\&.
704:In 2009, NSS introduced a new set of databases that are SQLite databases
rather than BerkleyDB\&. These new databases provide more accessibility and
performance:
741:database type\&. The shared database type is preferred; the legacy format
is included for backward compatibility\&.
747:prefix with the given security directory\&. For example:
821:accepts password\-based encryption schemes not listed in this document\&.
However, those schemes are not officially supported and may have issues in
interoperability with other tools\&.
854:\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&.
The NSS site relates directly to NSS code changes and releases\&.
866:Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the
MPL was not distributed with this file, You can obtain one at
http://mozilla\&.org/MPL/2\&.0/\&.
-.-.
Split lines longer than 80 characters into two or more lines.
Appropriate break points are the end of a sentence and a subordinate
clause; after punctuation marks.
Add "\:" to split the string for the output, "\<newline>" in the source.
[List of affected lines removed.]
Longest line is number 569 with 593 characters
PKCS #12 provides for not only the protection of the private keys but also the
certificate and meta\-data associated with the keys\&. Password\-based
encryption is used to protect private keys on export to a PKCS #12 file and,
optionally, the associated certificates\&. If no algorithm is specified, the
tool defaults to using PKCS #12 SHA\-1 and 3\-key triple DES for private key
encryption\&. When not in FIPS mode, PKCS #12 SHA\-1 and 40\-bit RC4 is used
for certificate encryption\&. When in FIPS mode, there is no certificate
encryption\&. If certificate encryption is not wanted, specify
-.-.
Put a parenthetical sentence, phrase on a separate line,
if not part of a code.
See man-pages(7), item "semantic newline".
pk12util.1:620:SHA\-1 and 40\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40
Bit RC4"\fR) (used by default for certificate encryption in non\-FIPS mode)
pk12util.1:657:SHA\-1 and 40\-bit RC2 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40
Bit RC2 CBC"\fR)
pk12util.1:661:With PKCS #12, the crypto provider may be the soft token module
or an external hardware module\&. If the cryptographic module does not support
the requested algorithm, then the next best fit will be selected (usually the
default)\&. If no suitable replacement for the desired algorithm can be found,
the tool returns the error
pk12util.1:853:For information about NSS and other tools related to NSS (like
JSS), check out the NSS project wiki at
-.-.
No need for '\&' to be in front of a period (.),
if there is a character in front of it.
Remove with "sed -e 's/\\&\././g'".
[List of affected lines removed.]
-.-
Only one space character after a possible end of sentence
(after a punctuation, that can end a sentence).
[List of affected lines removed.]
-.-
Put a subordinate sentence (after a comma) on a new line.
[List of affected lines removed.]
-.-
Remove quotes when there is a printable
but no space character between them
and the quotes are not for emphasis (markup),
for example as an argument to a macro.
pk12util.1:10:.TH "PK12UTIL" "1" "19 May 2021" "nss-tools" "NSS Security Tools"
pk12util.1:30:.SH "NAME"
pk12util.1:32:.SH "SYNOPSIS"
pk12util.1:35:.SH "STATUS"
pk12util.1:39:.SH "DESCRIPTION"
pk12util.1:436:.SH "EXAMPLES"
pk12util.1:859:.SH "AUTHORS"
pk12util.1:864:.SH "LICENSE"
pk12util.1:867:.SH "NOTES"
-.-.
Use ".na" (no adjustment) instead of ".ad l" (and ".ad" to begin the
same adjustment again as before).
26:.ad l
-.-.
Section headings (.SH and .SS) do not need quoting their arguments.
30:.SH "NAME"
32:.SH "SYNOPSIS"
35:.SH "STATUS"
39:.SH "DESCRIPTION"
43:.SH "OPTIONS AND ARGUMENTS"
149:.SH "RETURN CODES"
436:.SH "EXAMPLES"
567:.SH "PASSWORD ENCRYPTION"
663:.SH "NSS DATABASE TYPES"
801:.SH "COMPATIBILITY NOTES"
822:.SH "SEE ALSO"
851:.SH "ADDITIONAL RESOURCES"
859:.SH "AUTHORS"
864:.SH "LICENSE"
867:.SH "NOTES"
-.-.
Remove excessive "\&" when it has no functional purpose.
38:\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
-.-.
Use "\-" instead of "-" in web addresses.
16:.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.-.
Put a (long) web address on a new line to reduce the posibility of
splitting the address between two output lines.
Or inhibit hyphenation with "\%" in front of the name.
786:https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
799:https://wiki\&.mozilla\&.org/NSS_Shared_DB
838:https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
849:https://wiki\&.mozilla\&.org/NSS_Shared_DB
854:\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&.
The NSS site relates directly to NSS code changes and releases\&.
856:Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
866:Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the
MPL was not distributed with this file, You can obtain one at
http://mozilla\&.org/MPL/2\&.0/\&.
871:\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
-.-.
Output from "test-groff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=10 -ww -z
":
troff:<stdin>:464: warning: trailing space in the line
troff:<stdin>:465: warning: trailing space in the line
troff:<stdin>:466: warning: trailing space in the line
troff:<stdin>:488: warning: trailing space in the line
troff:<stdin>:489: warning: trailing space in the line
troff:<stdin>:513: warning: trailing space in the line
troff:<stdin>:550: warning: trailing space in the line
-.-.
Spelling (codespell):
certiticate ==> certificate
itegrity ==> integrity
-.-
Generally:
Split (sometimes) lines after a punctuation mark; before a conjunction.
--- pk12util.1 2025-03-24 01:27:09.006744876 +0000
+++ pk12util.1.new 2025-03-26 15:33:50.182477768 +0000
@@ -68,7 +68,7 @@ Specify the key encryption algorithm\&.
.PP
\-C certCipher
.RS 4
-Specify the certiticate encryption algorithm\&.
+Specify the certificate encryption algorithm\&.
.RE
.PP
\-d directory
@@ -398,7 +398,7 @@ Specify the pkcs #12 file password\&.
.sp -1
.IP \(bu 2.3
.\}
-26 \- PKCS12 add password itegrity error
+26 \- PKCS12 add password integrity error
.RE
.sp
.RS 4
@@ -461,9 +461,9 @@ Enter a password which will be used to e
The password should be at least 8 characters long,
and should contain at least one non\-alphabetic character\&.
-Enter new password:
-Re\-enter password:
-Enter password for PKCS12 file:
+Enter new password:
+Re\-enter password:
+Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
.fi
.if n \{\
@@ -485,8 +485,8 @@ For example:
.\}
.nf
# pk12util \-o certs\&.p12 \-n Server\-Cert \-d /home/my/sharednssdb
-Enter password for PKCS12 file:
-Re\-enter password:
+Enter password for PKCS12 file:
+Re\-enter password:
.fi
.if n \{\
.RE
@@ -510,7 +510,7 @@ For example, this prints the default ASC
.nf
# pk12util \-l certs\&.p12
-Enter password for PKCS12 file:
+Enter password for PKCS12 file:
Key(shrouded):
Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&.
ID
@@ -547,7 +547,7 @@ file000N\&.der, incrementing the number
.\}
.nf
pk12util \-l test\&.p12 \-r
-Enter password for PKCS12 file:
+Enter password for PKCS12 file:
Key(shrouded):
Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&.
ID
Any program (person), that produces man pages, should check the output
for defects by using (both groff and nroff)
[gn]roff -mandoc -t -ww -b -z -K utf8 <man page>
The same goes for man pages that are used as an input.
For a style guide use
mandoc -T lint
-.-
Any "autogenerator" should check its products with the above mentioned
'groff', 'mandoc', and additionally with 'nroff ...'.
It should also check its input files for too long (> 80) lines.
This is just a simple quality control measure.
The "autogenerator" may have to be corrected to get a better man page,
the source file may, and any additional file may.
Common defects:
Not removing trailing spaces (in in- and output).
The reason for these trailing spaces should be found and eliminated.
"git" has a "tool" to point out whitespace,
see for example "git-apply(1)" and git-config(1)")
Not beginning each input sentence on a new line.
Line length and patch size should thus be reduced.
The script "reportbug" uses 'quoted-printable' encoding when a line is
longer than 1024 characters in an 'ascii' file.
See man-pages(7), item "semantic newline".
-.-
The difference between the formatted output of the original and patched file
can be seen with:
nroff -mandoc <file1> > <out1>
nroff -mandoc <file2> > <out2>
diff -d -u <out1> <out2>
and for groff, using
\"printf '%s\n%s\n' '.kern 0' '.ss 12 0' | groff -mandoc -Z - \"
instead of 'nroff -mandoc'
Add the option '-t', if the file contains a table.
Read the output from 'diff -d -u ...' with 'less -R' or similar.
-.-.
If 'man' (man-db) is used to check the manual for warnings,
the following must be set:
The option \"-warnings=w\"
The environmental variable:
export MAN_KEEP_STDERR=yes (or any non-empty value)
or
(produce only warnings):
export MANROFFOPT=\"-ww -b -z\"
export MAN_KEEP_STDERR=yes (or any non-empty value)
-.-