It's painful to read the help output of NSS tools, because by default it's printed to "stderr". This means, certutil -H | less doesn't work. Instead, one has to type (and know about) the more complicated syntax certutil -H 2>&1 | less I propose to change all NSS tools and have their usage/help output being printed to stdout. Of course, error message shall continue to be printed to stderr.
Does anyone object?
We should follow the convention in Unix. The usage message is printed in two cases. 1. When explicitly requested with the --help option. 2. When there is a command line error. GNU make prints the usage message to stdout in the first case and to stderr in the second case: wtc@fips:~/tmp$ make --help > temp wtc@fips:~/tmp$ make --no-such-flag 2> temp wtc@fips:~/tmp$ We should do the same. I believe this is what you proposed. I just wanted to confirm that in the second case we continue to print the usage message to stderr.
(triage) +1 for this. I also want to note that the return code should be 0 instead of 1 (when called with --help): "The standard --help option should output brief documentation for how to invoke the program, on standard output, then exit successfully." - https://www.gnu.org/prep/standards/html_node/_002d_002dhelp.html Printing the help output to stderr instead of stdout can be really frustrating and annoying for a user as it isn't possible to do a normal "certutil --help | less". And I agree with Wan-Teh Chang that the output should go to stderr in the second case (this is especially important when the output is piped to other scripts).