/etc key location auto-migration

Warren Togami wtogami at redhat.com
Sun Apr 24 11:14:53 UTC 2005


Now that we have moved a bunch of packages' keys or certs from somewhere 
in /usr to somewhere in /etc, shouldn't we also modify those packages' 
%post to conditionally auto-migrate those keys/certs?  Without 
auto-migration there will undoubtedly be many complaints and bug reports 
from people who upgrade like "FC4 broke SSL foo!"

Conditional auto-migration would need to be carefully implemented and 
tested because it can be complicated.  For example in some cases it 
would need to perform string-replacement in config files to point at the 
new key/cert location.

In other cases it would *copy* keys/certs to new locations, but only if 
the old location contains custom (non-packaged) keys/certs, and the new 
location does NOT contain custom files (files deposited prior to %post 
by the package update).  How the heck would this be implemented (you may 
NOT run rpm during %post)?  Is there any simpler algorithm that does the 
right thing?

After things are copied, it would need to check/correct file permissions 
to make sure things are safe.

In any case I'm convinced that auto-migration needs to happen, it will 
just be painful to implement correctly.  First step is listing which 
packages need to be modified in this way?

Warren Togami
wtogami at redhat.com
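
Added example, not part of the original message or of any Fedora package: one way the conditional copy and permission fix-up described above could be written as a %post-style shell function without calling rpm. It assumes a hypothetical manifest file of SHA-256 digests of the package's own default files, generated at build time; the function names, the manifest and the *.key naming convention are all assumptions.

```shell
#!/bin/sh
# Assumption: MANIFEST lists one SHA-256 hex digest per line for every default
# key/cert the package ships, since rpm cannot be queried from inside %post.

# is_packaged FILE MANIFEST -> exit 0 if FILE's digest is listed in MANIFEST
is_packaged() {
    digest=$(sha256sum "$1" | cut -d' ' -f1)
    grep -qxF "$digest" "$2"
}

# migrate_keys OLD_DIR NEW_DIR MANIFEST
# Copies custom files from OLD_DIR to NEW_DIR, never overwriting a custom file
# already in NEW_DIR, then sets safe permissions. Prints the number migrated.
migrate_keys() {
    old=$1 new=$2 manifest=$3 count=0
    [ -d "$old" ] && [ -d "$new" ] || { echo 0; return 0; }
    for src in "$old"/*; do
        # Regular files only; a symlink could point outside the key directory.
        [ -f "$src" ] && [ ! -L "$src" ] || continue
        # Packaged default in the old location: nothing custom to preserve.
        is_packaged "$src" "$manifest" && continue
        dst=$new/$(basename "$src")
        if [ -e "$dst" ] || [ -L "$dst" ]; then
            # Replace an existing destination only if it is an untouched
            # packaged default deposited by the update.
            [ -f "$dst" ] && [ ! -L "$dst" ] && is_packaged "$dst" "$manifest" || continue
        fi
        # Copy under a restrictive umask so the file is never briefly readable,
        # then rename into place.
        (umask 077 && cp -f "$src" "$dst.migrate.$$" &&
            mv -f "$dst.migrate.$$" "$dst") || continue
        case $dst in
            *.key) chmod 600 "$dst" ;;   # private keys: owner only
            *)     chmod 644 "$dst" ;;   # certificates: world-readable
        esac
        count=$((count + 1))
    done
    echo "$count"
}
```

Running it a second time migrates nothing, because the copied files are now custom files at the new location. Rewriting config files to point at the new path is not covered here.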



