/etc key location auto-migration

John Dennis jdennis at redhat.com
Sun Apr 24 13:43:13 UTC 2005 

On Sun, 2005-04-24 at 01:14 -1000, Warren Togami wrote:
> Now that we have moved a bunch of packages keys or certs from somewhere 
> in /usr to somewhere in /etc, shouldn't we also modify those packages 
> %post to conditionally auto-migrate those keys/certs?  Without 
> auto-migration there will undoubtedly be many complaints and bug reports 
> from people who upgrade like "FC4 broke SSL foo!"
> 
> Conditional auto-migration would need to be carefully implemented and 
> tested because it can be complicated.  For example in some cases it 
> would need to perform string-replacement in config files to point at the 
> new key/cert location.
> 
> In other cases it would *copy* keys/certs to new locations, but only if 
> old location contains custom (non-packaged) keys/certs, and the new 
> location does NOT contain custom files (files deposited prior to %post 
> by the package update).  How the heck would this be implemented (you may 
> NOT run rpm during %post)?  Is there any simpler algorithm that does the 
> right thing?

This is effectively what I implemented in the two packages (cyrus-imapd,
dovecot) I updated, albeit a bit simplier. The %post checks if a key
file exists in the old location but not the new location. If so it moves
the key file(s) to the new location. Then %post continues to do what it
always did, check for a key file in the cannonical location, if it does
not exist it generates a generic key.

This does not attempt to identify if the key was a custom key, however I
don't that matters, we only care if a key was in use in the old
location.

However, what can screw up, and I'm not really sure if there is a
solution to this or not, is the %config(noreplace) file attribute on the
the config file that has the key location in it. When the new rpm
installs it comes with a config file that has been updated with the new
location. However, if that file has been modified its not going to be
replaced and there is going to be a mismatch. If the file has not been
modified then everything works. I did test the key migration in the
packages I own and modulo prior editing of the config file by the user
it seems to do what you want.

Other than release notes or adding something to /usr/doc/<package> I'm
not sure how to handle the modified config file case. Suggestions? We
could edit the config file that was preserved but I think that might be
considered evil.


> After things are copied, it would need to check/correct file permissions 
> to make sure things are safe.
> 
> In any case I'm convinced that auto-migration needs to happen, it will 
> just be painful to implement correctly.  First step is listing which 
> packages need to be modified in this way?

I believe:

cyrus-imapd
dovecot
httpd
postfix (maybe?)
-- 
John Dennis <jdennis at redhat.com>

More information about the Fedora-maintainers mailing list