Now that we have moved a bunch of packages' keys or certs from somewhere
in /usr to somewhere in /etc, shouldn't we also modify those packages'
%post to conditionally auto-migrate those keys/certs? Without
auto-migration there will undoubtedly be many complaints and bug reports
from people who upgrade like "FC4 broke SSL foo!"

Conditional auto-migration would need to be carefully implemented and
tested because it can be complicated. For example in some cases it
would need to perform string-replacement in config files to point at the
new key/cert location.

In other cases it would *copy* keys/certs to new locations, but only if
old location contains custom (non-packaged) keys/certs, and the new
location does NOT contain custom files (files deposited prior to %post
by the package update). How the heck would this be implemented (you may
NOT run rpm during %post)? Is there any simpler algorithm that does the
right thing?

After things are copied, it would need to check/correct file permissions
to make sure things are safe.

In any case I'm convinced that auto-migration needs to happen, it will
just be painful to implement correctly. First step is listing which
packages need to be modified in this way?

Warren Togami
wtogami@xxxxxxxxxx
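
The copy-and-fix-permissions case described above, as an added example that is not part of the original message or of any Fedora package: a scriptlet-style shell function that decides "custom vs. packaged" without calling rpm by comparing against digests of the files earlier package versions shipped. `STOCK_SUMS`, the function names and all paths are hypothetical, and it assumes `sha256sum` is available; config-file string replacement is not covered.

```shell
#!/bin/sh
# Added example: conditional key/cert migration for a %post scriptlet.
# STOCK_SUMS is hypothetical: a real package would hard-code the sha256
# digests of every key/cert file its earlier versions shipped.
STOCK_SUMS=""   # space-separated digests of packaged (non-custom) files

digest() { sha256sum "$1" | cut -d' ' -f1; }

# is_custom FILE: true only for a regular file (never a symlink) whose
# digest is not one of the packaged defaults.
is_custom() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    d=$(digest "$1") || return 1
    case " $STOCK_SUMS " in
        *" $d "*) return 1 ;;
    esac
    return 0
}

# migrate_file OLD NEW MODE
# returns 0 = copied, 1 = nothing custom at OLD, 2 = NEW left alone,
#         3 = copy failed
migrate_file() {
    old=$1 new=$2 mode=$3
    is_custom "$old" || return 1
    if [ -e "$new" ] || [ -L "$new" ]; then
        # Overwrite only a packaged default deposited by the update;
        # leave custom files, symlinks and directories untouched.
        [ -f "$new" ] && [ ! -L "$new" ] && ! is_custom "$new" || return 2
    fi
    # Copy under a restrictive umask to a temporary name, set the final
    # mode, then rename, so the key is never briefly readable by others
    # at its final path.
    tmp="$new.migrate.$$"
    ( umask 077 && cp "$old" "$tmp" ) || return 3
    chmod "$mode" "$tmp" && mv -f "$tmp" "$new" || { rm -f "$tmp"; return 3; }
    return 0
}
```

A scriptlet would call `migrate_file` once per key or cert with the mode that file should end up with, and treat return code 2 as "administrator already placed a file here".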