On Thu, Apr 24, 2014 at 10:10:15AM -0400, Adam Jackson wrote:
> On Thu, 2014-04-24 at 15:47 +0200, Florian Weimer wrote:
> > I'm working on advice on automated X.509 certificate generation during
> > package installation.
> >
> > One aspect is that these files obviously have to be generated on the
> > system during installation (or first service start) and cannot be
> > shipped in the package. Some existing RPMs just drop files into
> > /etc/pki/certs and /etc/pki/tls/private, without marking them as ghost
> > files or configuration files. (I'm not even sure if you can mark
> > something for which no content is provided in the RPM as a configuration
> > file.)
> >
> > I wonder what an ideal RPM package would do in this case?
>
> If you know what service is going to require the cert, you might copy
> the pattern from openssh, where sshd-keygen.service runs as a prereq for
> sshd itself.

This, or first service start, are good ideas. Remember that your package
may not be getting installed on the system where it eventually runs --
livecds, cloud images, etc. can be created in situations where the build
host is totally different from the final target, e.g. creating an image
inside a mock running on a RHEL6 system.

--
Brian C. Lane | Anaconda Team | IRC: bcl #anaconda | Port Orchard, WA (PST8PDT)
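
Added example (not part of the original message, and not code from openssh or any Fedora package): a first-start generation step in the spirit of the sshd-keygen.service pattern discussed above, so the key and certificate are created on the machine that runs the service rather than at install or image-build time. The function name `ensure_cert`, the file paths, key size, validity period and subject are assumptions.

```shell
#!/bin/sh
# Added example: generate a self-signed key/cert pair on first service start.
# Intended to be called from a oneshot unit or start script that runs before
# the service itself. All names and parameters here are assumptions.

# ensure_cert KEYFILE CERTFILE
# Returns 0 if the pair already exists or was created, non-zero on failure.
ensure_cert() {
    key=$1
    cert=$2

    # Idempotent: an existing pair is never overwritten, so restarts and
    # package upgrades do not rotate the key behind the administrator's back.
    if [ -s "$key" ] && [ -s "$cert" ]; then
        return 0
    fi

    # Subshell keeps the restrictive umask from leaking into the caller.
    (
        umask 077
        # Temp files live next to the targets so the final rename stays on
        # one filesystem and is atomic.
        tmpkey=$(mktemp "$key.XXXXXX") || exit 1
        tmpcert=$(mktemp "$cert.XXXXXX") || { rm -f "$tmpkey"; exit 1; }

        if openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
               -subj "/CN=$(uname -n)" \
               -keyout "$tmpkey" -out "$tmpcert" >/dev/null 2>&1 &&
           chmod 600 "$tmpkey" && chmod 644 "$tmpcert" &&
           mv -f "$tmpcert" "$cert" && mv -f "$tmpkey" "$key"
        then
            exit 0
        fi

        # Failure: leave no partial key material behind.
        rm -f "$tmpkey" "$tmpcert"
        exit 1
    )
}

# Typical call from the pre-start step (paths are placeholders):
#   ensure_cert /etc/pki/tls/private/myservice.key /etc/pki/tls/certs/myservice.crt
```

Because the files do not exist until this runs on the target, an image built on a different host ships no private key, and every instance booted from that image gets its own.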