[Opendnssec-user] Warning to all EPEL 6 users (Red Hat / Fedora / CentOS etc) (fwd)

Paul Wouters paul at nohats.ca
Mon Jul 9 20:23:18 UTC 2012

(this seems stuck in a moderator queue, using my other email address to

---------- Forwarded message ----------
Date: Sun, 8 Jul 2012 18:59:55
From: Paul Wouters <pwouters at redhat.com>
Cc: opendnssec-user at lists.opendnssec.org
To: Jerry Lundström <jerry at opendnssec.org>
Subject: Re: [Opendnssec-user] Warning to all EPEL 6 users (Red Hat / Fedora /
     CentOS etc)

On Sun, 8 Jul 2012, Jerry Lundström wrote:

> Unfortunately an alpha release of 1.4.0 (1.4.0a1) has been pushed to
> Fedora 16 / 17 and EPEL 6 stable repositories [1].

Note these were pushed months ago.

> An upgrade can be devastating to your system, wipe configurations, so
> I would advise against it until this matter is resolved.

As rpm never wipes config files, I looked into this and found that
there is a bug in the opendnssec.spec.in file shipped in trunk:

%config %{_sysconfdir}/opendnssec/*

Since the config files were not marked with %config(noreplace) they
will be overwritten by ANY update. So even if you configured your
zones in zonelist.xml, and installed a new package from YOUR spec file,
for instance for 1.3.10, it would wipe your configuration. This is a
serious bug in the spec file shipped with opendnssec and in violation
of the Fedora/EPEL/RHEL packages guidelines.

If you check your built rpm packages with "rpmlint", it would have
returned this as a fatal error.

Note that you now have a new problem to fix in your spec file. Even
if you fix this in the new version, you have people that have installed
the config files marked with "replace". You will need to add a new
trigger section (probably in %triggerin but verify and test!) that
will copy the config files to a save name, and then in %post of the
you can test for these files and move them back in.
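
A checker for the packaging bug described in the message above, added here as an example; it is not part of the original post or of the OpenDNSSEC spec file. It lists `%files` entries whose `%config` directive lacks `noreplace`; the function name and the sample spec are constructed for illustration.

```python
import re

# Headers that start a new spec section and therefore end a %files block.
SECTION = re.compile(
    r"^%(package|description|prep|build|install|check|clean|files|changelog|"
    r"pre|post|preun|postun|pretrans|posttrans|verifyscript|"
    r"triggerin|triggerun|triggerpostun|triggerprein)\b")
# %config with an optional (flag,flag) list, followed by the file path.
CONFIG = re.compile(r"%config(?:\(([^)]*)\))?\s+(\S+)")

# Constructed sample spec; only the first %config line is taken from the page.
SAMPLE_SPEC = """\
Name: example
%description
Constructed sample.
%install
make install DESTDIR=%{buildroot}
%files
%doc README
%config %{_sysconfdir}/opendnssec/*
%config(missingok) %{_sysconfdir}/example/a.conf
%config(noreplace) %{_sysconfdir}/example/b.conf
%changelog
- mentions %config /etc/ignored but is outside %files
"""


def find_replaceable_configs(spec_text):
    """Return (line_number, path) for each %files entry marked %config
    without the noreplace flag, i.e. files an update will replace."""
    findings, in_files = [], False
    for number, line in enumerate(spec_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # spec comment
        header = SECTION.match(stripped)
        if header:
            in_files = header.group(1) == "files"
            continue
        match = CONFIG.search(stripped) if in_files else None
        if match:
            flags = [f.strip() for f in (match.group(1) or "").split(",")]
            if "noreplace" not in flags:
                findings.append((number, match.group(2)))
    return findings


if __name__ == "__main__":
    for number, path in find_replaceable_configs(SAMPLE_SPEC):
        print(f"line {number}: %config without noreplace: {path}")
```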

