[Opendnssec-user] Warning to all EPEL 6 users (Red Hat / Fedora / CentOS etc) (fwd)

Paul Wouters paul at nohats.ca
Tue Jul 17 01:56:27 UTC 2012

On Mon, 9 Jul 2012, I wrote:

> As rpm never wipes config files, I looked into this and found that
> there is a bug in the opendnssec.spec.in file shipped in trunk:
> %files
> %defattr(-,opendnssec,opendnssec)
> %config %{_sysconfdir}/opendnssec/*
> Since the config files were not marked with %config(noreplace) they
> will be overwritten by ANY update.

This turned out not to be true. rpm will adhere to the newer package
that has the "noreplace" flag. Testing the opendnssec team based spec
file and building 1.3.9 and then running yum update gave me:

   Updating   : opendnssec-1.4.0-0.a1.fc16.4.x86_64 1/2 
warning: /etc/opendnssec/conf.xml created as /etc/opendnssec/conf.xml.rpmnew
warning: /etc/opendnssec/kasp.xml created as /etc/opendnssec/kasp.xml.rpmnew
warning: /etc/opendnssec/zonelist.xml created as /etc/opendnssec/zonelist.xml.rpmnew
   Cleanup    : opendnssec-1.3.9-1.x86_64 2/2 
Unable to connect to engine: connect() failed: No such file or directory
   Verifying  : opendnssec-1.4.0-0.a1.fc16.4.x86_64 1/2
   Verifying  : opendnssec-1.3.9-1.x86_64 2/2

   opendnssec.x86_64 0:1.4.0-0.a1.fc16.4

While this would still leave an unusable system, it did not, as was
previously reported, "wipe the configuration". Re-installing the old
opendnssec rpm should have resulted in a workable system without
editing any config files. Obviously, this is still not a good outcome.

Such an upgrade also does not take into account if a package had been
compiled to use sqlite or mysql. Ideally this would be a runtime option,
even more ideally via separate sub-packages that people could install
or leave out.
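
The .rpmnew files shown in the upgrade output above can be found and compared mechanically after an update. This is an added example, not part of the original post or of the OpenDNSSEC packaging; the helper name pending_config_merges and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list config files that an rpm
# upgrade left unmerged under a directory.
#   FILE.rpmnew  - rpm kept the locally modified FILE, new default is beside it
#   FILE.rpmsave - rpm replaced or removed FILE, the old copy is beside it

# pending_config_merges DIR   (hypothetical helper name)
# Prints "<kind> <live-file> <status>" per leftover, where status is
# differs | identical | live-missing. Returns 2 if DIR is not a directory.
pending_config_merges() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f \( -name '*.rpmnew' -o -name '*.rpmsave' \) | sort |
    while IFS= read -r leftover; do
        kind=${leftover##*.}      # rpmnew or rpmsave
        live=${leftover%.*}       # path of the file the daemon actually reads
        if [ ! -e "$live" ]; then
            status=live-missing
        elif cmp -s "$live" "$leftover"; then
            status=identical      # leftover carries no new content
        else
            status=differs        # review and merge by hand
        fi
        printf '%s %s %s\n' "$kind" "$live" "$status"
    done
}

# Demo on a constructed tree that mimics the upgrade output in the message.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/opendnssec"
    for f in conf.xml kasp.xml zonelist.xml; do
        printf '<!-- local 1.3.9 %s -->\n' "$f" > "$tmp/etc/opendnssec/$f"
        printf '<!-- packaged 1.4.0 %s -->\n' "$f" > "$tmp/etc/opendnssec/$f.rpmnew"
    done
    pending_config_merges "$tmp/etc/opendnssec"
    rm -rf "$tmp"
}
demo
```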

