Andreas Hasenack <andr...@canonical.com> writes:

> Presumably yes, but we have to indeed think about it. Normal dpkg conf
> prompts will apply here, unless we do something (smart?) in postinst.
> update: just saw the krb5-config postinst, it indeed tries to handle
> many cases, and this would be another one.

Yeah, krb5-config is quite complicated and doesn't treat /etc/krb5.conf as
a typical Debian configuration file.  It would be really nice to find a
way to get more typical configuration semantics for /etc/krb5.conf, since
the level of complexity makes krb5-config changes fragile and hard to
test, but I don't have any great ideas for how to do that.

> There are two breakage possibilities here:
> a) It's quite possible some users already have a
> /etc/krb5.conf.d/foo.conf file that has been ignored so far, and will
> now be included. That could lead to unexpected behavior, yes.

I think this we can probably say is okay to handle via NEWS.Debian.

> We could grep for include/includedir in krb5.conf, be it a symlink or
> not? What is the scenario where /etc/krb5.conf is a symlink, are some
> sites doing that?

I suspect there's at least one site somewhere that makes /etc/krb5.conf a
symlink to some file in AFS, but I have no idea how common this sort of
thing is.  Given that the local administrator can just replace the file
with one that doesn't have the includedir, I suppose that at some level
it's just another case of "the local administrator can break their own
system" and we mostly need to try to make people aware of it during
upgrades.

> I see, so for example you will want to create a configuration snippet to
> address #756880, but aren't sure if that file will even be included
> because krb5.conf might not have the includedir directive.

Yes, exactly.

> Note we can now also include specific files, without it having to be a
> whole directory, if this helps.

I don't think that it does.  The file may or may not be there (lots of
people use Kerberos without using libpam-krb5), and there's still the
basic problem that we can't guarantee that the include directive is
present.

> I was thinking about a breaks, as in, new krb5-config would break old
> heimdal.

Ah, yes, that makes sense.  And then packages that need configuration
snippets can depend on the new version of krb5-config and that probably
makes all the right things happen.

-- 
Russ Allbery (r...@debian.org)              <https://www.eyrie.org/~eagle/>
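
The check raised in the thread (look for includedir in krb5.conf, whether or not the file is a symlink), as an added example that is not part of the message and is not krb5-config's postinst code. The function name and return codes are hypothetical; it assumes the directive must start its line, and it inspects only the top-level file, not files pulled in by nested includes.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from krb5-config).
#
# krb5_conf_includes_dir CONF DIR
#   0  CONF has an "includedir DIR" line
#   1  CONF is readable but has no such line
#   2  CONF cannot be read (missing, or a symlink whose target is
#      unavailable, e.g. a network filesystem that is not mounted)
#
# Assumption: the directive starts at column 0 and is followed by
# whitespace and a single path. Commented-out lines do not count.
krb5_conf_includes_dir() {
    kcid_conf=$1
    kcid_dir=${2%/}          # compare without a trailing slash

    # test -r follows symlinks, so a dangling link is reported as
    # unreadable instead of being treated as "no includedir".
    [ -r "$kcid_conf" ] || return 2

    # awk compares the path as a plain string, so the dots in
    # "krb5.conf.d" are not treated as regex wildcards.
    awk -v want="$kcid_dir" '
        /^includedir[ \t]+/ && NF == 2 {
            d = $2
            sub(/\/+$/, "", d)
            if (d == want) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$kcid_conf"
}

# Example call from a maintainer script (paths as named in the thread):
#   krb5_conf_includes_dir /etc/krb5.conf /etc/krb5.conf.d
```

A result of 1 or 2 is the case where a snippet dropped into /etc/krb5.conf.d would be silently ignored, so the upgrade should tell the administrator rather than assume the snippet is active.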
