NetBSD-Bugs archive


Re: bin/23212 (openssh /etc/moduli copied by postinstall should be etcupdate)



The following reply was made to PR bin/23212; it has been noted by GNATS.

From: Valery Ushakov <uwe%stderr.spb.ru@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/23212 (openssh /etc/moduli copied by postinstall should be
 etcupdate)
Date: Wed, 19 Jun 2019 19:37:22 +0300

 I have no clue about moduli(5) and why would you want to make local
 changes to it (I guess for most uses people are just ok with the
 defaults, but people who actually know their crypto might have valid
 reasons to change it), but this seems like exactly the kind of problem
 why I never use postinstall for anything but "obsolete" and
 "catpages", which are, arguably, completely orthogonal to the rest of
 the postinstall checks.
 
 Note that etcupdate should do the right thing here, asking to merge
 changes if there are any (new), so the solution is simple: do not run
 postinstall fix before etcupdate and when etcupdate runs postinstall
 check, evaluate (and ignore :) its suggestions.  After successful
 etcupdate you should only need "postinstall fix obsolete catpages"
 anyway.
 
 Since postinstall doesn't have any means to do an interactive merge,
 I'd probably restrict the moduli check to only "check" and "diff" and
 skip it for "fix".
 
 -uwe
 

