(In reply to Marketa Calabkova from comment #5) > (In reply to Thorsten Kukuk from comment #4) > > So the %post will never be executed again and can be removed, including the > > PreReq line. > > With the fix from 2016g it should at least be never executed twice :) . > Removing the %post phase could cause some problems only to the systems where > these files are not symlinks, so (according to you) systems which were last > updated 10 years ago. Yes, there should be no such running system. SLES 11 SP4, SLES12 and SLES15 have this code, so everybody updating from them has in every case a "fixed" system. An upgrade from an older version (like SLES 11 SP3) is not supported. > Regarding the "PreReq: filesystem, coreutils": I see why it can be removed. > Just by curiosity: Is it even possible that a system does not have these > packages later than at the very beginning? filesystem is always installed due to other dependencies, but in the end not really required, as RPM will create the directories you need. coreutils is not necessary installed, there are alternate implementations possible like busybox-coreutils. If the %post is removed, the timezone package does not need them anyways. But if %post stays, the "PreReq: coreutils" has to be replaced with "Requires(post): /usr/bin/rm /usr/bin/ln", as this is what the package needs. > > Another question is the "%verify(not link md5 size mtime) > > %{_datadir}/zoneinfo/posixrules" line. > > This prevents our tools to find out if somebody tampered with /usr. Which is > > already bad. As this file is coming from the package itself, I don't see a > > need for it. > > What does this %verify actually do, please? The %verify tells rpm what it should do if you call "rpm -V". So this case, rpm -V timezone will not verify, if the content of the link, the md5 checksum, size or mtime has changed compared what got installed from the package. > Yes, it could relink the symlink. And I wonder why this "obsolete" notice > isn't in an installed man page... More of this, we actually use this feature > in our spec file to generate posixrules. The usage of "zic" in the build section is correct, and in the %install section we have: ln -sf /etc/localtime %{buildroot}%{_prefix}/share/zoneinfo/posixrules So removing the %verify from %{_prefix}/share/zoneinfo/posixrules should be Ok, don't see why it should be needed with the current package.