http://bugzilla.suse.com/show_bug.cgi?id=1081947 http://bugzilla.suse.com/show_bug.cgi?id=1081947#c68 --- Comment #68 from Stanislav Brabec --- Important note to all package maintainers who use %config(noreplace) /etc/pam.d/foo If you use this, pam_keyinit will not be integrated on upgrade of systems with custom modifications of the PAM file. I recommend to use: %config /etc/pam.d/foo Note: Most RPM documentation doesn't say true about "%config". Following is correct: %config(noreplace) If the old and new packaged config files have the same MD5: Installed file is left as it is, update is completely skipped. If the old and new packaged config files have different MD5: Installed file is left as it is and .rpmnew file with a new packaged contents is created. %config If the old and new packaged config files have the same MD5: Installed file is left as it is, update is completely skipped. If the old and new packaged config files have different MD5: Installed file is replaced and .rpmorig file with the previous installed file is created. It implies: 1) %config /etc/pam.d/foo is what most maintainers want: - If the package maintainer does not change the pam file, custom modifications are kept forever. - If the package maintainer changes the pam file, custom modification are removed (and backed up) in favor of the new contents. 2) If you integrate pam_keyinit first and later remove "(noreplace)", and these changes are installed by two steps on a system with custom modifications, then the custom modifications are kept forever, and pam_keyinit is not integrated. A simple work around: Together with removal of "(noreplace)", do pam files modification (e. g. use "expand" command, change number of spaces or so). -- You are receiving this mail because: You are on the CC list for the bug.