On 11/7/22 23:43, Jim Henderson wrote:
> *nobody* should be making changes to my systems' configurations without my consent. *NOBODY*, period. If I upgrade packages, I expect the binary code to be updated and the config files to be left alone unless the upgraded files somehow are incompatible with the configuration

Then you should simply not use mainstream distros at all because all of them deal with configs.

A Linux distribution has conflicting goals to be solved by packagers:

1. Provide a default configuration for inexperienced users/admins to have a working system with some services running, which also means introducing new config parameters during updates.
2. Keep everything working also after updates for every system on the planet, e.g. by not applying "new" configs.

I presume nobody has a silver bullet to solve this conflict.

When developing Æ-DIR's ansible roles for the various mainstream distros I kept constantly fighting against too much pseudo config management in the distro's packages. But I have to admit that I can somewhat understand why the packagers are adding config stuff to make things work directly.

My solution for critical stuff is

1. to use completely separate config files wherever possible.
2. to install separate systemd service units referencing these separate config files.
3. to use config management so issues can be fixed simply by re-applying the config in an idempotent way.
4. to create custom packages for some rare cases.

As said, everything related to login/sudo or anything else needed to run your config management procedures can get tricky. You should have fallback options prepared on your critical systems.

Ciao, Michael.
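
The following is an added example, not part of Michael's message and not Æ-DIR's code: a minimal sketch of points 1 to 3, where a site-owned config file and a separate systemd unit referencing it are applied idempotently, so re-applying reports only real drift. The service name `exampled`, its `-f` option and all paths are hypothetical.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical daemon, unit name and paths, constructed for this example.
CONF = "listen = 127.0.0.1:8443\nloglevel = info\n"
UNIT = """[Unit]
Description=exampled with site-managed configuration

[Service]
ExecStart=/usr/sbin/exampled -f /etc/site/exampled.conf
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""
# Desired state: relative path -> (content, mode). Nothing here lives in a
# location that the distro package would overwrite on upgrade.
DESIRED = {
    "etc/site/exampled.conf": (CONF, 0o640),
    "etc/systemd/system/exampled-site.service": (UNIT, 0o644),
}

def ensure_file(path, content, mode):
    """Bring one file to the desired state; return True only if it changed."""
    data = content.encode()
    if path.is_file() and path.read_bytes() == data:
        if (path.stat().st_mode & 0o7777) == mode:
            return False                      # already correct: no write
        os.chmod(path, mode)                  # content fine, mode drifted
        return True
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    os.chmod(tmp, mode)
    os.replace(tmp, path)                     # atomic swap, no partial file
    return True

def apply(root):
    """Apply the desired state under root; return the paths that changed."""
    return [rel for rel, (content, mode) in DESIRED.items()
            if ensure_file(Path(root) / rel, content, mode)]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:   # stand-in for "/"
        print("first run changed: ", apply(root))
        print("second run changed:", apply(root))
```
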