On 02/19/2016 03:14 PM, Alexander Bokovoy wrote: > On Fri, 19 Feb 2016, Martin Kosek wrote: >>>> Why trust-add? >>>> >>>> I'm not a big fan of cluttering existing commands(find, show, mod) with >>>> logic >>>> to fix one upgrade bug. But I understand a need to communicate it somehow. >>>> >>>> Would it make sense to move such logic to a separate command, e.g. >>>> trust-check/trust-verify? The command can do additional check in a future. >>> No. What is the value of trust-add if it says you 'Trust established and >>> verified' while in reality it didn't? This specific issue is very easy >>> to catch. >> >> I think the point was that we are proposing and doing a non-trivial >> engineering >> effort to do warning for one-off bug that will be fixed in next bugfix >> release. >> I would agree if the check is more systematic, but doing a special LDAP >> search >> (for example) from now on because of this one-off bug does not seem to me as >> ideal path. > I don't want to have a separate LDAP search. We do LDAP search *already* > in trust_add because the object is actually created by Samba code as > result of our interactions with local smbd, so we anyway are reading it.
Ok. > The problem here is in the fact that somebody may restore a backup done > before the package upgrade which means whole data in LDAP will be back > to the old state even though we ran the upgrade before. I think that is a highly unlikely situation to warrant any non-trivial development effort. After such restore, when the admin notice that trust is not working, they would start redoing trust-add anyway. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
