Summit

Create /etc/pristine/ containing unmodified copies of conffiles

2012-05-10 10:00..10:45 in Jr. Ballroom 2

Currently, dpkg is aware of which files in a package are conffiles, the conffiles' checksums and where those conffiles live on the system once the package is installed.

However, there are problems:

(1) What if the user modifies a conffile incorrectly such that the service no longer starts or behaves erratically?

(2) What if the user modifies an Upstart job conffile such that the system no longer boots? (This is the same problem as (1) but results in a significantly worse outcome!)

(3) What if the user cannot remember what changes they made to invalidate the conffile (and forgot to back up the unmodified conffile)?

There are many facilities available to help with (3) including version-control systems and configuration management systems. However, the default Ubuntu system should have a simple way to mitigate some of the problem scenarios.

The proposal is to modify dpkg either directly or by way of triggers such that every conffile is installed as normal but an additional copy of the conffile is placed in /etc/pristine/ (or some sub-directory). The files will all be given the same owner+group as the corresponding original conffile but permissions will be set to 0440 to discourage inadvertent modification.

This gives the following benefits:

(a) Problem (1) can be solved easily since the user can use diff(1) to compare their modified conffile with the pristine version in /etc/pristine/.

(b) Problem (2) can be solved in the same way as Problem (1), but there is some extra magic available to help the user:

If they have modified /etc/init/.conf directly, or even created /etc/init/.override files to modify the .conf file indirectly, we could add a new boot option that would invoke Upstart like this:

init --confdir /etc/pristine/init/ --startup-event=emergency-boot --no-log --no-sessions --debug

Doing this would ensure that the system will boot using the pristine conffiles installed in /etc/pristine/init/ rather than the potentially corrupted /etc/init/*.conf files. We could then start a job based on the 'emergency-boot' event that would guide the user to restoring their system to a normally booting one. We could just show the user which job files and override files they have changed, by date, and offer to revert the changes, but there are a few possibilities. We could even warn the user if they leave /etc/init/ in a condition different from /etc/pristine/init/, but the expectation is that at the end of the recovery process, all future boots will behave as expected.

(c) By having a pristine copy of each conffile of the system, it would also be possible to provide 3-way merge facilities in the future when dpkg could show the user the following on package upgrade:

  • the locally modified conffile
  • the local pristine version of the conffile
  • the new about-to-be-installed pristine conffile
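
The comparison behind benefits (a) and (b), as an added example that is not part of the original proposal and is not dpkg or Upstart code. It assumes /etc/pristine/<path> mirrors /etc/<path>; the function names, status labels and the "food" job are hypothetical, and the sample trees are constructed.

```shell
#!/bin/sh
# Added example (not dpkg or Upstart code). Assumed layout: /etc/pristine/<path>
# mirrors /etc/<path>, e.g. /etc/pristine/init/food.conf <-> /etc/init/food.conf.

# pristine_audit ETC_DIR PRISTINE_DIR
# Prints "STATUS<TAB>path" per finding, path relative to ETC_DIR:
#   MISSING   pristine copy exists but the live conffile is gone
#   MODIFIED  live conffile differs from its pristine copy
#   BADMODE   pristine copy is not mode 0440, so it may itself have been edited
#   OVERRIDE  Upstart .override file, which changes a job without touching .conf
pristine_audit() {
    etc=$1
    pristine=$2
    # The top-level README suggested for /etc/pristine/ is not a conffile copy.
    ( cd "$pristine" && find . -type f ! -path ./README | sed 's|^\./||' | sort ) |
    while IFS= read -r rel; do
        if [ ! -e "$etc/$rel" ]; then
            printf 'MISSING\t%s\n' "$rel"
        elif ! cmp -s "$pristine/$rel" "$etc/$rel"; then
            printf 'MODIFIED\t%s\n' "$rel"
        fi
        # find prints the name only when the mode is not exactly 0440.
        if [ -n "$(find "$pristine/$rel" ! -perm 0440)" ]; then
            printf 'BADMODE\t%s\n' "$rel"
        fi
    done
    if [ -d "$etc/init" ]; then
        ( cd "$etc" && find init -type f -name '*.override' | sort ) |
        while IFS= read -r rel; do
            printf 'OVERRIDE\t%s\n' "$rel"
        done
    fi
}

# Constructed sample trees (hypothetical "food" job, not real system files).
pristine_demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/init" "$t/pristine/init"
    printf 'exec /usr/sbin/food\n'  > "$t/pristine/init/food.conf"
    printf 'exec /usr/sbin/foood\n' > "$t/etc/init/food.conf"      # user typo
    printf 'manual\n' > "$t/etc/init/food.override"
    printf 'x=1\n' > "$t/pristine/bar.conf"      # live copy was deleted
    chmod 0440 "$t/pristine/init/food.conf"
    chmod 0644 "$t/pristine/bar.conf"            # wrong mode on purpose
    pristine_audit "$t/etc" "$t/pristine"
    rm -rf "$t"
}

pristine_demo
```

On a system with the proposed tree in place, the call would be `pristine_audit /etc /etc/pristine`; an empty result means the live conffiles match their pristine copies.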

The costs of creating /etc/pristine/:

  • Extra disk space consumed

Taking two 12.04 systems as examples:

package count: 1751, size of conffiles: 11M

package count: 4041, size of conffiles: 16M

A basic desktop install would show slightly lower figures, but these numbers are significant enough that we might want to audit the conffiles in a default install to consider a strategy.

For example, for the first system above, of the top 15 largest conffiles, 8 come from the 'brltty' package and those 8 files account for 20% of the total conffile size (2.2M).

Additional information/thoughts:

  • FreeBSD already retains pristine copies of key system configuration files in /etc/defaults/. Using this name, though, could be confusing to Ubuntu users, since on Ubuntu /etc/default/ is used to store files that are intended to be modified.

  • What about the 'ucf' ("Update Configuration File") and 'etckeeper' packages?

  • Might be helpful to create /etc/pristine/README with a couple of lines of description?