Hello Lars!
I shall try to anwser them according to my (small) experience as a
webapp package maintainer. I am not a Debian developper, though, and I
am just a newbie packager, so take my advice with care. :-)
The Debian webapp packages I saw (PhpMyAdmin, RoundCube, DokuWiki) do
not add a custom virtual host, but rather an alias /webapp_name
/usr/share/webapp, installed in a conf.d/webapp.conf.
No need if it is in conf.d, I think.
I do not think this is necessary for installing an alias. However, some
packages (DokuWiki) ask for the alias name.
Is that really needed or just optional to beautify some URLs?
I think force-reload is enough: this is what I do for DokuWiki.
I suggest that you:
* enable an alias in /etc/apache2/conf.d;
* do not enable the URL rewrite stuff unless it is really needed;
* keep the code for enabling it commented in the Apache HTTPD
configuration file;
* document how to:
+ enable a virtual host,
+ enable the URL rewrite process
in your README.Debian.

hi lars,
i don't know of too many other apps that install a vhost, but i guess
if you're gonna do it i'd ship the vhost file in sites-available, and
run a2ensite in the postinst and a2dissite in the postrm. throwing some
debconf never hurts but ultimately you have to pick a default behavior
that is taken if debconf is never seen, so it's more of an additional
feature than a requirement i'd say. the only thing that i think is important
is that everything behaves sanely when the package is unconfigured as well
as when it is removed but not purged (i.e. no broken symlinks or other
buggy behavior when the conffiles are present but not the app files).
throw an a2enmod in the postinst? a2enmod should be idempotent, and i
think it's fair to leave it enabled when uninstalling the pkg.
invoke-rc.d apache2 reload/restart in the postinst/postrm (installation,
upgrade, and removal paths), depending on whether the new config
directives require a full restart or just a reload. don't remember off
the top of my head whether vhost configs or rewrite configs require a
full restart, i'm kinda thinking they do.
honestly, i don't think a conservative approach is all that bad, especially
if there's anything complicated in the process. but that also might bring
a point for concern: that users of versions prior to any new "automatic foo"
version have probably already configured their system, and you don't want
to configure/reconfigure the installation on top of it. so maybe put in
a check in the config/postinst maintainer scripts for versions << the new
version and disable any of the behavior if it's an upgrade from such a
prior release.
i guess someone might have already pointed you at dbconfig-common?
there really isn't a good way to get around this unless you are running your
own app server which is proxied by the web server. i think a number of apps
just do it as www-data, leaving it as an exercise for the local admin for
how to strap it down. if the server supports being run via something like
fcgi or wsgi, then it's much easier and i'd recommend trying to run it as
a seperate user, but otherwise i think it might be a bit out of scope of
the packaging, or at least highly dependant on the application/platform.
i think providing some information in that regard would be a good idea,
like mentioning that the app's configuration/db credentials can be read
by other applications, and if any kind of cgi/scripting support (i.e. php) is
enabled for userdirs then any user could effectively get the info too. but
at the same time i kinda think of this as common sense...


sean

--