Object specificity
One of the things I've been struggling with is how to handle conflicts within Puppet. Some conflicts should generate an error:
class base {
  file { "/etc/apache": owner => root }
}
class webserver {
  file { "/etc/apache": owner => httpd }
}
include base, webserver
There's no way to resolve this conflict, since the system can't decide which is more important. Other times, it's very clear how to handle conflicts:
file { "/etc": mode => 644, recurse => true }
file { "/etc/shadow": mode => 440 }
In this case, the first statement affects /etc/shadow implicitly but the second one does so explicitly, so it's pretty clear who should win.
It can get a bit sketchier, though:
class base {
  file { "/etc/apache": owner => root }
}
class solaris inherits base {
  file { "/etc/apache": owner => httpd }
}
include solaris
In this case, it seems somewhat clear that the solaris specification should override the base specification, but, well, we don't really have any way to know whether that's acceptable or not -- it could be that the base specification was a security requirement and any deviations would break policy.
At this point, I'm implementing an 'implicit?' method on objects, which will test whether they were explicitly specified (by checking what their parent object is) or whether they were generated by some kind of recursion process.
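The three cases above as a toy Ruby catalog, added here as an illustration and not Puppet's own code: an explicit declaration beats one produced by recursion, a subclass overrides its base class, and unrelated classes naming the same resource raise an error. The `Resource`/`Catalog` names, the `ancestry` map and the in-memory directory listing are assumptions made for the example.

```ruby
# Added example (not Puppet's own code): a toy catalog applying the post's three
# rules. Names, Catalog#declare, the ancestry map and listing are assumptions.
Resource = Struct.new(:path, :params, :scope, :parent) do
  # Implicit: generated by recursing a parent directory, not named directly.
  def implicit?
    !parent.nil?
  end
end
class ConflictError < StandardError; end
class Catalog
  attr_reader :resources # path => winning Resource
  # ancestry: { "solaris" => "base" } means class solaris inherits base.
  # children: constructed stand-in for a directory listing (no disk access).
  def initialize(ancestry: {}, children: {})
    @ancestry, @children, @resources = ancestry, children, {}
  end
  # Explicit declaration; with recurse => true it also emits implicit children.
  def declare(path, params, scope:)
    res = add(Resource.new(path, params, scope, nil))
    return res unless params[:recurse]
    inherited = params.reject { |k, _| k == :recurse }
    (@children[path] || []).each { |c| add(Resource.new(c, inherited, scope, res)) }
    res
  end

  private

  def inherits?(child, base)
    cur = @ancestry[child]
    cur = @ancestry[cur] while cur && cur != base
    !cur.nil?
  end

  # Decide who wins when two declarations name the same path.
  def add(res)
    old = @resources[res.path]
    if old.nil?
      @resources[res.path] = res
    elsif old.implicit? != res.implicit?
      # Explicit beats implicit: a direct /etc/shadow wins over one recursed from /etc.
      @resources[res.path] = res unless res.implicit?
    elsif inherits?(res.scope, old.scope)
      # A subclass overrides its base class (the post's "sketchier" case).
      @resources[res.path] = res
    elsif !inherits?(old.scope, res.scope)
      # Unrelated classes naming the same resource: nothing ranks them, so error.
      raise ConflictError, "#{res.path}: #{old.scope} vs #{res.scope}"
    end
    @resources[res.path]
  end
end
```

Declaration order does not change the outcome: an explicit /etc/shadow declared before a recursive /etc still wins, and a base-class declaration added after its subclass's does not clobber it.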