> So I'd like to have a scheme where after a package upgrade,
> some callback script is run (either only for packages in some local
> list of pax-sensitive packages, or for all packages but with an
> argument mentioning the package name).
>
> Any ideas? (or tips where to ask?)
how about chpax.{sh,cfg} on the PaX site?