This strikes me as the sort of thing a lot of packages deal with, and at least from my experience, if you factored out the cipher list into a configuration option it gives you some options, like a prompt when you update the package about switching or not. Where it doesn’t conflict with any distribution guidelines, I would probably prefer to see it default to changing the setting if you just click through (well, actually enter/return through, given you are likely on the CLI), but that way a user who knows what they are doing and knows those prompts should be looked at a bit more carefully can take the time to decide if it’s right for them, and there is a notification that must be looked at and acted on prior to changing any configuration, while keeping the basic user that’s still root (perhaps a VPS, etc.) up to date by default. I also hesitate to like any move where new and old sites are treated differently by default; if I do a testing site dev.example.com, I don’t want it to do something different when I later deploy it at www.example.com. It also creates differences across sites’ configurations, and that makes it harder to keep track of things or figure out why one site is fine and another isn’t, or why the new site you just added doesn’t work when the one you did the exact same way a month ago does.
This sounds like it mostly fits your disclose and opt out belief, though I’d like it to not be about retroactive changes but about changing the cipher suite on managed sites (the factoring out into a configuration option also would allow for a system-wide override by the user of the list if they have special needs, I guess, as well). I’d want to make sure that any notify and opt out required an affirmative action prior to doing it as well, like the screen during package update, so zero action (like not applying updates or only automatic updates which the system can do unattended) won’t change things.
I’m not sure about the nitty-gritty details of packaging, but it may be you would need it to be a special file for the cipher list rather than a configuration line to reliably change that in an update without overwriting the rest of the configuration.