%triggerpostun is way too late at least with rpm4.
suppose packageA in version 2 requires group G during installation and G
is provided by setup version 2. packageA has R: setup >= 2. user has old
versions of packageA 1 and setup 1 installed and upgrades packageA
pulling new version of setup. both are part of same transaction. rpm4
first installs setup 2 (until %post), than packageA 2 (until %post) and
only then starts cleanup seemingly in reverse dependency order so first
packageA and then setup. that makes %triggerpostun of setup package to
be one of the very last operation while the group G was required at the
very beginning during packageA installation. new group needs to be added
at the point of %post.
joinpasswd used to be part of %post, but moved to %triggerpostun back in
2003 without explanation in commit message. perhaps binary was not
static back then?