On 07/17/2013 05:57 PM, John Johansen wrote:
> On 07/11/2013 12:55 PM, Christian Boltz wrote:
>>> v2 policies can stay
>>> as v2 until we test them under v3 and then have them in both. I think
>>> we need to do it this way since people might reboot into different
>>> kernels and while policy should load and I don't think we guarantee
>>> that v3 policy compiled with a v3 parser loaded into a v2 kernel will
>>> work as expected (ie, just like v2 policy, v2 policy and a v2
>>> kernel). As such, when both exist, use the one that is appropriate
>>> for the kernel.
>>
>> Exactly this is the reason why I don't like to have a separate directory
>> with a duplicated set of the profiles. I have more than enough
>> experience with code duplication[2], and learned to avoid the "cp"
>> command at any price.
>>
> yes this can be a problem
>
>> With an additional copy of the profiles, we'll end up in a maintenance
>> hell - and users will kill us because they have to update two profiles
>> instead of one if they want to switch kernels.
>>
> we end up with maintenance hell either way, it's just deciding between
> which one is the 8th or 9th plane thereof
>

It feels much cleaner and easier to manage with separate directories. I
acknowledge there is a maintenance cost, but we have a review process that
should keep us honest. I don't think the added cost of maintaining in two
places is nearly as risky or burdensome as trying to get all the corner
cases handled correctly.

-- 
Jamie Strandboge
http://www.ubuntu.com/
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
