On 07/18/2013 01:02 PM, Jamie Strandboge wrote:
> On 07/17/2013 05:57 PM, John Johansen wrote:
>> On 07/11/2013 12:55 PM, Christian Boltz wrote:
>>>> v2 policies can stay
>>>> as v2 until we test them under v3 and then have them in both. I think
>>>> we need to do it this way since people might reboot into different
>>>> kernels and while policy should load and I don't think we guarantee
>>>> that v3 policy compiled with a v3 parser loaded into a v2 kernel will
>>>> work as expected (ie, just like v2 policy, v2 policy and a v2
>>>> kernel). As such, when both exist, use the one that is appropriate
>>>> for the kernel.
>>>
>>> Exactly this is the reason why I don't like to have a separate directory 
>>> with a duplicated set of the profiles. I have more than enough 
>>> experience with code duplication[2], and learned to avoid the "cp" 
>>> command at any price.
>>>
>> yes this can be a problem
>>
>>> With an additional copy of the profiles, we'll end up in a maintenance 
>>> hell - and users will kill us because they have to update two profiles 
>>> instead of one if they want to switch kernels.
>>>
>> we end up with maintenance hell either way, it's just deciding between
>> which one is the 8th or 9th plane thereof
>>
> It feels much cleaner and easier to manage with separate directories. I
> acknowledge there is a maintenance cost, but we have a review process that
> should keep us honest. I don't think the added cost of maintaining in two
> places is nearly as risky or burdensome as trying to get all the corner
> cases handled correctly.
> 
of course to play the devil's advocate the problem with directories is we
don't just have 2, as we get new versions we have more and more directories



-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
