On 07/28/2014 02:16 PM, Christian Boltz wrote:
> Hello,
>
> On Monday, 28 July 2014, Jamie Strandboge wrote:
>> On 07/27/2014 12:47 PM, Christian Boltz wrote:
>>> I discussed a bit with intrigeri about a profile repo for
>>> cross-distribution usage and profile sharing. Here's the log -
>>> feedback welcome ;-)
>
>>> [19:08:47] <cboltz> just as a quick idea:
>>> http://paste.opensuse.org/96760488
>>>
>>> + apparmor-profiles
>>>   |-- debian
>>>   |   |-- Wheezy
>>>   |   '-- Jessie
>>>   |-- openSUSE
>>>   |   |-- 12.3
>>>   |   '-- 13.1
>>>   '-- Ubuntu
>>>       |-- Trusty_Tahr
>>>       '-- Utopic_Unicorn
>>
>> This is the intent for apparmor-profiles, but so far only Ubuntu has
>> put profiles there. I think it would be great to have other distro
>> profiles in there. You've probably seen this, but in case you
>> haven't:
>>
>> http://wiki.apparmor.net/index.php/Profiles
>
> Yes, I know this page and the apparmor-profiles repo.
>
>> Now, the way Ubuntu handles profiles is that we ship production
>> distro-profiles in the packages themselves and the apparmor-profiles
>> repository is a place for in-progress profiles or profiles that for
>> some reason don't fit with the distro. We ship the profiles in the
>> packages themselves so that package maintainers (i.e., the people who
>> know the software being confined best) are able to update the
>> profiles and also to avoid a central profiles package that is gated
>> on a handful of developers (or fewer). As such, the apparmor-profiles
>> bzr repo doesn't have the profiles that Ubuntu actually ships (but we
>> do leave the profile file in place with a note on where to find the
>> official profile (see ubuntu/14.10/usr.bin.evince as an example)).
>
> I think we had this discussion in the past already ;-)
>
> Shipping profiles in the respective package is nice if it works (and the
> package maintainers take care of the profile), and horrible if the
> maintainers don't care.
>
> For openSUSE, bug reports about AppArmor profiles tend to be assigned to
> me first (not a big surprise), and there are also a few packagers who
> include profiles in their package and care for the profiles.
>
> However, that's not the point of the cross-distribution repo ;-)
>
>
> The point is to
> a) have a place where _all profiles_ of _all distributions_ are
>    available (no, I do not want the "this profile is maintained in
>    $package" placeholders - instead, I'd like to have them automatically
>    pulled from the packages regularly so that I don't have to hunt
>    through the packages of 5 distributions - maybe do this in a
>    subdirectory "maintained-in-package" (or
>    "maintained-in-package/$package") to make clear where they come from)
> b) merge the profiles "upwards", for example from "openSUSE 13.1" to
>    "openSUSE" (which ideally means "all supported releases" or at least
>    "the next release") and finally to the global level for all
>    distributions.
>
> The big goal is b), a) is just a way to make it easier ;-)
>
>
> I'm quite sure it's possible to create cross-distribution profiles
> (hint: we already do that with the profiles we ship in the AppArmor
> tarball ;-)
>
> The permissions and paths required for accessing binaries, libraries
> etc. are (nearly) the same everywhere, so that can easily be merged,
> even if we need some /{usr/,}bin/foo magic in some cases.
>
> Paths for data directories might differ, but it's easy to separate them
> out to tunables/ so that the main profile can be shared.
> That means a 99% win, with 1% distro-specific tunables/ remaining.
>
>
> Abstractions should be the same everywhere IMHO, so we should enforce
> that changed and new abstractions are always pushed to the apparmor
> repo.
> This also means disallowing abstractions in the apparmor-profiles repo.
>
>
> And finally - why should we do this?
>
> Easy answer: because programmers and packagers are lazy - it's easier to
> copy the cross-distro profile into your package (and maybe patch the
> tunables/ part) than to maintain a profile that is specific to your
> distro ;-)
>
> As a side effect ;-) we get profiles for more applications that
> (hopefully) work everywhere.
>
> Yes, I know merging profiles causes some work, but in the long term I
> hope it makes it easier for everybody.
>
I think you misunderstood my email. I was not advocating the status quo, I
was merely stating what it is and what Ubuntu is currently doing. I am all
for getting more people profiling and making the repo more usable for people
and welcome the discussion.

As for what Ubuntu is currently doing with apparmor-profiles, we actively
took the decision to have placeholders if we ship them in our distro since
we don't want to have to maintain them in two places. I think what you are
suggesting would suffer from the same issue, unless I am missing something?
How do people see avoiding this with the new way?

-- 
Jamie Strandboge
http://www.ubuntu.com/
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
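The `/{usr/,}bin/foo` alternation and the tunables/ split that Christian describes above, as an added illustration that is not part of the thread or of any distribution's profile set. The daemon name `foo`, the variable `@{FOO_DATA}`, the file `tunables/foo` and the directory values are all constructed; the profile body would be byte-identical on every distribution, with only the tunable file differing.

```apparmor
# --- tunables/foo (constructed example; one copy per distribution) ---
# Debian/Ubuntu-style layout:
@{FOO_DATA}=/var/lib/foo
# A distribution that installs the data elsewhere ships a different
# value here; several space-separated values are allowed and each one
# is expanded as an alternative, e.g.
# @{FOO_DATA}=/var/lib/foo /srv/foo

# --- usr.bin.foo (constructed example; identical on every distribution) ---
#include <tunables/global>
#include <tunables/foo>

# /{usr/,}bin/foo attaches to both /bin/foo and /usr/bin/foo, so one
# profile covers merged-/usr and split-/usr installations.
/{usr/,}bin/foo {
  #include <abstractions/base>

  # the binary itself: read plus mmap-executable
  /{usr/,}bin/foo mr,

  # distribution-specific data directory, resolved through the tunable;
  # the profile never hard-codes the path
  @{FOO_DATA}/ r,
  @{FOO_DATA}/** rwk,

  # a path that is the same everywhere needs no tunable
  /var/log/foo.log w,
}
```

Because the distro-specific part is confined to tunables/, a packager can copy usr.bin.foo unchanged and only adjust the tunable, which is the "99% win, 1% tunables" split described in the quoted mail.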
