Hi,

Christian Boltz wrote (28 Jul 2014 20:14:04 GMT) :
> On Monday, 28 July 2014, Jamie Strandboge wrote:
>> As for what Ubuntu is currently doing with apparmor-profiles, we
>> actively took the decision to have placeholders if we ship them in
>> our distro since we don't want to have to maintain them in two
>> places. I think what you are suggesting would suffer from the same
>> issue, unless I am missing something? How do people see avoiding this
>> with the new way?

> I know the placeholders make sense for Ubuntu (to avoid duplication),
> but they make it hard for other distributions to pick up the profiles.

Agreed.

> I'd propose to automatically "collect" the profiles from all packages
> and store them in a subdirectory of apparmor-profiles/$distro/$release.
> Something like "maintained-in-package/" (or "maintained-in-
> package/$package/").

Agreed.

As a bonus, this would make it easier for Debian AppArmor people to
address situations like when a Debian package suddenly starts shipping
an AppArmor profile coming from upstream (lxc, lightdm), that relies on
out-of-tree kernel features. If we had a central place where we could
monitor this, then we would be in a better position to promptly fix
things up. Same when Ubuntu updates a profile, and we have to pull it
into apparmor-profiles-extra or into the corresponding individual
package in Debian.

> Collecting the profiles should be fully automated, so that we just need
> a cronjob that pulls all packages containing profiles regularly,
> extracts the profiles and pushes them to the apparmor-profiles repo.

Yes, that's what I've had in mind for a while, without having time to
write it down unfortunately. Here we go.

Identifying packages that ship profiles should be easy, e.g. on Debian
and derivatives, one should look for packages that "Suggests: apparmor".
This would be the first iteration.

Once we have this list for major distros, retrieving the profiles
themselves is pretty easy when they can be found in expected places.
E.g. I've been using this script to pull profiles from individual
Ubuntu packages:
http://anonscm.debian.org/gitweb/?p=collab-maint/apparmor-profiles-extra.git;a=blob;f=debian/scripts/pull-profile-from-ubuntu

Dealing with the easy cases in an automated way would be the second
iteration.

Now, assuming this covers the easy/general case, what to do with the
remaining exceptions?

I think we could work towards unifying how and where we put profiles in
source packages, so that more packages fall into the easy/general case.
But there'll always be situations that don't fit into the general scheme
(e.g. profile shipped in the upstream tarball, and upstream doesn't want
to rename/move it), so we'll also probably need some place to put
information about the remaining exceptions, e.g. package name ->
profile(s) location in the source package or VCS, with optional
per-{distro,distro release,package version} overrides or similar to
handle differences. This would be the third iteration.

Maintaining profiles in two places should not be a problem for distros
(particularly, Ubuntu), if the collecting process is automated, right?

Cheers,
-- 
intrigeri

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
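As an added illustration of the first two iterations described in this thread (find packages whose control data says "Suggests: apparmor", then pull profiles out of the expected places in the unpacked source and drop them under maintained-in-package/$package/), here is a small Python sketch. It is not intrigeri's pull-profile-from-ubuntu script nor anything from the apparmor-profiles repository; the Sources-style index, the source tree and the list of "expected" profile locations (etc/apparmor.d/, debian/apparmor/, debian/*.apparmor, apparmor/) are all constructed assumptions for the example, and the profile heuristic only checks for a top-level `profile name {` or `/path {` block header.

```python
"""Collect AppArmor profiles from source packages that 'Suggests: apparmor'.

Constructed example: the package index and source tree below are made up
for illustration; the expected profile locations are an assumption.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample of a Debian Sources-style index (three stanzas).
SAMPLE_SOURCES = """\
Package: lightdm
Version: 1.10.0-1
Suggests: apparmor (>= 2.8.95), accountsservice

Package: lxc
Version: 1.0.4-1
Suggests: apparmor | selinux-basics,
 lxc-templates

Package: hello
Version: 2.9-1
Suggests: nothing-else
"""

# Assumed locations, relative to the unpacked source, where profiles usually live.
PROFILE_GLOBS = ("etc/apparmor.d/*", "debian/apparmor/*", "debian/*.apparmor", "apparmor/*")

# Matches a profile block header such as "/usr/sbin/lightdm {" or "profile foo /bin/foo flags=(complain) {".
PROFILE_HEADER = re.compile(r"^\s*(profile\s+\S+(\s+\S+)?|/\S+)\s*(flags=\([^)]*\)\s*)?\{", re.M)


def parse_stanzas(text):
    """Split an RFC822-style index into dicts, folding indented continuation lines."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():            # blank line ends a stanza
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last:  # continuation of the previous field
            cur[last] += " " + line.strip()
        else:
            key, _, val = line.partition(":")
            last = key.strip()
            cur[last] = val.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def suggests_apparmor(stanza):
    """True when 'apparmor' is a package name in Suggests (version constraints and '|' alternatives ignored)."""
    for dep in stanza.get("Suggests", "").split(","):
        for alt in dep.split("|"):
            words = alt.split()
            if words and words[0] == "apparmor":
                return True
    return False


def packages_suggesting_apparmor(index_text):
    """First iteration: the sorted list of source packages that Suggests: apparmor."""
    return sorted(s["Package"] for s in parse_stanzas(index_text) if suggests_apparmor(s))


def looks_like_profile(path):
    """Heuristic filter so READMEs or helper scripts in the same directory are skipped."""
    return bool(PROFILE_HEADER.search(path.read_text(errors="replace")))


def find_profiles(srcdir):
    """Second iteration: profile files found in the expected places, as paths relative to srcdir."""
    srcdir = Path(srcdir)
    found = []
    for pattern in PROFILE_GLOBS:
        for p in sorted(srcdir.glob(pattern)):
            if p.is_file() and looks_like_profile(p):
                found.append(str(p.relative_to(srcdir)))
    return found


def collect(srcdir, package, repo_root):
    """Copy each profile into <repo_root>/maintained-in-package/<package>/ and return the copied paths."""
    dest = Path(repo_root) / "maintained-in-package" / package
    dest.mkdir(parents=True, exist_ok=True)
    copied = []
    for rel in find_profiles(srcdir):
        target = dest / Path(rel).name
        shutil.copy2(Path(srcdir) / rel, target)
        copied.append(str(target.relative_to(repo_root)))
    return copied


def demo():
    """Build a constructed lightdm source tree in a temp dir and run both iterations over it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "lightdm-1.10.0"
        (src / "debian" / "apparmor").mkdir(parents=True)
        (src / "debian" / "apparmor" / "usr.sbin.lightdm").write_text(
            "#include <tunables/global>\n/usr/sbin/lightdm {\n  #include <abstractions/base>\n}\n")
        (src / "debian" / "apparmor" / "README").write_text("not a profile\n")  # must be skipped
        repo = Path(tmp) / "apparmor-profiles"
        return packages_suggesting_apparmor(SAMPLE_SOURCES), collect(src, "lightdm", repo)


if __name__ == "__main__":
    print(demo())
```

In a real cronjob the index would come from `apt-get source`/the distro's Sources files and the destination would be the apparmor-profiles checkout; the third iteration (per-package overrides for profiles that live in unusual places) would simply extend PROFILE_GLOBS per package from a small exceptions table.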
