Hi!

Jamie Strandboge:
> I read the entire draft. It reads well and covers a lot.

:)

> I did want to mention that it may be worth pointing out that because
> of AppArmor upstream's efforts to push up the entire Ubuntu delta to
> the upstream kernel, Buster's kernel will hopefully/likely have
> everything and no out-of-tree patches. Many, many patches have already
> gone up and been accepted, with more already submitted/under review
> with a final batch being prepared.

Indeed, so I've added "and Buster's kernel will support tons of new
AppArmor mediation types compared to Stretch". (The value Debian gets
out of the upstreaming of the Ubuntu delta is more features, not
reducing our delta: Stretch's kernel has no out-of-tree AppArmor patch.)
If I got your suggestion wrong, please let me know.

> I might also mention that while the major LSM stacking work has been
> slow, it has picked up recently and there is a lot of interest to
> have, say, AppArmor and SELinux stackable or AppArmor and SMACK
> stackable. We aren't there yet of course, but since you mentioned
> stacking, I thought I'd point this out.

Good idea, done (shamelessly stealing your wording, I'll credit all
reviewers and contributors to the text when I send it to
debian-devel@.)

> As someone who has dealt with a lot of AppArmor policy in Ubuntu, I
> can say that you are right on many counts: having it enabled by
> default will reveal issues sooner than later and people tend to not
> turn off AppArmor. The AppArmor project (and I'll speak for Ubuntu
> too) are very concerned about usability and not breaking people so you
> can be sure we'll continue to want to collaborate on policy […]

> Finally, I'll point out that for the Debian packages that carry
> AppArmor profiles, these are the profiles in use in Ubuntu and have
> been in use by millions of Ubuntu installs, so they are relatively
> proven in that regard (not claiming there won't be any bugs of
> course :).

All this counted a lot when I picked AppArmor years ago :)

Cheers,
--
intrigeri
