Christian Boltz: > your mail looks great, Thanks :)
> ... secret__ keys ... Right, fixed. >> A proposal >> ========== > ... >> Note that the best way to address them quickly enough is sometimes >> to simply disable the problematic AppArmor profile: it's cheap, >> doesn't require advanced AppArmor skills, and IMO a smaller >> AppArmor policy enabled by default is more useful than a broader >> but less robust one that only a couple thousand users benefit from. > I understand why you wrote this, but I'd still prefer to recommend > aa-complain + collecting logs here ;-) Yeah, I would love to, but deny rules are enforced even in "complain" mode. This behavior has already confused at least two Debian package maintainers and a few users that I know of personally, so I'd rather not recommend maintainers to ship profiles in a "almost disabled but not quite" state unless they really know what they're doing. Anyway, that's an implementation detail at this stage of the (Debian) discussion: "disable" in this context is not well defined; it can mean "disable" (as in aa-disable) or "complain" (as in aa-complain), depending on what we think is best :) > I apply the same strategy to openSUSE, so feel free to change this to > ... like Ubuntu _and openSUSE_, we're shipping ... Sure; done. > Enjoy DebCamp and DebConf, and good luck in getting AppArmor enabled by > default! Thanks! -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
