Source: apparmor
Severity: normal

[I'll piggy-back on the BTS and pretend it's an appropriate TODO list management system.]

In order to build a case for enabling AppArmor by default in Buster, we need to gather some data:

 * usage:
    - in Debian: popcon
    - elsewhere: Tails, Ubuntu and others
 * usability cost: how often did AppArmor break stuff in sid? in testing? in stable? how fast were such issues fixed?
 * maintenance cost: how much work did we (and other maintainers affected by AppArmor) have to do to keep the policy up-to-date, since we started this effort? Let's focus on policy, and ignore the userspace tools packaging — that's a given.
 * security benefits: find CVEs / DSAs that were mitigated by the AppArmor policy we ship (not only is it useful for _us_ to check if our work had a measurable impact, but it also helps build the case in favor of enabling AppArmor by default, for example if having it would allow the security team to flag some issues no-dsa and focus on other matters)

I'll try to work on that shortly after the Stretch release at the latest, so that we can raise this topic in the broader Debian community as early as possible in the Buster development cycle.

Help is welcome!

Cheers,
--
intrigeri