Hi,

Gabriel Filion:
> intrigeri:
> thanks for the super clear explanation for changing the status :)

:)

>> If you came across instructions that told you to enforce such profiles
>> and that did not point you to the aforementioned warning, then I'm
>> very sorry! I'll treat this as a RC bug. Please point me to that doc
>> and I'll fix it ASAP. Thanks in advance!

> fwiw I was following mainly the debian wiki pages about apparmor. I
> remember reading the advisory, but for some reason I didn't keep the
> information that "the profiles might not work with default
> configurations" when reading. probably some level of confusion on my part.

I see, I guess this is:
https://wiki.debian.org/AppArmor/HowToUse#Enable_.2F_install_more_profiles

IIRC I recently updated it to make the warning more visible and clearer. It might be that it used to be much less scary when you read it initially.

>> The good news is that there is a dhclient profile available elsewhere,
>> that works way better on Debian: see #795467.

> ok I can see that it looks like the proposed profile for isc-dhcp-client
> is the one from ubuntu. still no reply from debian packagers about this
> though, two years later.

> what approach should we take here in order to get things going? do you
> think that having more feedback from ppl who use the profile
> successfully would help to get that merged in, or do you suspect it
> might just be lack of available time or interest from package maintainers?

I think the added value of shipping AppArmor profiles was pretty low 2 years ago, as AppArmor was not enabled by default. So I totally understand maintainers treating it as very low priority.

This is being changed in testing/sid though. So I would go back to the maintainers a couple months after AppArmor is enabled by default, and our case will be much stronger then.

But really, right now I'm not into adding new profiles: I'd rather polish the existing ones and handle bug reports about them, to make the "enabling AppArmor by default" experience as smooth as possible.

> also, maybe if we can get more ppl to test ubuntu's profile in debian,
> then they'd be willing to upstream it in apparmor?

That's a possibility. Or, we upstream it ourselves.

Cheers,
--
intrigeri

