Hi,

Seth Arnold:
> On Thu, Aug 10, 2017 at 05:50:41PM -0400, intrigeri wrote:
>> Context: this is about the apparmor-profiles package, that has no
>> reverse-dependency, so this whole thing is not such a big deal (users
>> [...]
>> 2. Install *all* the profiles shipped by this package to
>> /etc/apparmor.d/, set it in complain mode.
>>
>> (Once it's been clarified what this package is about, let's smooth
>> the "get started with contributing to these profiles" process.)

> The quality levels of the profiles in this package -- and their relevance
> to modern systems -- is probably too varied at this point to suggest
> turning them all on in any capacity by default.

OK. This plus the fact deny rules are (confusingly) enforced in complain mode, plus some more bug reports from somewhat confused users, convinced me that we should not ship all these profiles in /etc; and at the very least, not in Debian while we're still considering enabling AppArmor by default.

> If Someone were to go through them with an eye towards heavily
> pruning what should be pruned first, this might be
> a reasonable idea.

Someone != me.

> I think I'd rather they all be installed on the side though, and perhaps
> suggested by the tools, if they don't already.

Deal. I lack energy to handle the packaging side of moving files from /etc to /usr right now though (conffiles to non-conffiles, sounds scary), so in the meantime I took several steps to make the apparmor-profile package description more humble and to stop encouraging average users to install it at all: https://salsa.debian.org/apparmor-team/apparmor/merge_requests/1, merged, not uploaded yet. Same on https://wiki.debian.org/AppArmor/HowToUse, where I also added warnings about the deny rules vs. complain mode problem.

There's definitely more work to do on this bug but for now I'm happy enough with the resulting state of things, that should be vastly more sustainable than it used to be for me.

Cheers,
--
intrigeri