Hi, Chris Lamb: > So… in the spirit of taking (reversible!) risks, can you briefly outline > what's blocking us enabling this today? :)
Thanks for asking! I've scheduled time on October 23-27 to: 1. identify what still prevents us from starting the proposed experiment 2. fix all the problems identified in #1 3. document on the BTS what must be fixed between the time we start the experiment and the time we decide what to do for the Buster release After this we should be in a very good position to go ahead and press the big red button :) The feedback I've received off-list and on the BTS so far has been extremely encouraging: a few DDs enabled AppArmor on their systems, reported bugs that were promptly fixed, and some of them successfully fixed the bug themselves locally despite having no previous experience with AppArmor… which is exactly how it should be for the LSM enabled by default in Debian IMO. In at least one case we realized only after I had fixed the bug and submitted a fix upstream that their own, local workaround was identical to my own fix, which I find enlightening wrt. the AppArmor learning curve. Cheers, -- intrigeri