On 08/19/2014 02:44 PM, Holger Levsen wrote:
> Hi,
>
> On Samstag, 16. August 2014, intrigeri wrote:
>> Seth Arnold wrote (15 Aug 2014 17:34:30 GMT) :
>>> This is fine by me.
>>
>> Cool. Here's a merge request:
>> https://code.launchpad.net/~intrigeri/apparmor-profiles/clarify-copyright-and-license/+merge/231072
>
> ping - could you please have a look and merge that trivial patch so that we
> can pursue with reuploading the package to Debian NEW? :)
>

What package is being uploaded? Is this a separate apparmor policy package from the apparmor source package itself? If so (and forgive me if I am misinterpreting-- I'd just like to make sure that this is discussed here), I think this may make collaboration between Debian and Ubuntu difficult.

Ubuntu has taken the position that system policy should in general be shipped in the packages that are being confined (the apparmor-profiles package from the apparmor source is an exception to this rule, but Ubuntu doesn't add any new policy to this package (unless we get it from upstream)).

I understand the desire to ship policy in a single unified package (we've discussed this quite a bit in Ubuntu) because it can make it somewhat easier for the policy team, but I think shipping policy in the affected packages is a good thing for several reasons:

* it keeps the Debian/Ubuntu developer and/or team engaged with the policy because they own it. With tools like dh_apparmor and new dh, it is trivial to add policy to affected packages. These developers typically know the package better than policy writers and are in a position to test the package with new upstream releases and update the policy accordingly
* Bugs go against the package that is affected. Not only is this natural, in practice, AppArmor is easy enough for regular people to use so the bugs are often either of high quality (ie, contain a patch or policy snippets to fix the bug) or are easy to understand for the developer to update the policy. We use the 'apparmor' tag in Ubuntu to make it easy for policy authors to find bugs related to apparmor policy. Debian could do something similar.
* It ensures there is no bottleneck for adding AppArmor to packages. Eg, a Debian developer need only update his/her own package rather than trying to maintain the policy in a package he/she does not own. It would be a shame if a developer interested in increasing the security of his/her package by adding AppArmor would give up because it is too difficult to maintain in a foreign package. Considering Debian's strong package ownership compared to Ubuntu, this is a real concern of mine.

In Ubuntu, the Ubuntu Security team generally writes the initial policy. We will fix policy bugs too and we are often consulted by the Ubuntu developer wishing to fix a policy to make sure that the fix is safe. This has worked well for many years and I encourage Debian to do the same. Perhaps have a policy team that creates/refines policy, sends debdiffs to add the policy, watches for bugs (eg, via the 'apparmor' tag) and generally be available to answer questions. I would encourage the policy team to review all apparmor policy prior to Debian release (this is not hard to do with codesearch and/or a little scripting). This is pretty much what the Ubuntu Security does for Ubuntu policy. I would be happy to join this policy team and I'm sure others from Ubuntu would be too.

Ubuntu has already pushed policy into Debian packages somewhat, but there is more to be done. Obviously, Debian and Ubuntu are going to have very similar if not identical policy (and where we differ, we can certainly merge the policy) so it would benefit both if we are aligned. If we can decide to use the same policy methodology, we can collaborate easily, share bugs, share fixes, share new policy, manage transitions, etc, but if we diverge on how we deliver policy, we will have a much harder time and I fear we won't have as much uptake as we could otherwise.

AppArmor in Debian has been gaining traction for some time, which is great! I know that AppArmor/Ubuntu developers will be meeting with some Debian developers at DebConf and I think now would be a great time to collaborate more fully.

Thanks!

--
Jamie Strandboge
http://www.ubuntu.com/
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
