Hi,

Vincas Dargis:
> 2017.04.04 08:26, intrigeri wrote:
>> Thanks! But it ships disabled (or in complain mode) by default, right?

> Yes it's disabled, and it's from firefox package.

Thanks!

>> OK. So these improvements shall be upstreamed.

>>> Or "fixed" old "profiles/apparmor/profiles/extras/usr.lib.firefox.firefox",
>>> by sending patches upstream?
>>
>> Yes, please. And as written above, this doesn't prevent us from
>> shipping it to /etc/apparmor.d (disabled by default) if it's
>> good enough.

> OK but I am still a little puzzled. If Ubuntu Firefox team
> does not upstream their profile (because it's too Ubuntu-specific?), so it
> kinda maybe means we can't use it as "fix" for old
> "profiles/apparmor/profiles/extras/usr.lib.firefox.firefox" directly, right?

Right, that's why I wrote "So these improvements shall be upstreamed" :)

> So we just take some interesting parts (like Electrolysis a.k.a. e10s
> support?),
> ignore networking because Debian kernel does not have it, and... try to push
> that
> into AppArmor upstream?

IMO the parts that require third-party kernel patches shall be
upstreamed as well: the end goal would be that the resulting upstream
profile can be pulled as-is by as many distros as possible, including
those that apply these patches, i.e. Ubuntu and OpenSUSE.

Cheers,
--
intrigeri