Hi, intrigeri: > Chris Lamb: >> So… in the spirit of taking (reversible!) risks, can you briefly outline >> what's blocking us enabling this today? :)
> Thanks for asking! > I've scheduled time on October 23-27 to: We made good progress. Thanks a lot to Vincas Dargis and the Ubuntu and openSUSE folks who helped quite a bit :) > 1. identify what still prevents us from starting the proposed > experiment Done, see below for the remaining ones. > 2. fix all the problems identified in #1 We're almost there! Remaining blockers: - deal with Linux 4.14 bringing in new mediation features and having a bug (until -rc6 at least) precisely in the way it handles the obvious mitigation I've applied (feature set pinning): tracked by #877581, likely 4.14-rc7 will fix it; worst case, if Linux 4.14 reaches sid with this bug not fixed yet, I'll revert the feature set pinning and we'll deal with whatever bits of policy need updates (the most important ones all have patches submitted upstream + to the BTS already so I'm confident) - enable AppArmor by default in our Linux kernel: I'll file a bug about it once the above issue is resolved - decide how to pull the AppArmor policy + userspace: tracked by #879590, started discussion on this list and with debian-boot@ - anything else? > 3. document on the BTS what must be fixed between the time we start > the experiment and the time we decide what to do for the Buster > release I'll come back to this later. Not a blocker to start the experiment IMO. Cheers, -- intrigeri