Bug#879590: Making apparmor "Priority: standard"? [Was: Bug#879590: apparmor: Decide how we enable AppArmor by default]

2017-11-05 Thread intrigeri
Hi,

intrigeri:
> Cyril Brulebois:
>> intrigeri (2017-10-25):
>>> I'm working on the last blockers towards starting the experiment I've
>>> proposed on debian-devel@ 2.5 months ago, i.e. enabling AppArmor by
>>> default for a while in testing/sid.

>> Does it make sense to have it installed everywhere, including in
>> chroots, containers, etc., or should it be mainly installed in d-i
>> installed systems?

> It makes sense in any kind of system that runs its own Linux kernel:

Update: the next upload of the linux-image packages will "Recommends:
apparmor"
(https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=sid=bd1e10f8bd85adf182f122417a843bf6ffbac80c)

… so it might be that we don't need "Priority: standard" in the end.

Cheers,
-- 
intrigeri



Bug#879590: Making apparmor "Priority: standard"? [Was: Bug#879590: apparmor: Decide how we enable AppArmor by default]

2017-10-26 Thread intrigeri
Hi KiBi!

Cyril Brulebois:
> intrigeri (2017-10-25):
>> I'm working on the last blockers towards starting the experiment I've
>> proposed on debian-devel@ 2.5 months ago, i.e. enabling AppArmor by
>> default for a while in testing/sid.

> Does it make sense to have it installed everywhere, including in
> chroots, containers, etc., or should it be mainly installed in d-i
> installed systems?

It makes sense in any kind of system that runs its own Linux kernel:
not in chroots & containers (there's WIP upstream for allowing
containers to stack their own AppArmor policy on top of the host's one
but we're not there yet), but definitely in systems installed by d-i
(be it during initial installation or dist-upgrades, see the email
I've just sent to -devel@ about the latter).

>> Enabling AppArmor by default on new installations requires two
>> changes:
>> 
>> 1. enable the LSM in Linux: problem solved, Ben Hutchings is fine with
>>    doing this in src:linux
>> 2. install the apparmor package by default.

> It seems it's built on non-Linux ports as well, does it make sense to
> have it installed there? Please poke debian-bsd@ and debian-hurd@ if in
> doubt.

No, it doesn't make sense to install it there; it shouldn't harm
either. So far I've kept src:apparmor building on non-Linux ports in
the hope some portability issues turn out to be real bugs that affect
Linux too, but this never happened. So if it simplifies the problem
let's build the package only on Linux ports.

>> My understanding is that making the apparmor package "Priority:
>> standard" is the way to go. Correct?

> Depends on the first question above.

Replied. Anything else you need from me to answer this question?

> Thanks for checking with us in any case. :)

No problem, I don't want to cause issues that could easily be
prevented :)

Cheers,
-- 
intrigeri



Bug#879590: Making apparmor "Priority: standard"? [Was: Bug#879590: apparmor: Decide how we enable AppArmor by default]

2017-10-26 Thread Cyril Brulebois
Hi'ntrigeri,

intrigeri (2017-10-25):
> I'm working on the last blockers towards starting the experiment I've
> proposed on debian-devel@ 2.5 months ago, i.e. enabling AppArmor by
> default for a while in testing/sid.

Does it make sense to have it installed everywhere, including in
chroots, containers, etc., or should it be mainly installed in d-i
installed systems?

> Enabling AppArmor by default on new installations requires two
> changes:
> 
> 1. enable the LSM in Linux: problem solved, Ben Hutchings is fine with
>    doing this in src:linux
> 2. install the apparmor package by default.

It seems it's built on non-Linux ports as well, does it make sense to
have it installed there? Please poke debian-bsd@ and debian-hurd@ if in
doubt.

> This email is about (2).
> 
> Priority: standard?
> ===
> 
> My understanding is that making the apparmor package "Priority:
> standard" is the way to go. Correct?

Depends on the first question above.

> The package itself has "Installed-Size: 1803 kB".
> 
> I've trimmed the dependencies of this package a bit (just uploaded
> 2.11.1-2 as a result) so it seems to be an OK thing to do to me.
> The dependencies are now:
> 
>   libc6 (>= 2.17),
>   debconf (>= 0.5) | debconf-2.0,
>   python3:any,
>   lsb-base (>= 3.0-6),
>   debconf
> 
> … i.e. only stuff that's installed by default already anyway.
> 
> Would you folks have any problem with this change?
> 
> Once this is done I'll coordinate with Ben wrt. pushing the other big
> red button i.e. (1) once the other blockers have been resolved.

Thanks for checking with us in any case. :)


KiBi.




Bug#879590: Making apparmor "Priority: standard"? [Was: Bug#879590: apparmor: Decide how we enable AppArmor by default]

2017-10-25 Thread intrigeri
Hi debian-boot@!

tl;dr: can I make the apparmor package Priority: standard?

Context
===

I'm working on the last blockers towards starting the experiment I've
proposed on debian-devel@ 2.5 months ago, i.e. enabling AppArmor by
default for a while in testing/sid.

Enabling AppArmor by default on new installations requires two
changes:

1. enable the LSM in Linux: problem solved, Ben Hutchings is fine with
   doing this in src:linux
2. install the apparmor package by default.

This email is about (2).

Priority: standard?
===

My understanding is that making the apparmor package "Priority:
standard" is the way to go. Correct?

The package itself has "Installed-Size: 1803 kB".

I've trimmed the dependencies of this package a bit (just uploaded
2.11.1-2 as a result) so it seems to be an OK thing to do to me.
The dependencies are now:

  libc6 (>= 2.17),
  debconf (>= 0.5) | debconf-2.0,
  python3:any,
  lsb-base (>= 3.0-6),
  debconf

… i.e. only stuff that's installed by default already anyway.

Would you folks have any problem with this change?

Once this is done I'll coordinate with Ben wrt. pushing the other big
red button i.e. (1) once the other blockers have been resolved.

Cheers,
-- 
intrigeri
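
The two changes listed in the message above, checked on a running system; this is an added example, not part of the original thread or of Debian's packaging. The function names and state labels are made up for illustration, and the sysfs and dpkg paths are the usual defaults, overridable so the checks can run against constructed fixtures.

```shell
#!/bin/sh
# Added example: report which of the two prerequisites from the thread hold.

# (1) Is the AppArmor LSM enabled in the running kernel?
# The module parameter file reads "Y" when the LSM is active.
lsm_enabled() {
    param_file=${1:-/sys/module/apparmor/parameters/enabled}
    [ -r "$param_file" ] && [ "$(cat "$param_file")" = "Y" ]
}

# (2) Is the apparmor package fully installed according to the dpkg database?
# Removed-but-not-purged packages ("deinstall ok config-files") do not count.
pkg_installed() {
    status_file=${1:-/var/lib/dpkg/status}
    [ -r "$status_file" ] || return 1
    awk -v pkg=apparmor '
        $1 == "Package:" { cur = $2 }
        $1 == "Status:" && cur == pkg && $0 == "Status: install ok installed" { found = 1 }
        END { exit !found }
    ' "$status_file"
}

# Combine both checks into one label (labels are hypothetical).
apparmor_state() {
    if lsm_enabled "$1"; then k=yes; else k=no; fi
    if pkg_installed "$2"; then p=yes; else p=no; fi
    case "$k/$p" in
        yes/yes) echo "enabled" ;;
        yes/no)  echo "kernel-only" ;;   # LSM active, but no package to load profiles
        no/yes)  echo "package-only" ;;  # userspace present, LSM not enabled
        *)       echo "disabled" ;;
    esac
}

# Report the state of the current system using the default paths.
apparmor_state
```

The "kernel-only" and "package-only" results correspond to a system where only one of the two changes has landed.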