Bug#981442: apparmor: Please do not install by default or depend on python3
intrigeri, le ven. 05 févr. 2021 12:25:58 +0100, a ecrit: > Samuel Thibault (2021-02-05): > > I'll keep the VMs around, for any further test you'd want? > > No, that's good enough for me. I'll upload ASAP. Thanks! Samuel
Bug#981442: apparmor: Please do not install by default or depend on python3
Control: tag -1 + pending Hi, Samuel Thibault (2021-02-05): > I tried a bit with the base system, got […] Thanks a lot! > I'll keep the VMs around, for any further test you'd want? No, that's good enough for me. I'll upload ASAP. Cheers!
Bug#981442: apparmor: Please do not install by default or depend on python3
Hello, intrigeri, le ven. 05 févr. 2021 09:06:54 +0100, a ecrit: > I did the backporting work in a topic branch: > https://salsa.debian.org/apparmor-team/apparmor/-/tree/debian-bug-981442 Thanks! > 4. ensure aa-status works (compare with how it works in a regular > testing/sid system) I tried a bit with the base system, got apparmor module is loaded. 3 profiles are loaded. 3 profiles are in enforce mode. lsb_release nvidia_modprobe nvidia_modprobe//kmod 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode. 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. just like with the python version. I tried to install tcpdump and ntp, then got apparmor module is loaded. 5 profiles are loaded. 5 profiles are in enforce mode. /usr/sbin/ntpd lsb_release nvidia_modprobe nvidia_modprobe//kmod tcpdump 0 profiles are in complain mode. 1 processes have profiles defined. 1 processes are in enforce mode. /usr/sbin/ntpd (792) 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. I'm not sure how I can easily check for the complain case. (AIUI they'd be supposed to be bugs :) ) I'll keep the VMs around, for any further test you'd want? Samuel
Bug#981442: apparmor: Please do not install by default or depend on python3
Hi Samuel, tl;dR: Help! I have a tentative fix ready, but in order to see this fixed in Bullseye, someone else has to test the tentative fix by Saturday, 17:00 UTC. Samuel Thibault (2021-02-01): > intrigeri, le lun. 01 févr. 2021 09:16:23 +0100, a ecrit: >> > or avoid making it hardly depend on python3? >> >> The only reason why apparmor "Depends: python3" in current testing/sid >> is that /usr/sbin/aa-status is written in Python. >> >> Upstream commit 8f9046b1b179190d0003ae1beacf460ee93c5090, included in >> upstream 3.0.0 release, and thus in Debian experimental already, >> ported that program to C, which should allow dropping the dependency >> on python3. I did not check how hard it would be to backport >> this commit. > > That would be great to backport! I did the backporting work in a topic branch: https://salsa.debian.org/apparmor-team/apparmor/-/tree/debian-bug-981442 The resulting apparmor binary package has no dependency on python3. Salsa CI will tell us about obvious breakage in other areas, but AFAICT it does not exercise aa-status, so that's not sufficient to make me comfortable uploading this significant dependency change, so close to the freeze, in a package we install by default on any system that has a Linux kernel. I would like this to be tested: 1. build packages from the debian-bug-981442 branch 2. install the resulting apparmor binary package into a testing/sid VM (I don't think a chroot will do) that has no python3 installed 3. ensure step 2 did not install python3 4. ensure aa-status works (compare with how it works in a regular testing/sid system) If you, or someone else, has time to go through this test procedure by Saturday 17:00 UTC, and if the test result is successful, then I'll try hard to upload on Saturday night (UTC), which should hopefully allow this improvement to migrate to testing in time for the freeze :) Thanks for caring about the size of minimal systems installed by d-i! Cheers!
Bug#981442: apparmor: Please do not install by default or depend on python3
intrigeri, le lun. 01 févr. 2021 09:16:23 +0100, a ecrit: > I'm asking because AFAICT, the chain of dependencies has not changed > between Buster and Bullseye: > > - the Linux kernel images Recommends: apparmor > - apparmor depends python3:any One thing that changed is that mime-support (which python3.9 depends on) now depends on mailcap, which pulls in perl. That is getting fixed through #981016, but still better avoid installing the python stack only for aa-status :) Samuel
Bug#981442: apparmor: Please do not install by default or depend on python3
Hello, intrigeri, le lun. 01 févr. 2021 09:16:23 +0100, a ecrit: > Samuel Thibault (2021-01-31): > > As of Debian bullseye alpha3, apparmor is getting installed by default > > even in the base system, > > To be clear, in this context "base system" is d-i terminology, right? Yes. That's when one selects no task, so the absolute minimum that gets installed. > > bringing with it python3 and thus 30MB of > > various stuff that didn't used to get installed in the past, which I do > > not think we want. > > Could you please confirm whether "in the past" means "in Stretch and > older" here, or something else? I'm surprised here. It does seem that Stretch, even as 10.0, does install apparmor and thus python, indeed. But I check for the install size before each Debian release, and did not notice that. Perhaps the apparmor recommendation appeared late in the Stretch process. I'm not sure whether debian-boot was aware that python ended up getting installed. > > or avoid making it hardly depend on python3? > > The only reason why apparmor "Depends: python3" in current testing/sid > is that /usr/sbin/aa-status is written in Python. > > Upstream commit 8f9046b1b179190d0003ae1beacf460ee93c5090, included in > upstream 3.0.0 release, and thus in Debian experimental already, > ported that program to C, which should allow dropping the dependency > on python3. I did not check how hard it would be to backport > this commit. That would be great to backport! Samuel
Bug#981442: [pkg-apparmor] Bug#981442: apparmor: Please do not install by default or depend on python3
intrigeri (2021-02-01): >> or avoid making it hardly depend on python3? > > I did not check how hard that would be yet. If this is a post-Buster > regression, I'll do my best to look into it shortly! The only reason why apparmor "Depends: python3" in current testing/sid is that /usr/sbin/aa-status is written in Python. Upstream commit 8f9046b1b179190d0003ae1beacf460ee93c5090, included in upstream 3.0.0 release, and thus in Debian experimental already, ported that program to C, which should allow dropping the dependency on python3. I did not check how hard it would be to backport this commit. There's some more context in https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1865519
Bug#981442: apparmor: Please do not install by default or depend on python3
Hi Samuel,
Thanks for bringing this to our attention. For now I'll focus on
trying to understand the scope and severity of this problem.
Samuel Thibault (2021-01-31):
> As of Debian bullseye alpha3, apparmor is getting installed by default
> even in the base system,
To be clear, in this context "base system" is d-i terminology, right?
> bringing with it python3 and thus 30MB of
> various stuff that didn't used to get installed in the past, which I do
> not think we want.
Could you please confirm whether "in the past" means "in Stretch and
older" here, or something else?
I'm asking because AFAICT, the chain of dependencies has not changed
between Buster and Bullseye:
- the Linux kernel images Recommends: apparmor
- apparmor depends python3:any
> Could you have a look at not installing apparmor by default,
For context, the current (Buster, Bullseye) status of enabling
AppArmor by default is the outcome of years of work and of a long
discussion on -devel@ ("Let's enable AppArmor by default (why not?)"
starts at 857eyij4fb@boum.org, August 2017). This of course does
not imply it's set in stone nor that we can't improve things :)
> or avoid making it hardly depend on python3?
I did not check how hard that would be yet. If this is a post-Buster
regression, I'll do my best to look into it shortly!
Cheers!
Bug#981442: apparmor: Please do not install by default or depend on python3
Samuel Thibault, le dim. 31 janv. 2021 13:19:28 +0100, a ecrit: > Cc-ing the linux package maintainers since that's what recommends > apparmor, thus pulling the 30MB. Actually, that not only pulls python3 but also perl, libicu, and in the end with dependencies, that amounts to 114MB. Samuel > Samuel Thibault, le dim. 31 janv. 2021 12:10:43 +0100, a ecrit: > > Package: apparmor > > Version: 2.13.6-7 > > Severity: important > > > > Hello, > > > > As of Debian bullseye alpha3, apparmor is getting installed by default > > even in the base system, bringing with it python3 and thus 30MB of > > various stuff that didn't used to get installed in the past, which I do > > not think we want. Could you have a look at not installing apparmor by > > default, or avoid making it hardly depend on python3? > > > > Samuel > > > > -- System Information: > > Debian Release: bullseye/sid > > APT prefers testing > > APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, > > 'testing-debug'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), > > (500, 'proposed-updates'), (500, 'oldoldstable'), (500, 'buildd-unstable'), > > (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, > > 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental') > > Architecture: amd64 (x86_64) > > Foreign Architectures: i386 > > > > Kernel: Linux 5.10.0-1-amd64 (SMP w/8 CPU threads) > > Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE > > Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE > > not set > > Shell: /bin/sh linked to /usr/bin/dash > > Init: systemd (via /run/systemd/system) > > LSM: AppArmor: enabled > > > > Versions of packages apparmor depends on: > > ii cdebconf [debconf-2.0] 0.256 > > ii debconf [debconf-2.0] 1.5.74 > > ii libc6 2.31-9 > > ii lsb-base11.1.0 > > ii python3 3.9.1-1 > > > > apparmor recommends no packages. > > > > Versions of packages apparmor suggests: > > pn apparmor-profiles-extra > > pn apparmor-utils > > > > -- debconf information excluded
Bug#981442: apparmor: Please do not install by default or depend on python3
Hello, Cc-ing the linux package maintainers since that's what recommends apparmor, thus pulling the 30MB. Also Cc-ing d-b for information. Samuel Samuel Thibault, le dim. 31 janv. 2021 12:10:43 +0100, a ecrit: > Package: apparmor > Version: 2.13.6-7 > Severity: important > > Hello, > > As of Debian bullseye alpha3, apparmor is getting installed by default > even in the base system, bringing with it python3 and thus 30MB of > various stuff that didn't used to get installed in the past, which I do > not think we want. Could you have a look at not installing apparmor by > default, or avoid making it hardly depend on python3? > > Samuel > > -- System Information: > Debian Release: bullseye/sid > APT prefers testing > APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, > 'testing-debug'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), > (500, 'proposed-updates'), (500, 'oldoldstable'), (500, 'buildd-unstable'), > (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, > 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental') > Architecture: amd64 (x86_64) > Foreign Architectures: i386 > > Kernel: Linux 5.10.0-1-amd64 (SMP w/8 CPU threads) > Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE > Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not > set > Shell: /bin/sh linked to /usr/bin/dash > Init: systemd (via /run/systemd/system) > LSM: AppArmor: enabled > > Versions of packages apparmor depends on: > ii cdebconf [debconf-2.0] 0.256 > ii debconf [debconf-2.0] 1.5.74 > ii libc6 2.31-9 > ii lsb-base11.1.0 > ii python3 3.9.1-1 > > apparmor recommends no packages. > > Versions of packages apparmor suggests: > pn apparmor-profiles-extra > pn apparmor-utils > > -- debconf information excluded
Bug#981442: apparmor: Please do not install by default or depend on python3
Package: apparmor Version: 2.13.6-7 Severity: important Hello, As of Debian bullseye alpha3, apparmor is getting installed by default even in the base system, bringing with it python3 and thus 30MB of various stuff that didn't used to get installed in the past, which I do not think we want. Could you have a look at not installing apparmor by default, or avoid making it hardly depend on python3? Samuel -- System Information: Debian Release: bullseye/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'proposed-updates'), (500, 'oldoldstable'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-1-amd64 (SMP w/8 CPU threads) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages apparmor depends on: ii cdebconf [debconf-2.0] 0.256 ii debconf [debconf-2.0] 1.5.74 ii libc6 2.31-9 ii lsb-base11.1.0 ii python3 3.9.1-1 apparmor recommends no packages. Versions of packages apparmor suggests: pn apparmor-profiles-extra pn apparmor-utils -- debconf information excluded -- Samuel ***e trouve un .xls ***e passe un moment à se demander quelle version de xml c'est ça, le .xls e: donc j'ai fait un file -+- #sos - on n'a pas forcément les mêmes références que tout le monde -+-
