[apparmor] apparmor policy versioning

Jamie Strandboge jamie at canonical.com
Fri Jul 19 02:05:31 UTC 2013


On 07/18/2013 07:24 PM, John Johansen wrote:
> On 07/18/2013 01:02 PM, Jamie Strandboge wrote:
>> On 07/17/2013 05:57 PM, John Johansen wrote:
>>> On 07/11/2013 12:55 PM, Christian Boltz wrote:
>>>>> v2 policies can stay
>>>>> as v2 until we test them under v3 and then have them in both. I think
>>>>> we need to do it this way since people might reboot into different
>>>>> kernels and while policy should load and I don't think we guarantee
>>>>> that v3 policy compiled with a v3 parser loaded into a v2 kernel will
>>>>> work as expected (i.e., just like v2 policy, v2 policy and a v2
>>>>> kernel). As such, when both exist, use the one that is appropriate
>>>>> for the kernel.
>>>>
>>>> Exactly this is the reason why I don't like to have a separate directory 
>>>> with a duplicated set of the profiles. I have more than enough 
>>>> experience with code duplication[2], and learned to avoid the "cp" 
>>>> command at any price.
>>>>
>>> yes this can be a problem
>>>
>>>> With an additional copy of the profiles, we'll end up in a maintenance 
>>>> hell - and users will kill us because they have to update two profiles 
>>>> instead of one if they want to switch kernels.
>>>>
>>> we end up with maintenance hell either way, it's just deciding between
>>> which one is the 8th or 9th plane thereof
>>>
>> It feels much cleaner and easier to manage with separate directories. I
>> acknowledge there is a maintenance cost, but we have a review process that
>> should keep us honest. I don't think the added cost of maintaining in two places
>> is nearly as risky or burdensome as trying to get all the corner cases handled
>> correctly.
>>
> of course to play the devil's advocate the problem with directories is we
> don't just have 2, as we get new versions we have more and more directories
> 
> 
Yes, but by the time we have v4 we'll obsolete v2 :)
</half-joking>

-- 
Jamie Strandboge                 http://www.ubuntu.com/
