[apparmor] apparmor policy versioning
John Johansen
john.johansen at canonical.com
Fri Jul 19 06:56:48 UTC 2013
On 07/18/2013 07:05 PM, Jamie Strandboge wrote:
> On 07/18/2013 07:24 PM, John Johansen wrote:
>> On 07/18/2013 01:02 PM, Jamie Strandboge wrote:
>>> On 07/17/2013 05:57 PM, John Johansen wrote:
>>>> On 07/11/2013 12:55 PM, Christian Boltz wrote:
>>>>>> v2 policies can stay
>>>>>> as v2 until we test them under v3 and then have them in both. I think
>>>>>> we need to do it this way since people might reboot into different
>>>>>> kernels and while policy should load and I don't think we guarantee
>>>>>> that v3 policy compiled with a v3 parser loaded into a v2 kernel will
>>>>>> work as expected (i.e., just like v2 policy, v2 policy and a v2
>>>>>> kernel). As such, when both exist, use the one that is appropriate
>>>>>> for the kernel.
>>>>>
>>>>> Exactly this is the reason why I don't like to have a separate directory
>>>>> with a duplicated set of the profiles. I have more than enough
>>>>> experience with code duplication[2], and learned to avoid the "cp"
>>>>> command at any price.
>>>>>
>>>> yes this can be a problem
>>>>
>>>>> With an additional copy of the profiles, we'll end up in a maintenance
>>>>> hell - and users will kill us because they have to update two profiles
>>>>> instead of one if they want to switch kernels.
>>>>>
>>>> we end up with maintenance hell either way, it's just deciding between
>>>> which one is the 8th or 9th plane thereof
>>>>
>>> It feels much cleaner and easier to manage with separate directories. I
>>> acknowledge there is a maintenance cost, but we have a review process that
>>> should keep us honest. I don't think the added cost of maintaining in two places
>>> is nearly as risky or burdensome as trying to get all the corner cases handled
>>> correctly.
>>>
>> of course to play the devil's advocate the problem with directories is we
>> don't just have 2, as we get new versions we have more and more directories
>>
>>
> Yes, but by the time we have v4 we'll obsolete v2 :)
> </half-joking>
>
heh well I think/worry it will be more like v4 deprecating v2 and then
obsoleting/removing (over Christian's objections ;)) v2 at about v6.