[apparmor] [pkg-aa-profiles-team] License and copyright of ~apparmor-dev/apparmor-profiles?

Jamie Strandboge jamie at canonical.com
Wed Aug 20 03:46:57 UTC 2014


On 08/19/2014 02:44 PM, Holger Levsen wrote:
> Hi,
> 
> On Saturday, 16 August 2014, intrigeri wrote:
>> Seth Arnold wrote (15 Aug 2014 17:34:30 GMT) :
>>> This is fine by me.
>>
>> Cool. Here's a merge request:
>> https://code.launchpad.net/~intrigeri/apparmor-profiles/clarify-copyright-and-license/+merge/231072
> 
> ping - could you please have a look and merge that trivial patch so that we 
> can pursue with reuploading the package to Debian NEW? :)
> 

What package is being uploaded? Is this a separate apparmor policy package from
the apparmor source package itself?

If so (and forgive me if I am misinterpreting-- I'd just like to make sure that
this is discussed here), I think this may make collaboration between Debian and
Ubuntu difficult. Ubuntu has taken the position that system policy should in
general be shipped in the packages that are being confined (the
apparmor-profiles package from the apparmor source is an exception to this rule,
but Ubuntu doesn't add any new policy to this package (unless we get it from
upstream)). I understand the desire to ship policy in a single unified package
(we've discussed this quite a bit in Ubuntu) because it can make it somewhat
easier for the policy team, but I think shipping policy in the affected packages
is a good thing for several reasons:

 * It keeps the Debian/Ubuntu developer and/or team engaged with the policy
   because they own it. With tools like dh_apparmor and new dh, it is trivial
   to add policy to affected packages. These developers typically know the
   package better than policy writers and are in a position to test the package
   with new upstream releases and update the policy accordingly.
 * Bugs go against the package that is affected. Not only is this natural, in
   practice, AppArmor is easy enough for regular people to use so the bugs are
   often either of high quality (ie, contain a patch or policy snippets to fix
   the bug) or are easy to understand for the developer to update the policy.
   We use the 'apparmor' tag in Ubuntu to make it easy for policy authors to
   find bugs related to apparmor policy. Debian could do something similar.
 * It ensures there is no bottleneck for adding AppArmor to packages. Eg, a
   Debian developer need only update his/her own package rather than trying to
   maintain the policy in a package he/she does not own. It would be a shame
   if a developer interested in increasing the security of his/her package by
   adding AppArmor would give up because it is too difficult to maintain in a
   foreign package. Considering Debian's strong package ownership compared to
   Ubuntu, this is a real concern of mine.

In Ubuntu, the Ubuntu Security team generally writes the initial policy. We will
fix policy bugs too and we are often consulted by the Ubuntu developer wishing
to fix a policy to make sure that the fix is safe. This has worked well for many
years and I encourage Debian to do the same. Perhaps have a policy team that
creates/refines policy, sends debdiffs to add the policy, watches for bugs (eg,
via the 'apparmor' tag) and generally be available to answer questions. I would
encourage the policy team to review all apparmor policy prior to Debian release
(this is not hard to do with codesearch and/or a little scripting). This is
pretty much what the Ubuntu Security team does for Ubuntu policy. I would be happy to
join this policy team and I'm sure others from Ubuntu would be too.

Ubuntu has already pushed policy into Debian packages somewhat, but there is
more to be done. Obviously, Debian and Ubuntu are going to have very similar if
not identical policy (and where we differ, we can certainly merge the policy) so
it would benefit both if we are aligned. If we can decide to use the same policy
methodology, we can collaborate easily, share bugs, share fixes, share new
policy, manage transitions, etc, but if we diverge on how we deliver policy, we
will have a much harder time and I fear we won't have as much uptake as we could
otherwise.

AppArmor in Debian has been gaining traction for some time, which is great! I
know that AppArmor/Ubuntu developers will be meeting with some Debian developers
at DebConf and I think now would be a great time to collaborate more fully.

Thanks!

-- 
Jamie Strandboge                 http://www.ubuntu.com/
