[apparmor] cross-distribution profile repo

Christian Boltz apparmor at cboltz.de
Mon Jul 28 20:14:04 UTC 2014


Hello,

On Monday, 28 July 2014, Jamie Strandboge wrote:
> I think you misunderstood my email. I was not advocating the status
> quo, I was merely stating what it is and what Ubuntu is currently
> doing. 

Indeed. Thanks for the clarification!

> I am all for getting more people profiling and making the repo
> more usable for people and welcome the discussion.
> 
> As for what Ubuntu is currently doing with apparmor-profiles, we
> actively took the decision to have placeholders if we ship them in
> our distro since we don't want to have to maintain them in two
> places. I think what you are suggesting would suffer from the same
> issue, unless I am missing something? How do people see avoiding this
> with the new way?

I know the placeholders make sense for Ubuntu (to avoid duplication), 
but they make it hard for other distributions to pick up the profiles.

I'd propose to automatically "collect" the profiles from all packages 
and store them in a subdirectory of apparmor-profiles/$distro/$release. 
Something like "maintained-in-package/" (or
"maintained-in-package/$package/").

Collecting the profiles should be fully automated, so that we just need 
a cronjob that pulls all packages containing profiles regularly, 
extracts the profiles and pushes them to the apparmor-profiles repo. [1]


OK, next step.

We collected all profiles from various distributions and merged them.
(Yes, I'm dreaming a bit.)

Now package maintainers should check what is in the apparmor-profiles 
repo to get the latest (merged) profile for their package. They can 
probably automate that, but they at least need to know about the 
apparmor-profiles repo.

In other words: the apparmor-profiles repo will be a central place that 
package maintainers should know.

Whether we pull the profile from the packages or the packager pulls the 
profile from the apparmor-profiles repo (or even both) is just a 
technical detail (and a nice chicken-egg problem ;-)


Regards,

Christian Boltz

[1] For openSUSE, I could imagine having a meta package that 
    BuildRequires all packages containing profiles. This package could 
    then collect all the profiles so that we have to pull only one 
    package. An additional advantage would be that OBS automatically 
    rebuilds it when one of the packages in BuildRequires was changed.

-- 
ACK. For a while I used the mail address 'invalid@' in a newsgroup.
And I get spam that addresses me as "Invalid"...
[David Haller in suse-linux]



