[apparmor] Ubuntu / Debian namespaces [Was: include IceWeasel in FireFox abstraction]

intrigeri intrigeri at debian.org
Wed Apr 25 20:38:24 UTC 2012


Jamie Strandboge wrote (25 Apr 2012 12:21:26 GMT) :
> So I guess I just wanted to bring up the point that Debian may want
> to consider their own namespace.

Thank you for raising this point.

It seems to me very little of abstractions/ubuntu-* is
Ubuntu-specific. Most of it could easily be shared with Debian.
Duplicating all the Ubuntu abstractions into abstractions/debian-*
would basically mean maintaining our own Debian fork of Ubuntu
abstractions; I assume everybody here agrees this is not desirable.

Assuming we want to somehow share these abstractions and the
maintenance thereof, the cheapest way may be to simply keep the
current ubuntu-* names, consider it as Debian's upstream, and merge
the tiny Debian-specific stuff into there as needed.


  * No changes for existing Ubuntu installs.

  * Given these abstractions are already shipped in the upstream
    AppArmor tarball, it only seems logical to me to consider it as
    upstream code I could use, redistribute and contribute to.


  * Slightly confusing file naming on Debian systems, but well,
    Ubuntu systems have had "Debian" written in many files for years,
    and it looks like everybody can live with it, so why not try the
    contrary? :)

  * This probably would change the way you have been working on the
    ubuntu-* abstractions, since being upstream for someone else
    implies some additional responsibilities and removes
    some flexibility.

If, at some later point, the Debian-specific bits start to be too
large, invasive or incompatible, I'm happy to consider moving these
into Debian-specific abstractions. Alternatively, we could move
ubuntu-* to debian-* and have every such file include a derivative-$1
file, where e.g. Ubuntu-specific bits would go, but well, this would
look totally backwards to me wrt. the reality of who is upstream and
who's not on this topic.

What do you think?

(Note that I intend to push into Debian AppArmor profiles taken from
Ubuntu real soon now, starting with usr.bin.evince that, to name one,
includes more than a dozen Ubuntu abstractions, and works
perfectly, as-is, on current Debian unstable.)

  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
