[apparmor] apparmor policy versioning

[John Johansen]

On 07/18/2013 01:02 PM, Jamie Strandboge wrote:
> On 07/17/2013 05:57 PM, John Johansen wrote:
>> On 07/11/2013 12:55 PM, Christian Boltz wrote:
>>>> v2 policies can stay
>>>> as v2 until we test them under v3 and then have them in both. I think
>>>> we need to do it this way since people might reboot into different
>>>> kernels and while policy should load and I don't think we guarantee
>>>> that v3 policy compiled with a v3 parser loaded into a v2 kernel will
>>>> work as expected (ie, just like v2 policy, v2 policy and a v2
>>>> kernel). As such, when both exist, use the one that is appropriate
>>>> for the kernel.
>>>
>>> Exactly this is the reason why I don't like to have a separate directory 
>>> with a duplicated set of the profiles. I have more than enough 
>>> experience with code duplication[2], and learned to avoid the "cp" 
>>> command at any price.
>>>
>> yes this can be a problem
>>
>>> With an additional copy of the profiles, we'll end up in a maintenance 
>>> hell - and users will kill us because they have to update two profiles 
>>> instead of one if they want to switch kernels.
>>>
>> we end up with maintenance hell either way, its just deciding between
>> which one is the 8th or 9th plane there of
>>
> It feels much cleaner and easier to manage with separate directories. I
> acknowledge there is a maintenance cost, but we have a review process that
> should keep us honest. I don't think the added cost of maintaining in two places
> is nearly as risky or burdensome as trying to get all the corner cases handled
> correctly.
> 
of course to play the devils advocate the problem with directories is we
don't just have 2, as we get new versions we have more and more directories