[apparmor] Sharing profiles maintenance once they're ready for production

intrigeri intrigeri at debian.org
Fri Jan 17 17:24:48 UTC 2014


As some of you know, I've been working on including more AppArmor
profiles into Debian.

Importing stuff is not that hard as a one-shot job, but I am concerned
about long-term maintenance, and am not convinced by the current
workflow and infrastructure we have to maintain profiles once they are
deemed ready for production and leave lp:apparmor-profiles.

http://wiki.apparmor.net/index.php/Profiles#Development reads:

  Once a distribution representative has decided that a profile is
  ready for production use, it will be added to the distribution's
  main packaging. The profile in the repository will then be replaced
  with a text file describing where the profile has been moved to, and
  the procedure to file bugs against it.

This seems to imply that once, say, the Totem profile is ready for
production, we won't have any cross-distribution place to share the
maintenance work and VCS history.

Practically speaking, in the current state of things, this means
I would have to create tools to track changes in the profiles shipped
in Ubuntu packages, that I've picked for the Debian
apparmor-profiles-extra packages; also, improvements Debian might want
to contribute will have to go through patches proposed against the
individual Ubuntu packages. All this is perfectly doable, but
I wouldn't say it encourages shared maintenance of profiles.

So, I have a few questions for more experienced people around there:

1. I've little experience maintaining profiles in a cross-distro way,
   but I suspect that tunables should be enough to cope with most
   distribution-specific deltas. What do you think?

2. Was this discussed previously? Was the idea of a cross-distro VCS
   repository for shared maintenance of profiles investigated yet?

  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc