[pkg-aa-profiles-team] Centralized or distributed policy [Was: License and copyright of ~apparmor-dev/apparmor-profiles?]
intrigeri
intrigeri at debian.org
Thu Aug 28 00:28:32 UTC 2014
Hi (again!),
Jamie Strandboge wrote (20 Aug 2014 21:43:59 GMT) :
> * When shipping in a package, ideally the package should support both complain
> and enforce mode for individual profiles so that installing it may enable
> enforcing policy (this isn't a collaboration concern, just a packaging one)
I'm not sure I understand what you mean here. Could you please point me
to an example of what you find to be the best practice in this area?
> * shipping all policy in one package means more is loaded and compiled than is
> strictly needed for the system
Sure. As long as we're only shipping a handful of profiles in that
policy package, this should not be a big deal, though.
> * a collaboration option is to ship profile in the package, but file bugs
> against the source packages that are being confined (ideally with debdiffs to
> make it easy for the Debian developer to take it ;). This is a bit of best of
> both worlds-- the policy can still be developed by the policy team, but we
> give the developer the option to take over
Yes, I think we should do that, even if my previous similar attempts
were not exactly successful. todo++, again :)
Cheers,
--
intrigeri