[pkg-apparmor] Bug#830502: Bug#830502: apparmor-profiles: Reconsider what profiles are shipped in /etc/apparmor.d/ and in which mode

[Jamie Strandboge]

On Thu, 2017-08-10 at 17:50 -0400, intrigeri wrote:
> 
> And the long-term goal is that eventually, some of these shared
> profiles might become good enough to be shipped in the apparmor
> package and enforced by default (and others should simply dropped from
> Debian-based distros if nobody cares enough to make them work on
> Debian and maintain them proactively).

I agree with what Seth said, so I'll only respond on this point.

When the profiles are good enough to ship by default, Ubuntu historically has
preferred to ship profiles in the package that is under enforcement, since you
get the security policy by default (without having to opt-in to another package)
and because it allows the maintainer of the package to update the rules (ie, the
maintainer of cups need only worry about the cups package as opposed to cups and
apparmor).

This of course isn't without its problems, but wanted to clarify this point wrt
Ubuntu at least.

-- 
Jamie Strandboge             | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-apparmor-team/attachments/20170811/38adff43/attachment.sig>