
Re: [RFC] Changing priority of selinux back to optional

On Tue, 5 Feb 2008 23:19:14 +0100, Frans Pop <elendil@planet.nl> said: 

> The priority of selinux packages was changed from optional to
> standard, fairly shortly before the release of Etch.

> I propose to revert that change before Lenny. The basic reason is that
> the selinux packages have basically been unmaintained since the
> release of Etch. Because of that current SeLinux just cannot be
> expected to work.

        While this is mostly true (I have been swamped in real life
 work), I do expect that to change this spring (indeed, most of the
 SELinux packages are now sitting in incoming -- happy happenstance)

> An additional reason is that the installation of selinux packages adds
> significantly to the size of the base system and accounts for a
> significant part of the time it takes to install the "standard" task,
> especially on slower architectures. This would be OK if there were
> real benefits in having SeLinux, but ATM that benefit is just not
> there.

        I am not sure I agree. SELinux is working for me in production
 on Lenny/Sid machines;

> Packages (both tools and policy packages) currently available in
> unstable and testing are seriously outdated when compared with their
> upstream versions. This also means that, with the soft freeze for
> Lenny starting fairly soon, that there is little time left to
> substantially improve the SeLinux support in Debian, which was one of
> the arguments for making it standard in the first place.

        Err, I think you are making far too much of the amount of effort
 required.  While we are a few minor versions behind, updating it was a
 day's effort -- apart from policy, which I'll get to tomorrow.

        So I am not sure we are in dire straits, but y'all will have to
 make that decision.

> Some facts.

> Package          etch             lenny/sid        upstream
> policycoreutils  1.32-3           2.0.16-1         2.0.42 (?)
> setools          2.4-3            2.4-3            3.3.2
> refpolicy        0.0.20070507-5   0.0.20070507-5   20071214
> libsepol         1.14-2           2.0.3-1          2.0.20 (?)
> libselinux       1.32-3           2.0.15-2         2.0.50 (?)

> None of the packages in Debian has been updated since June/July 2006.

        That is indeed true.  It is also no longer the case, but I
 can't excuse the fact that I have been very busy.

> There are also some longstanding bugs, including fairly simple
> packaging errors in Etch, none of which have been addressed. Examples:
> - #440474: chcat: syntax errors
> - #405975: semodule_deps and semodule have alignment issues
> - #427906: postinst: policy package name to deb name, lacks glob
>   support
> - #438604: selinux-basics: Invalid test for dynamic motd updating
> - #438706: selinux-doc: Error in doc-base definition
> - #438887: refpolicy: Spurious "+" causes warnings when building
>   modules

> None of these bugs has seen any reaction from the package maintainers.

        Mostly fixed.

Excess of grief for the deceased is madness; for it is an injury to the
living, and the dead know it not.  -- Xenophon
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C