[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Let's enable AppArmor by default (why not?)


Chris Lamb:
> So… in the spirit of taking (reversible!) risks, can you briefly outline
> what's blocking us enabling this today? :)

Thanks for asking!

I've scheduled time on October 23-27 to:

1. identify what still prevents us from starting the proposed

2. fix all the problems identified in #1

3. document on the BTS what must be fixed between the time we start
   the experiment and the time we decide what to do for the Buster

After this we should be in a very good position to go ahead and press
the big red button :)

The feedback I've received off-list and on the BTS so far has been
extremely encouraging: a few DDs enabled AppArmor on their systems,
reported bugs that were promptly fixed, and some of them successfully
fixed the bug themselves locally despite having no previous experience
with AppArmor… which is exactly how it should be for the LSM enabled
by default in Debian IMO. In at least one case we realized only after
I had fixed the bug and submitted a fix upstream that their own, local
workaround was identical to my own fix, which I find enlightening wrt.
the AppArmor learning curve.


Reply to: