
Re: Let's enable AppArmor by default (why not?)



On Fri, Oct 27, 2017 at 10:01:18AM +0200, Mathieu Parent wrote:

> Couldn't we:
> 
> 5. Make linux-image-$abi-$arch Depends on apparmor | selinux-basics |
> tomoyo-tools | linux-no-lsm
> 
> With linux-no-lsm being a new empty package, and all of apparmor,
> selinux-basics, tomoyo-tools enable the corresponding LSM.

I don't think there is a good way to guarantee which alternative
apt picks. It could pick to install linux-no-lsm for example (and who
knows, maybe due to fewer dependencies, or a conflict, or whatever, it
will). Even if it works today, that seems fragile...

Also, a Depends: with one of the alternatives being "don't install
anything" strikes me as a hack to work around not having Recommends or
Suggests — but we do have those, so I'm not sure why we wouldn't use
them instead.

