[pkg-apparmor] Review of AppArmor/PackageMaintainers

intrigeri intrigeri at debian.org
Fri Dec 26 08:52:10 UTC 2014


Hi,

here's a review of https://wiki.debian.org/AppArmor/PackageMaintainers.

> Ubuntu and !openSUSE

What's this "!" ?

> most of Debian's AppArmor profiles are imported directly from the
> Ubuntu's repositories. On Ubuntu's side, development of profiles
> takes place over Bazaar at Launchpad:
> https://launchpad.net/apparmor-profiles
> https://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files

This is not correct: these repos are the upstream ones, and
upstream != Ubuntu.

Also, these two links should be formatted as a list.

> eg. The AppArmor profile

s/eg/e.g/

s/The/the/

> profiles should also be delivered within their package

Nitpicking: "their package" is unclear, since we're anyway shipping
them in a package, that currently is then "their" package. I suggest
"in the package that ships the software they are confining" instead.

> which provides the profiles via the apparmor-profiles-extra

Missing word — "package" — at the end of the sentence.

"the" is a bit strong, since we're also shipping profiles in two other
packages we maintain (apparmor has a lot of abstractions, and
apparmor-profiles has the upstream profiles), and quite a few other
Debian packages also ship profiles.

I suggest "which provides additional profiles via the
apparmor-profiles-extra package".

Then in the "Debian source package" column, the link to the apparmor
source package is broken.

In the "Debian binary package" column, on the line corresponding to
the apparmor source package, the apparmor package should also be
listed (abstractions). Sorry I missed that one last time we
discussed this.

The "Ubuntu source package" and "Ubuntu binary package" should be
filled with the correct data on the first line.

"ubuntu-evince" doesn't mean much. Instead point to Ubuntu's bzr
packaging repo for Evince?

The links to apparmor-profiles-extra in the binary package column
should all point to the binary package page.

The link to Ubuntu's Evince binary package should point to the package
page, not to https://launchpad.net/evince.

> If you, as a package maintainer, want to provide a profile with your
> package, you should first check if 

I think one additional bullet point is needed, i.e. "that profile is
shipped in Ubuntu".

> In debian/rules you will need copy the AppArmor profiles to
> /etc/apparmor.d/

s/copy/install/

One missing bit in this documentation is how to migrate a profile from
e.g. apparmor-profiles-extra to the package that ships the
confined application. There's a pretty good doc about a similar
operation on the Ubuntu wiki, IIRC (versioned breaks+replaces, plus
the appropriate dh maintainer script helper to handle conffiles
migrating from one package to the other). This is not a blocker, but
at least it should be made clear that it is possible, desirable, that
it requires some coordination, and that some more detailed doc should
be written.

Ideally, we would write this piece of doc while doing it for real,
e.g. IIRC the irssi maintainers are happy to include the confinement
profile we currently ship in aa-p-extra into their package. I think
it's also not worth going through this until we are ready to monitor
and provide help for profiles shipped in packages we don't maintain
(usertags etc.).

> sudo tail -f /var/log/syslog | grep 'DENIED'

This only works if auditd isn't installed, right?

> sudo aa-disable /etc/apparmor.d/profile*

This "profile*" isn't very clear. I suggest adding an actual example.

Great job, again!

Cheers,
-- 
intrigeri
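The review above points out that `tail -f /var/log/syslog | grep DENIED` only catches AppArmor denials when auditd is not installed; once auditd is running, the same records land in /var/log/audit/audit.log in the auditd `type=AVC msg=audit(...)` format instead. The script below is an added example (not part of the review, nor of the Debian wiki page it discusses) that parses both formats, keeps only the DENIED records, and summarizes them per profile, operation and path, which is the information a maintainer needs when deciding whether a denial is a profile bug. Every sample line, hostname, path, PID and timestamp in it is constructed for illustration.

```python
"""Extract AppArmor DENIED events from either syslog or audit.log lines.

Added example; the log lines below are constructed, not captured from a
real system. Both log sources carry the same key=value payload after the
audit(...) timestamp, so one parser serves both.
"""
import re
from collections import Counter

# Constructed sample input: a kernel audit line as relayed to syslog (no
# auditd), two auditd-format lines (one DENIED, one ALLOWED), and an
# unrelated sshd line that must be ignored.
SAMPLE_LINES = [
    'Dec 26 08:52:10 host kernel: [ 1234.567890] audit: type=1400 '
    'audit(1419583930.123:456): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/evince" name="/etc/shadow" pid=1234 comm="evince" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1419583931.456:457): apparmor="DENIED" '
    'operation="exec" profile="/usr/bin/evince" name="/bin/sh" pid=1235 '
    'comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1419583932.789:458): apparmor="ALLOWED" '
    'operation="open" profile="/usr/bin/evince" name="/tmp/x" pid=1236 '
    'comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Dec 26 08:52:12 host sshd[999]: Accepted publickey for user from 10.0.0.1',
]

# AppArmor audit records are key=value pairs; values are either
# double-quoted strings or bare words (pid=1234, fsuid=1000).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def log_source(line):
    """Classify a line: 'auditd' for /var/log/audit/audit.log records,
    'syslog' for kernel audit messages relayed by the syslog daemon,
    None for anything else."""
    if line.startswith('type='):
        return 'auditd'
    if 'kernel:' in line and 'audit:' in line:
        return 'syslog'
    return None


def parse_apparmor_event(line):
    """Return the key/value fields of an AppArmor audit record, or None
    if the line is not one. Works for both log sources."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def denied_events(lines):
    """Yield only records where apparmor="DENIED" (ALLOWED records from
    complain mode are skipped)."""
    for line in lines:
        ev = parse_apparmor_event(line)
        if ev and ev.get('apparmor') == 'DENIED':
            yield ev


def summarize_denials(lines):
    """Count denials per (profile, operation, name) so a maintainer can
    see which accesses the profile blocks before touching the profile."""
    counts = Counter()
    for ev in denied_events(lines):
        counts[(ev.get('profile'), ev.get('operation'), ev.get('name'))] += 1
    return counts


if __name__ == '__main__':
    # Reads the constructed sample; replace SAMPLE_LINES with
    # open('/var/log/audit/audit.log') or sys.stdin on a real system.
    for (profile, op, name), n in sorted(summarize_denials(SAMPLE_LINES).items()):
        print(f'{n:4d}  {profile}  {op}  {name}')
```

Run it against a real system by piping the log file in place of `SAMPLE_LINES`; the `log_source` check tells you which file the records came from, so a maintainer following the wiki instructions can confirm whether to watch syslog or audit.log on the machine at hand.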
