[pkg-apparmor] Review of "How does my AppArmor profile get into Debian?"

intrigeri intrigeri at debian.org
Fri Dec 26 08:27:45 UTC 2014


Hi,

here's a review of
https://apparmor.451f.org/2014/12/23/how-does-my-apparmor-profile-get-into-debian/

> First of all, let me emphasize that one needs to distinguish between
> AppArmor, the kernel module, and the AppArmor profiles, which define
> rules for application confinement.

I think it would be worth mentioning the AppArmor userspace tools, too
(shipped in the apparmor and apparmor-utils Debian packages, all built
from the apparmor source package), especially given the following
quote is about kernel/userspace, not about kernel/profiles.

> So, we can find the upstream AppArmor profile development taking
> place at Canonical’s launchpad. The profiles which are developed
> there serve as a basis for those included in Debian

s/for those/for some of those/, maybe?

> the rules of a profile which are not applicable for a system are ignored

s/not applicable for a system/not supported by the AppArmor parser and running kernel/ ?
not much longer, but way more precise :)

Also, I'm not sure it's worth mentioning that the "unsupported rules"
problem has been solved, without describing the actual problem.
I suggest either dropping this paragraph entirely, or explaining that
the AppArmor 2.8.x parser would fail to load a profile that has e.g.
`mount' or `signal' rules, unless the kernel has out-of-tree patches
applied to support them.

> and finally included into the corresponding package.

Unclear. I think I've already mentioned this, and proposed
a rephrasing, in another recent review.

> The team takes care of merging changes from the upstream profiles
> into Debian.

s/into Debian/into Debian, and vice-versa/ ?

Regarding the table, I suspect that my comments about
AppArmor/PackageMaintainers also apply here. And we'll want to
maintain a single version of it.

> at a different point in time then when the apparmor-profiles-extra
> package is updated

s/then/than/

Thanks!

Cheers,
-- 
intrigeri
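The "unsupported rules" point above (a parser that does not know whether the running kernel mediates `mount' or `signal' rules fails to load the whole profile) can be illustrated with a small feature check. The following is an added example, not code from the blog post under review nor from the Debian apparmor packages. It assumes that a kernel advertises each rule class it can mediate as a subdirectory of /sys/kernel/security/apparmor/features/ (the directory names and the keyword-to-feature mapping below are assumptions of this example, not taken from the apparmor_parser source), and it builds a constructed profile and constructed feature trees in a temporary directory so that it runs offline.

```python
"""Report which rule classes in an AppArmor profile the kernel cannot mediate.

Added example, not part of the reviewed post or of Debian's apparmor packages.
Assumption: a kernel exposes one subdirectory per mediated rule class under
/sys/kernel/security/apparmor/features/; the mapping below is illustrative.
"""
import os
import re
import tempfile

# Rule keyword -> features/ subdirectory whose presence signals kernel support
# (assumed mapping for this example).
RULE_FEATURES = {
    "mount": "mount",
    "umount": "mount",
    "remount": "mount",
    "pivot_root": "mount",
    "signal": "signal",
    "ptrace": "ptrace",
    "dbus": "dbus",
}

DEFAULT_FEATURES_DIR = "/sys/kernel/security/apparmor/features"

# Optional qualifiers (audit/deny/owner) may precede the rule keyword.
_RULE_RE = re.compile(r"^\s*(?:(?:audit|deny|owner)\s+)*(\S+)")


def kernel_supports(feature, features_dir=DEFAULT_FEATURES_DIR):
    """True if the kernel advertises mediation for `feature`, e.g. "mount"."""
    return os.path.isdir(os.path.join(features_dir, feature))


def rule_keywords(profile_text):
    """Yield (line_number, keyword) for each non-comment line of a profile.

    Comment and #include lines are skipped; the keyword is the first token
    after any audit/deny/owner qualifiers, with a trailing comma removed.
    """
    for lineno, raw in enumerate(profile_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _RULE_RE.match(line)
        if match:
            yield lineno, match.group(1).rstrip(",")


def unsupported_rules(profile_text, features_dir=DEFAULT_FEATURES_DIR):
    """Return [(line_number, keyword)] for rules the kernel cannot mediate."""
    return [
        (lineno, kw)
        for lineno, kw in rule_keywords(profile_text)
        if kw in RULE_FEATURES
        and not kernel_supports(RULE_FEATURES[kw], features_dir)
    ]


def strip_unsupported(profile_text, features_dir=DEFAULT_FEATURES_DIR):
    """Drop single-line rules the kernel cannot mediate (simplified model of
    what a feature-aware parser does instead of refusing the whole profile)."""
    bad = {lineno for lineno, _ in unsupported_rules(profile_text, features_dir)}
    kept = [raw for lineno, raw in enumerate(profile_text.splitlines(), start=1)
            if lineno not in bad]
    return "\n".join(kept) + "\n"


def make_features_dir(root, *features):
    """Create a fake features/ tree under `root` with the given subdirectories."""
    path = os.path.join(root, "features")
    os.makedirs(path, exist_ok=True)
    for feat in features:
        os.makedirs(os.path.join(path, feat), exist_ok=True)
    return path


# Constructed sample profile for this example; not a profile shipped by Debian.
SAMPLE_PROFILE = """\
#include <tunables/global>

profile example /usr/bin/example {
  #include <abstractions/base>

  capability setuid,
  /etc/example.conf r,
  owner /tmp/example.* rw,
  mount options=(ro, bind) /srv/ -> /mnt/,
  signal (send) set=(term) peer=example-helper,
  audit ptrace (read) peer=unconfined,
}
"""


def demo():
    """Compare a kernel without mount/signal/ptrace mediation (constructed
    feature set) against one that advertises it. Returns
    (unsupported_on_old, unsupported_on_new, stripped_profile_for_old)."""
    with tempfile.TemporaryDirectory() as tmp:
        old = make_features_dir(os.path.join(tmp, "old"), "file", "capability")
        new = make_features_dir(os.path.join(tmp, "new"), "file", "capability",
                                "mount", "signal", "ptrace")
        return (unsupported_rules(SAMPLE_PROFILE, old),
                unsupported_rules(SAMPLE_PROFILE, new),
                strip_unsupported(SAMPLE_PROFILE, old))


if __name__ == "__main__":
    on_old, on_new, stripped = demo()
    print("unsupported on unpatched kernel:", on_old)
    print("unsupported on patched kernel:", on_new)
    print(stripped)
```

On a real system, call `unsupported_rules(open(path).read())` with the default features directory to see, before running apparmor_parser, which rule lines of a profile the running kernel would not accept.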