[pkg-apparmor] Bug#768415: Bug#768415: apparmor-profiles-extra: Migrate ntpd profile and tunables file to apparmor-profiles

[Felix Geyer]

On 12.08.2015 15:16, intrigeri wrote:
> Actually, usr.sbin.ntpd has been in the upstream VCS for years.
> 
> In practice, mostly OpenSUSE folks are maintaining it there, while
> Ubuntu is maintaining its own, that's shipped in the ntp package there
> (and in apparmor-profiles-extra in Debian).
> 
> The current diffstat between these two versions is:
> 
>  usr.sbin.ntpd |   81 +++++++++++++++++++++++++---------------------------------
>  1 file changed, 35 insertions(+), 46 deletions(-)
> 
> So, next step is actually *not* to switch to upstream's profile (via
> apparmor-profiles), but rather to merge these two diverging profiles
> upstream. Then only, we can switch to upstream's one and deal with the
> conffile migrating between packages.
> 
> Meta: I'm personally not very interested in ntpd (I'm more into
> systemd-timesyncd these days), so it's very unlikely that I work on
> this again.

We need to make a general decision on how we want to ship profiles.
Personally I think it's a bad idea to maintain profiles inside apparmor
and ship them as a package:
- We should only ship profiles that have actually been tested on Debian.
- They shouldn't be coupled to the apparmor release cycle.

In the current state I wouldn't recommend installing apparmor-profiles.
It feels more like a profile dumping ground of partially maintained profiles
that are disabled / in complain mode.

I'd rather ship a smaller set of profiles that we know work well.
Maybe we can discuss this next week at Debconf?

Cheers,
Felix