[pkg-apparmor] Bug#830501: Gather data relevant to enabling AppArmor by default
intrigeri at debian.org
Fri Jul 8 15:56:22 UTC 2016
Source: apparmor
Severity: normal
[I'll piggy-back on the BTS and pretend it's an appropriate TODO list
management system.]

In order to build a case for enabling AppArmor by default in Buster,
we need to gather some data:

 * usage:
    - in Debian: popcon
    - elsewhere: Tails, Ubuntu and others
 * usability cost: how often did AppArmor break stuff in sid?
   in testing? in stable? how fast were such issues fixed?
 * maintenance cost: how much work did we (and other maintainers
   affected by AppArmor) have to do to keep the policy up-to-date,
   since we started this effort? Let's focus on policy, and ignore the
   userspace tools packaging — that's a given.
 * security benefits: find CVEs / DSAs that were mitigated by the
   AppArmor policy we ship (not only is it useful for _us_ to check if
   our work had a measurable impact, but it also helps build the
   case in favor of enabling AppArmor by default, for example if
   having it would allow the security team to flag some issues no-dsa
   and focus on other matters)

I'll try to work on that shortly after the Stretch release at the
latest, so that we can raise this topic in the broader Debian
community as early as possible in the Buster development cycle.

Help is welcome!

Cheers,
--
intrigeri