Hello,

(I'm just recovering from some KMail/Akonadi migration "fun" (bug 721931) and currently use IMAP until everything works again - is the migration tool really considered production-ready?)

On Thursday, 6 October 2011, Stephan Kulow wrote:
> On Thursday, 6 October 2011, Tim Edwards wrote:
>> What replaces it in 12.1? Or is it just not needed on the kind of
>> systems (mostly desktop, laptop) that Opensuse is intended to be used on?
> We never had apparmor in real use by default. If you wanted to secure
> your system, you had to do manual work.
I'm sorry to say that, but you are wrong ;-)

There are not too many profiles installed by default, but the maintainers of at least two programs/packages already complained about the now missing apparmor protection:
- Peter Czanik / syslog-ng - see http://195.135.221.135/opensuse-factory/2011-09/msg00745.html
- Lars Müller / samba (in this thread)
- (and AJ at least cares about the profile for nscd)

Those examples already show something important: syslog-ng and nscd are running on every installation. I don't have to tell you that nscd handles DNS queries and therefore network traffic. Having it protected is always a good idea. And: yes, I'd call that "in real use".

Maybe the maintainers of ping and traceroute don't really care if they get some extra protection or not, but those programs also handle network traffic and are potentially endangered by faked/malicious traffic.

All this protection was available _by default_, without manual work.

There were also several users who complained that apparmor is no longer installed by default, but I'm too tired to google the archive links for those mails ;-)
> And now we added one more step for those: install apparmor pattern. For
> everyone else, the system is faster.
... and less secure :-(

Maybe it saves a bit of boot time, but AFAIK there isn't a measurable performance impact in the running system.

Oh, and loading the apparmor profiles at boot will become much faster with my next commit of the apparmor package because I'll enable caching. The cache will be written at the first start of apparmor (and whenever a profile was changed).

To give you some numbers, I measured this with "time rcapparmor reload" on my system:
- without caching: 7.5s
- enable caching, first start (= write the cache): 10s
- restart with cache filled: 0.3 to 0.4s

In other words: The startup time for apparmor will see a massive 2000% speedup in the next days. See https://bugzilla.novell.com/show_bug.cgi?id=689458 for all the technical details.

To avoid another mail, I'll quote some text from another mail you sent:

On Thursday, 6 October 2011, Stephan Kulow wrote:
> I had the impression you and Marcus at least are part of this list.
> http://lists.suse.de/opensuse-factory/2011-08/msg00345.html triggered no
> response and as such Sascha changed the patterns.
I assume "no response" was meant as "no response from the security team" because otherwise you'd have missed lots of mails, for example http://lists.suse.de/opensuse-factory/2011-08/msg00391.html and various replies to it.
> And at that point, Jeff was basically saying that he does not maintain
> apparmor and the security team didn't care that it was bitrotting either.
Yes, but I replied and stepped up. Initially my plan was to "only" upstream the openSUSE patches to make maintenance easier for Jeff, but then I completely took over the package. This also fixes the problem with the bitrotting apparmor package, so please re-add it to the default pattern!

Oh, BTW: can you make me the default assignee for AppArmor in bugzilla, please?

Regards,

Christian Boltz
--
Now I'll wait a few more weeks until the new version 10.1 comes out, listen to the screams of the early adopters, and then consider whether to wait for 10.2, install 10.0 instead, or take 10.1 right now after all... [Sandy Dobic in suse-linux]
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
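The thread's point is that network-facing daemons such as nscd and syslog-ng run on every installation and silently lose their confinement when the apparmor pattern is dropped. The script below is an added example, not code from this thread or from the AppArmor project: it lists which running processes AppArmor leaves unconfined and reports the confinement mode of named daemons. It assumes the kernel exposes each process's AppArmor label in /proc/<pid>/attr/current as either "unconfined" or "<profile> (<mode>)", takes process names from /proc/<pid>/comm, and uses a constructed sample process table (the `AA_SAMPLE` variable) so it can be run offline; `--live` scans the local /proc instead.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the AppArmor project:
# report which running processes AppArmor leaves unconfined, so daemons such
# as nscd or syslog-ng that handle network traffic can be spotted quickly.
#
# Assumption: the kernel exposes each process's AppArmor label in
# /proc/<pid>/attr/current as either "unconfined" or "<profile> (<mode>)",
# e.g. "/usr/sbin/nscd (enforce)". Process names come from /proc/<pid>/comm
# and are assumed to contain no whitespace.

# Emit one "<pid> <comm> <label>" line per process on a live system.
aa_collect_labels() {
    for d in /proc/[0-9]*; do
        [ -r "$d/attr/current" ] || continue
        label=$(tr -d '\n' 2>/dev/null < "$d/attr/current")
        comm=$(tr -d '\n' 2>/dev/null < "$d/comm")
        printf '%s %s %s\n' "${d#/proc/}" "${comm:-?}" "${label:-unknown}"
    done
}

# Read "<pid> <comm> <label>" lines on stdin; print the name of every
# process whose label is exactly "unconfined".
aa_unconfined_names() {
    while read -r _pid comm label; do
        [ "$label" = unconfined ] && printf '%s\n' "$comm"
    done
    return 0
}

# Read the same lines on stdin and print the confinement mode of the first
# process named $1: enforce, complain, unconfined, other (a label in a
# format this script does not recognise), or absent when no such process
# is running.
aa_mode_of() {
    want=$1
    result=absent
    while read -r _pid comm label; do
        [ "$comm" = "$want" ] || continue
        case "$label" in
            unconfined)     result=unconfined ;;
            *"(enforce)")   result=enforce ;;
            *"(complain)")  result=complain ;;
            *)              result=other ;;
        esac
        break
    done
    printf '%s\n' "$result"
}

# Constructed sample process table (not captured from a real machine) so the
# script can be exercised offline; pass --live to scan the local /proc.
AA_SAMPLE='1 init unconfined
412 nscd /usr/sbin/nscd (enforce)
520 syslog-ng unconfined
700 ping /bin/ping (complain)'

if [ "${1:-}" = --live ]; then
    aa_collect_labels | aa_unconfined_names
else
    echo "unconfined processes in sample:"
    printf '%s\n' "$AA_SAMPLE" | aa_unconfined_names
    for name in nscd syslog-ng ping; do
        printf '%s: %s\n' "$name" "$(printf '%s\n' "$AA_SAMPLE" | aa_mode_of "$name")"
    done
fi
```

On a host without AppArmor the label file is empty or carries another LSM's context, so every process shows up as "unknown" or "other" rather than "unconfined"; the check is only meaningful where the apparmor kernel module is active.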