Comment # 10 on bug 1150338 from
(In reply to Martin Wilck from comment #8)
> (In reply to Christian Boltz from comment #7)
> > (For example, my current tumbleweed has
> > /etc/alternatives/gs -> /usr/bin/gs.bin - I never did any manual changes to
> > it, so it seems to be the current default.)
> 
> The default changes to /usr/bin/gs.wrap if you install the gswrap package.

Well, _if_. On the latest Tumbleweed (dup'ed for years), gswrap doesn't get
installed automatically, therefore I'm quite sure that 99% of the Tumbleweed
users still use gs.bin.

Even with the quite broad profile we have now, I don't see the point in
removing the AppArmor profile because
- removing it makes things less secure (even the very broad profile can for
  example prevent executing binaries)
- most people (still?) use gs.bin because it's (still?) the default on a
  regularly dup'ed Tumbleweed
- even if at some point in the future most people use gs.wrap, we shouldn't 
  reduce security for those using gs.bin

> Anyway, as I've been asked to review
> https://build.opensuse.org/request/show/730528 - is there consensus about
> the AA profile?

I strongly recommend keeping the profile (and extending it to also attach to
gs.bin, not only gs).

