(12:01:29 PM) jjohansen: cboltz, sbeattie, sarnold, jdstrand, mdeslaur: if you're interested it's time for the monthly apparmor meeting
(12:01:39 PM) mdeslaur: hi jjohansen!
(12:01:49 PM) jdstrand: hi :)
(12:02:20 PM) terryh [~Terry@71-212-104-91.tukw.qwest.net] entered the room.
(12:02:21 PM) ***sbeattie o/
(12:03:16 PM) jjohansen: Well I guess that will have to do, let's get started
(12:03:20 PM) ***cboltz hides
(12:03:29 PM) jjohansen: cboltz: good idea :)
(12:03:57 PM) jjohansen: I guess first up is dealing with the 3.0 release
(12:04:02 PM) sarnold: o/
(12:04:43 PM) jjohansen: it's running behind schedule (big surprise), and I propose we postpone its release
(12:05:16 PM) jjohansen: I'd rather do a good release with the base target features than trickle out just a few things
(12:06:06 PM) jjohansen: what I was thinking was setting a new target date for the beta to say the start of June or so
(12:06:10 PM) jdstrand: that seems to make sense
(12:06:55 PM) jjohansen: that gives us about 3 months more dev and polish time and we can then look at rolling a release at some point in the summer
(12:07:06 PM) jjohansen: cboltz: what is the suse schedule looking like
(12:07:18 PM) sbeattie: jjohansen: would you want to do an alpha release before the beta?
(12:07:25 PM) cboltz: 12.3 will be released in two weeks
(12:07:34 PM) cboltz: and 13.1 will be in +8 months
(12:07:47 PM) jjohansen: sbeattie: yes, I'd like to roll several alphas before the beta
(12:08:04 PM) jjohansen: cboltz: so a release in 5-6 months would work out well for you then :)
(12:08:20 PM) cboltz: assuming we don't postpone again, it should work ;-)
(12:08:45 PM) sbeattie: jjohansen: okay, I wasn't sure given the previous alphas being skipped.
(12:08:54 PM) jjohansen: cboltz: well we are getting there
(12:09:08 PM) sbeattie: (but on the whole, I am okay with this plan)
(12:09:25 PM) jjohansen: sbeattie: well I kind of did a half assed alpha1 kernel, which was really on the 2.8 userspace
(12:09:35 PM) jjohansen: but never really announced it as such
(12:10:11 PM) jjohansen: sbeattie: I do really want to get an alpha out but I'd like to have certain things working well enough
(12:10:23 PM) jjohansen: we are close on the labeling/stacking and dbus
(12:10:39 PM) jjohansen: the env filtering is further out
(12:10:51 PM) cboltz: BTW and OT: I'm also making good progress with PostfixAdmin 3.0. We'll see who wins the "release 3.0" race ;-)
(12:10:59 PM) jjohansen: oh I guess we have the new fs interface which seems to be solid
(12:11:43 PM) jjohansen: cboltz: heh well I wouldn't be surprised if apparmor lost :)
(12:12:22 PM) cboltz: are you always that pessimistic? ;-)
(12:12:45 PM) jjohansen: so alpha wise my goal is to roll an actual alpha in a week or two, it won't be next week as I want to coordinate with tyhicks and get the new query interface in
(12:13:44 PM) jjohansen: cboltz: who me, I am very optimistic, I believe we will eventually have a 3.0 release ;-)
(12:14:20 PM) cboltz: ;-)
(12:15:54 PM) jjohansen: so I haven't heard any complaints with the plan, so I will record it as doing monthlyish alphas and a beta target for early june
(12:16:05 PM) jjohansen: Moving on to 2.8.2
(12:16:30 PM) jjohansen: sbeattie: you had some things you thought should probably go in?
(12:17:22 PM) jjohansen: Basically with 3.0 being delayed I think we need to make sure we roll all the fixes we can into 2.8
(12:17:34 PM) sarnold: would the new libaudit link -> cap_audit_write needed in PAM be worth adding to 2.8.2?
(12:18:04 PM) sbeattie: Oh, yes, some of the configury stuff around python3 is broken in 2.8, and needs a couple of cherrypicked patches.
(12:18:09 PM) jjohansen: sarnold: yes I think so, though I am surprised suse hasn't seen it already
(12:18:43 PM) sbeattie: sarnold: where I ran into it was in mostly custom emitted profiles in the ubuntu tests of the pam_apparmor stack.
(12:18:56 PM) jjohansen: also I am open to 2.8.2 picking up a few little tweaks/improvements to the build etc above strictly just bug fixes
(12:19:15 PM) jjohansen: ah right
(12:19:30 PM) sbeattie: jjohansen: do you have any particular improvements in mind?
(12:19:33 PM) sarnold: sbeattie: ohh
(12:19:33 PM) jjohansen: still I would expect if someone tried pam_apparmor on suse they would hit it
(12:20:24 PM) jjohansen: sbeattie: not at the moment, but there was discussion of cleaning up the rpm infrastructure a bit, and tweaks to the make system etc last time
(12:20:33 PM) cboltz: jjohansen: pam_apparmor is one of the things I don't use myself
(12:20:40 PM) cboltz: what exactly is broken with it?
(12:20:55 PM) jjohansen: we would have to evaluate case by case but I am open to a few tweaks like that going in
(12:21:21 PM) jjohansen: cboltz: it's a pam module that can be used to put users/applications into apparmor profiles
(12:21:36 PM) cboltz: I know what it is/does ;-)
(12:22:10 PM) jjohansen: ah right, the issue is there are new rejects etc if you have auditd enabled
(12:22:16 PM) sbeattie: cboltz: nothing is broken with it; the discussion was prompted by ubuntu finally getting libaudit in main and enabled at build time for a bunch of things, which broke some tests of the pam_apparmor stack, because adding libaudit caused audit events to be written from userspace, requiring capability audit_write where it hadn't been needed before.
(12:22:33 PM) jjohansen: so Ubuntu has been using it with syslog, but hit errors with the inclusion of auditd
(12:22:46 PM) jdstrand: jjohansen: just with auditd enabled? it doesn't require a newer pam or something?
(12:23:04 PM) ***jdstrand uses pam-apparmor, but hasn't seen it on 12.04
(12:23:34 PM) sbeattie: no, it's not bound to auditd; it's the build-time enabling of the libaudit configure option.
(12:24:16 PM) jjohansen: sbeattie: well it's both, as it won't use auditd if it isn't present
(12:24:49 PM) sbeattie: jjohansen: pam will still try to generate the userspace audit events even if auditd is not running.
(12:25:14 PM) jdstrand: ok, that was more in line with what I was thinking
(12:26:37 PM) sbeattie: anyway, it's a bit of a diversion. At best, there might be improvements in an abstraction or two that could be made related to it.
(12:27:13 PM) jjohansen: yeah, but that is something that could definitely go into 2.8.2 as if you hit it you would call it a bug
(12:27:45 PM) jjohansen: Anyway I don't think 2.8.2 is a rush but I was thinking maybe we could get it out next month
(12:28:30 PM) jjohansen: If you see anything that's a bug, or think it would be appropriate with 3.0 still being a ways out please nominate it
(12:28:47 PM) sbeattie: Agree on 2.8.2
(12:29:19 PM) jjohansen: so we can move on
(12:29:25 PM) sbeattie: I'm happy to be the sucker^W^W^W handle that release, if you want.
(12:29:59 PM) jjohansen: sbeattie: thanks
(12:30:50 PM) jjohansen: cboltz: we have a packaging item around rpm on the agenda. Did you want to talk to that
(12:31:02 PM) cboltz: yes
(12:31:13 PM) cboltz: it's just an idea and I'd like to hear feedback
(12:31:23 PM) jjohansen: okay, go
(12:31:24 PM) cboltz: the (possible) problem is basically:
(12:31:35 PM) cboltz: a package contains an apparmor profile
(12:31:41 PM) cboltz: what should it have in its requirements?
(12:32:02 PM) cboltz: if it requires apparmor-profiles, people might complain because they want to run ping unprotected ;-)
(12:32:20 PM) cboltz: and if it does not require it, the abstractions are missing and the profile fails to load
(12:32:32 PM) cboltz: that's why I was thinking about splitting the package into
(12:32:35 PM) cboltz: a) profiles
(12:32:49 PM) cboltz: b) everything else (directory structure, abstractions, tunables etc.)
(12:33:02 PM) cboltz: what's your opinion about this?
(12:33:35 PM) mdeslaur: that's basically what we do on ubuntu
(12:34:31 PM) jjohansen: cboltz: it makes a lot of sense and I really don't know why the abstractions aren't split off from the rest of the profiles
(12:34:56 PM) jjohansen: my guess is it was just more work and we want to get something out the door
(12:35:06 PM) cboltz: probably because "nobody did it"
(12:35:45 PM) sarnold: probably paralyzed trying to come up with The Best Way to do it... I recall some talk about automatically building a giant pile of packages, one for each profile (family) and requirements to match...
(12:35:50 PM) jjohansen: cboltz: well it was our goal at one time to get all the profiles into their respective packages but that proved to be hard :)
(12:35:52 PM) cboltz: and it doesn't cause too many problems (only if a package comes with its own profile _and_ the parser is installed)
(12:36:15 PM) sarnold: cboltz: your suggestion sounds very practical to me. It's hard to see a downside, anyway. :)
(12:36:44 PM) cboltz: sarnold: well, the rpm database will grow a bit ;-)
(12:37:03 PM) sarnold: cboltz: hehe, it already tracks 27k files...
(12:37:26 PM) cboltz: jjohansen: IMHO getting the profiles into their respective packages only makes sense if the package maintainer cares about the profile
(12:37:39 PM) cboltz: otherwise it just means I have to update 20 packages instead of one ;-)
(12:38:10 PM) jjohansen: cboltz: yep, like I said it proved to be hard :)
(12:38:21 PM) cboltz: (ideally the _upstream_ maintainers should care, but that's even harder...)
(12:40:08 PM) jdstrand: ya
(12:40:32 PM) cboltz: BTW: after some discussion on the opensuse-factory ML around protecting stuff like firefox and acroread, I'm also thinking about creating an apparmor-profiles-paranoid-will-break-something package ;-)
(12:40:59 PM) sarnold: ooh
(12:41:14 PM) cboltz: (you all know that profiling applications with a "save as..." menu option never makes everybody happy)
(12:41:50 PM) cboltz: (and that's also the reason why I'm not too keen to add an acroread profile to the profiles package)
(12:42:43 PM) jjohansen: cboltz: well get them to patch the file dialog to use the new apparmor sandbox file dialog that is coming (eventually) and everyone will be happy :)
(12:43:12 PM) cboltz: that's the long-term goal, but I haven't seen this dialog yet ;-)
(12:43:28 PM) jjohansen: cboltz: hence the eventually
(12:43:41 PM) cboltz: I'm really looking forward to it, because it will solve lots of problems
(12:44:01 PM) jjohansen: yes, it will be nice to have
(12:44:51 PM) jjohansen: alright so can we get a sucker^w volunteer to do some base packaging work around this
(12:45:05 PM) jjohansen: it would make sense to have this upstream I think
(12:45:35 PM) cboltz: I'm not sure if upstream makes sense here ;-)
(12:45:45 PM) cboltz: basically I only have to split the %files in the spec
(12:46:12 PM) cboltz: so the only upstream thing that could be helpful is a README.packaging that recommends to split profiles and abstractions etc. in separate packages
(12:46:20 PM) jjohansen: well, we do ship a reference set, and currently the abstractions and profiles are treated the same
(12:46:34 PM) jdstrand: I think that is probably right
(12:46:44 PM) jdstrand: it is a reference set, it can be shipped together
(12:47:42 PM) jdstrand: I can see the benefit of the split I guess, but README.packaging sounds easier, especially since distros may not use whatever split we come up with
(12:47:53 PM) jjohansen: heh, okay I'll defer, cboltz feel free to submit patches to the README :)
(12:48:18 PM) jjohansen: might not but are lazy so are likely to
(12:48:28 PM) ***jdstrand nods
(12:48:45 PM) cboltz: I'll send a patch whenever I'm bored ;-) (which doesn't happen too often)
(12:50:07 PM) jjohansen: Alright moving on
(12:50:26 PM) jjohansen: next meeting. Should we move back to tuesday?
(12:50:56 PM) jjohansen: And if so March 2 or March 9th?
(12:51:04 PM) jjohansen: gah, stupid jj.
(12:51:13 PM) jjohansen: April 2 or April 9th
(12:51:51 PM) ***jjohansen would really like to have an extra February of dev time
(12:51:55 PM) jdstrand: I'd suggest 9th
(12:52:08 PM) jdstrand: but it can be either
(12:52:13 PM) jdstrand: (imho)
(12:52:13 PM) sarnold: no difference for me
(12:52:34 PM) cboltz: I don't really care about the day, and both dates you proposed are OK for me
(12:53:00 PM) sbeattie: I'm okay with either
(12:53:11 PM) jjohansen: alright that's good enough for me
(12:53:11 PM) jjohansen: Tuesday April 9th, @20:00 UTC
(12:53:29 PM) jjohansen: does anyone have anything else they would like to discuss
(12:53:30 PM) sbeattie: would that be the intended regular date, 2nd tues of each month?
(12:53:42 PM) sbeattie: (just to try for a consistent schedule)
(12:53:47 PM) jjohansen: sbeattie: yeah that is what we have tried for
(12:54:20 PM) sbeattie: okay, couldn't remember if it was 1st or 2nd tues. Works for me,
(12:54:35 PM) jjohansen: hrmm or was it first tuesday? Anyways I am good with codifying it as we try for the 2nd
(12:54:49 PM) cboltz: the 2nd will avoid April 1st 2014 ;-)
(12:55:16 PM) jjohansen: well that settles it then
(12:55:17 PM) ***jdstrand votes for 2nd tuesday, but doesn't have a strong opinion
(12:55:55 PM) ***cboltz votes for the first because he wants to do some april fool's jokes next year
(12:56:20 PM) jdstrand: heh
(12:57:53 PM) jjohansen: alright thanks for coming everyone, see you on the 9th
(12:57:58 PM) jjohansen: or sooner
(12:58:02 PM) jdstrand: thanks jjohansen! :)
(12:58:05 PM) mdeslaur: thanks jjohansen!
(12:58:07 PM) cboltz: I have two small things left ;-)
(12:58:19 PM) cboltz: one: any news on updating the wiki?
(12:58:31 PM) jjohansen: cboltz: oh, drat
(12:59:02 PM) cboltz: two: did someone write a description for a GSoC project about rewriting the tools + adding some features?
(12:59:17 PM) jjohansen: no, no news on the wiki we really do need to do that. I'll poke kees to remind me about who I need to contact
(12:59:58 PM) jjohansen: cboltz: oh drat no I haven't managed to get to that yet, sarnold have you?
(01:00:26 PM) sarnold: no, I didn't, I think I got a bit intimidated when I saw the other proposals were more than just hand-waving :)
(01:00:49 PM) jjohansen: alright I will see what I can come up with this weekend
(01:01:34 PM) jjohansen: and then I can send it to the ml for people to help with revisions
(01:01:56 PM) ***jjohansen sticks a sticky to his monitor
(01:02:22 PM) cboltz: another one? how big is your monitor? ;-)
(01:02:41 PM) jjohansen: all too small
(01:03:15 PM) cboltz: for the stickies or to display the applications?
(01:04:02 PM) jjohansen: stickies, and well I guess trying to see applications through all the stickies
(01:04:28 PM) cboltz: ;-)
(02:15:46 PM) terryh left the room (quit: Ping timeout: 480 seconds).
(03:46:45 PM) cboltz left the room (quit: ).