On Wed, Jan 15, 2014 at 07:30:52PM +0100, intrigeri wrote:
> Didier Raboud suggested to use dpkg triggers for what dh_apparmor
> does, and is happy to give a hand. See the attached message.
> Thank you, Didier!
>
> What do the original dh_apparmor authors / Ubuntu folks think?
> Any reason Didier missed, that explains why this might not be that
> good an idea?

Thanks for forwarding this along, intrigeri.

> From: Didier Raboud <o...@debian.org>
>
> While updating src:cups to solve #735313, I went and took a look at
> dh-apparmor and I gained the conviction that this would be better
> implemented as part of a centralized dpkg-trigger (in apparmor probably)
> instead of being replicated across all packages shipping apparmor files
> (although this is significantly helped with dh-apparmor).
>
> apparmor could have an 'interest /etc/apparmor.d/' triggers file and its
> postinst would then do the machinery to create (or remove) the
> /etc/apparmor.d/local/* files accordingly.

This does sound nice, but the next part worries me..

> This could also have the side benefit of only running apparmor_parser
> once for all files installed at the same time.

When would this single apparmor_parser run happen? It needs to happen
before daemons are started or restarted in their postinst scripts,
otherwise the AppArmor policy won't be enforced.

> You might be interested in taking a look at cups's postinst to see how
> timestamps are kept to avoid useless re-processing, although an initial
> trigger processing code could just replicate dh-apparmor's postinst code
> for all apparmor profiles found.
>
> I'd be happy to help with this feature, just ask if you need help!

Thanks!
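
A sketch of the trigger-side processing proposed in the quoted message (one `interest` declaration, `local/` files created centrally, a single `apparmor_parser` run), added here as an example and not taken from dh_apparmor, apparmor or cups packaging. `AA_ROOT`, `AA_PARSER`, the state directory and the use of content checksums in place of the timestamps mentioned for cups are assumptions; it covers creation of `local/` files only and does not address when the trigger runs relative to daemon postinst scripts.

```shell
#!/bin/sh
# Added sketch of a centralized trigger handler; not dh_apparmor or apparmor code.
# The owning package would declare in its debian/triggers file:
#   interest /etc/apparmor.d
# AA_ROOT, AA_PARSER and the state directory are assumptions of this example.
AA_ROOT="${AA_ROOT:-}"                       # empty on a live system
AA_PARSER="${AA_PARSER:-apparmor_parser}"

# Prints the profiles that were (re)loaded; returns 1 if the parser failed.
process_profiles() {
    dir="$AA_ROOT/etc/apparmor.d"
    state="$AA_ROOT/var/lib/apparmor-trigger"    # hypothetical path
    mkdir -p "$dir/local" "$state"
    changed=""
    for profile in "$dir"/*; do
        [ -f "$profile" ] || continue            # skip local/, abstractions/, ...
        name=$(basename "$profile")
        # Create the empty local/ override file when it is missing.
        [ -e "$dir/local/$name" ] || install -m 644 /dev/null "$dir/local/$name"
        # Skip profiles whose content matches what was loaded last time.
        if [ -e "$state/$name" ] && [ "$(cat "$state/$name")" = "$(cksum < "$profile")" ]; then
            continue
        fi
        changed="${changed:+$changed }$profile"
    done
    if [ -n "$changed" ]; then
        # One parser run for everything installed in this dpkg invocation.
        # $changed is split on whitespace: profile names must not contain spaces.
        $AA_PARSER -r -T -W $changed || return 1
        for profile in $changed; do
            cksum < "$profile" > "$state/$(basename "$profile")"
        done
    fi
    echo "$changed"
}

# dpkg runs the interested package's postinst with "triggered" as $1.
if [ "${1:-}" = "triggered" ]; then
    process_profiles >/dev/null || true
fi
```

A failed parser run leaves the recorded checksums untouched, so the same profiles are retried the next time the trigger fires.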