On Fri, 8 Sep 2006, Jason L Tibbitts III wrote:
>>>>> "JM" == James Morris <jmorris(a)redhat.com> writes:
JM> This guideline would request that developers test their package
JM> with SELinux enabled (and by this I mean in enforcing mode) and
JM> follow a simple procedure:
Just like the IPv6 thing, I don't think this is an appropriate topic
for the packaging committee to consider.
If it were in our purview, we could require that packages operate with
SELinux targeted enforcing, but forcing reviewers and package
maintainers to do this is a good way to make sure we have no package
maintainers or reviewers (except for the ones who are paid by Red Hat,
of course).
A big +1 here.
We must *always* remember when working with community packagers: they do
this work to accomplish *their* needs. The fact that they accomplish
*our* needs as well is almost always a fortunate side effect.
I mean, FC5 as shipped won't even boot in my environment with SELinux
turned on. (Yes, I reported the problems and they were quickly fixed,
but that still doesn't get me a system I can boot to the point of
getting updates.) So I think it's way too early to be forcing people to
test with SELinux on.
For Extras, an SELinux SIG would be great; they could go through and
test applications, probably the server ones first. Core could of
course make their own policy. It's not for the packaging committee to
dictate either of those policies.
Another big +1. The unfortunate side effect here is that it's possible --
even likely -- that most community packagers won't give two craps about
the SELinux SIG.
Now, the packaging committee could publish guidelines for how to
include SELinux rules in a package; that would be great.
+1 again.
--g
-------------------------------------------------------------
Greg DeKoenigsberg || Fedora Project || fedoraproject.org
Be an Ambassador || http://fedoraproject.org/wiki/Ambassadors
-------------------------------------------------------------