Feature #12170

Upstream OnionCircuits AppArmor profile

Added by intrigeri 9 months ago. Updated 20 days ago.

Status: In Progress
Priority: Normal
Assignee:
Category: -
Target version:
Start date: 01/24/2017
Due date:
% Done: 10%
QA Check:
Feature Branch:
Type of work: Code
Blueprint:
Easy:
Affected tool: Onion Circuits

Description

In Tails 2.10, anonym introduced an AppArmor profile for OnionCircuits. That's great! Now, IMO our commitment to upstreaming our stuff implies we should have this profile included in the upstream Git repo, and installed by the Debian package.

History

#1 Updated by intrigeri 9 months ago

Any reason I've missed why we should not, or cannot, do that?

#2 Updated by anonym 7 months ago

  • Assignee changed from anonym to u

You'll find it in config/chroot_local-includes/etc/apparmor.d/usr.bin.onioncircuits. Thanks so much for taking over this from me! :))))))

#3 Updated by u 7 months ago

I made a commit upstream and to the packaging.

Now I'll need to see if Sascha wants to prepare the new package or if I should do it and once it's in Debian, we can remove the profile from our own repository.

#4 Updated by intrigeri 7 months ago

> I made a commit upstream and to the packaging.
>
> Now I'll need to see if Sascha wants to prepare the new package or if I should do it and once it's in Debian, we can remove the profile from our own repository.

Yeah! :)

#5 Updated by u 6 months ago

  • Status changed from Confirmed to Resolved

Sascha integrated this, so I'm considering this as done.

#6 Updated by intrigeri 4 months ago

  • Status changed from Resolved to In Progress
  • Target version changed from Tails_2.12 to Tails_3.2
  • % Done changed from 0 to 10

u wrote:

> Sascha integrated this, so I'm considering this as done.

... and since then anonym updated the profile in tails.git (ad0d64919f54260b3cc8d19252f97345091fcafd) but nobody copied the change to OnionCircuits' repo. I've just done this.

IMO we should keep this ticket open as long as we replace the upstream profile with our own one, so next steps are:

  1. publish a new upstream release with the last AppArmor profile changes & fixes
  2. upload to sid
  3. install OnionCircuits from testing or sid instead of from our own repo (until a proper backport is needed)

Sascha, can you please do the first two steps and then reassign to me? Thanks!

Additionally, I've pushed some fixes because the profile that was upstreamed breaks OnionCircuits on my sid (https://bugs.debian.org/865843).

#7 Updated by intrigeri 4 months ago

  • Assignee changed from u to sst

#8 Updated by sst 4 months ago

Hi intrigeri, thanks for the feedback and sorry for the delay in answering.
I would be happy to upload a new version but I'm not sure I can tag new releases in the upstream repo on git-tails.immerda.ch -- in fact, I also never have before. That being said, I wouldn't mind uploading an onioncircuits-0.4+git20170625.0.ce92de8-1 but I agree it would be nicer doing this for a real upstream release. Do we want to ping Alan?

#9 Updated by intrigeri 4 months ago

Hi Sascha!

> I would be happy to upload a new version but I'm not sure I can tag new releases in the upstream repo on git-tails.immerda.ch -- in fact, I also never have before.

Indeed, I've verified you don't have write access to the upstream repo.

> That being said, I wouldn't mind uploading an onioncircuits-0.4+git20170625.0.ce92de8-1

Let's avoid doing this and instead ensure we can put out new upstream releases when needed.

> but I agree it would be nicer doing this for a real upstream release. Do we want to ping Alan?

Indeed, the current theory is that Alan is the upstream maintainer. But he wrote:

> I'm happy to participate to maintain Onion Circuits. However, I can't
> promise to be responsive within a few weeks sometimes (and I don't even
> speak about a few days...) so if people want more responsiveness and
> have time to participate on the maintenance, I would love them joining!

So I see three options:

  • ask Alan to release 0.4.1 and wait until it happens (possibly 3-8 weeks)
  • you prepare the release in your own repo, then I review and merge it into the official repo
  • I release 0.4.1 myself

Regarding timing, as far as Tails is concerned we're in no hurry: we just need the updated package to be in Debian by mid-September. But I'm not a big fan of leaving OnionCircuits broken in Debian (for AppArmor users) for too long, so I suggest you ask Alan, and if he doesn't release 0.4.1 within 2 weeks, then either you or I prepare the new release. OK?

#10 Updated by sst 4 months ago

Hi intrigeri,

[...]

> I suggest you ask Alan, and if he doesn't release 0.4.1 within 2 weeks, then either you or I prepare the new release. OK?

That sounds like a plan. I'll send an email ASAP.

Cheers
Sascha

#11 Updated by anonym 20 days ago

  • Target version changed from Tails_3.2 to Tails_3.3
