Upstream OnionCircuits AppArmor profile
In Tails 2.10, anonym introduced an AppArmor profile for OnionCircuits. That's great! Now, IMO our commitment to upstreaming our stuff implies we should have this profile included in the upstream Git repo, and installed by the Debian package.
- Status changed from Resolved to In Progress
- Target version changed from Tails_2.12 to Tails_3.2
- % Done changed from 0 to 10
Sascha integrated this, so I'm considering this as done.
... and since then anonym updated the profile in tails.git (ad0d64919f54260b3cc8d19252f97345091fcafd) but nobody copied the change to OnionCircuits' repo. I've just done this.
IMO we should keep this ticket open as long as we replace the upstream profile with our own one, so next steps are:
- publish a new upstream release with the last AppArmor profile changes & fixes
- upload to sid
- install OnionCircuits from testing or sid instead of from our own repo (until a proper backport is needed)
Sascha, can you please do the first two steps and then reassign to me? Thanks!
Additionally, I've pushed some fixes because the profile that was upstreamed breaks OnionCircuits on my sid (https://bugs.debian.org/865843).
Hi intrigeri, thanks for the feedback and sorry for the delay in answering.
I would be happy to upload a new version but I'm not sure I can tag new releases in the upstream repo on git-tails.immerda.ch -- in fact, I also never have before. That being said, I wouldn't mind uploading an onioncircuits-0.4+git20170625.0.ce92de8-1 but I agree it would be nicer doing this for a real upstream release. Do we want to ping Alan?
> I would be happy to upload a new version but I'm not sure I can tag new releases in the upstream repo on git-tails.immerda.ch -- in fact, I also never have before.
Indeed, I've verified you don't have write access to the upstream repo.
> That being said, I wouldn't mind uploading an onioncircuits-0.4+git20170625.0.ce92de8-1
Let's avoid doing this and instead ensure we can put out new upstream releases when needed.
> but I agree it would be nicer doing this for a real upstream release. Do we want to ping Alan?
Indeed, the current theory is that Alan is the upstream maintainer. But he wrote:
> I'm happy to participate to maintain Onion Circuits. However, I can't promise to be responsive within a few weeks sometimes (and I don't even speak about a few days...) so if people want more responsiveness and have time to participate on the maintenance, I would love them joining!
So I see three options:
- ask Alan to release 0.4.1 and wait until it happens (possibly 3-8 weeks)
- you prepare the release in your own repo, then I review and merge it into the official repo
- I release 0.4.1 myself
Regarding timing, as far as Tails is concerned we're in no hurry: we just need the updated package to be in Debian by mid-September. But I'm not a big fan of leaving OnionCircuits broken in Debian (for AppArmor users) for too long, so I suggest you ask Alan, and if he doesn't release 0.4.1 within 2 weeks, then either you or I prepare the new release. OK?