Differences between revisions 37 and 77 (spanning 40 versions)
Revision 37 as of 2015-02-01 17:31:24
Size: 2890
Editor: UlrikeUhlig
Comment:
Revision 77 as of 2020-02-01 13:10:37
Size: 6737
Editor: nodiscc
Comment: move all content from Contribute/Upstream
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
<<Navigation(siblings,1)>>
----
#language en
~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: none-~

This page describes how to contribute to [[AppArmor]], both upstream and in Debian packages.


There are several ways to do this:

 * [[AppArmor/HowToUse|Enable AppArmor]], enforce a bunch of profiles, [[AppArmor/Debug|test]] and [[AppArmor/Reportbug|report bugs]] and/or happiness.
 * [[#Contribute_to_upstream_AppArmor_profiles|Contribute to upstream profiles]]
 * [[AppArmor/Debug#Edit_AppArmor_profiles|Create your own profiles]]
 * [[AppArmor/Contribute/MergeProfileFromUpstream|Update profiles shipped in apparmor-profiles-extra to the latest upstream version]]
 * Fix bugs in [[https://udd.debian.org/bugs.cgi?release=sid&merged=ign&fnewerval=7&flastmodval=7&apparmor=1&sortby=id&sorto=asc|the packages we maintain]]
 * Fix bugs in the DebianPts:apparmor package
 * Fix [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|usertagged bugs]]
 * Read, organize and update the [[AppArmor|Documentation]] and the [[AppArmor/Progress|progress tracking page]]
 * As a Debian package maintainer, [[AppArmor/Contribute/FirstTimeProfileImport|use dh_apparmor to import a profile to your package]]


Line 5: Line 23:
This page explains how to contribute to !AppArmor in Debian. ----
Line 7: Line 25:
== Infrastructure ==
Line 9: Line 26:
 * [[http://anonscm.debian.org/gitweb/?p=collab-maint/apparmor-profiles-extra.git;a=summary|Git repository for extra profiles]]
 * [[https://alioth.debian.org/projects/pkg-apparmor/|Alioth project]]
 * [[https://udd.debian.org/bugs.cgi?release=jessie&merged=ign&fnewerval=7&flastmodval=7&apparmor=1&sortby=id&sorto=asc|Bugs in the packages we maintain]]
== Debian / Upstream relationship ==
Line 13: Line 28:
<<Anchor(contactteam)>>
== Interacting with the team ==
'''We want to keep our delta with upstream as low as possible.''' If you want to submit a new profile or modify an existing one, this should be done '''upstream first'''. This process will also allow for better cross-distribution sharing and maintenance of profiles.
Line 16: Line 30:
 * '''Email''': pkg-apparmor-team@lists.alioth.debian.org
 * '''IRC''': ''#apparmor'' on irc.oftc.net (general AppArmor discussion channel)
Every distribution has adopted a different strategy to handle their profiles.
Most of Debian's !AppArmor profiles are imported directly from the upstream repositories. The development of profiles takes place in Git: https://gitlab.com/apparmor/apparmor-profiles,
Line 19: Line 33:
== Current status == Ubuntu and openSUSE enable !AppArmor by default. For Ubuntu, who base their profiles on the same upstream source, once a profile is "ready", it is [[https://wiki.ubuntu.com/ApparmorProfileMigration | taken out of the profile development branch and inserted directly into the corresponding package]]: e.g. the !AppArmor profile for `evince` is included into Ubuntu's evince package.
Line 21: Line 35:
 * Debian Wheezy supports AppArmor.
 * See the [[AppArmor/Progress|progress tracking page]].
In Debian, on the long run, a profile should also be delivered in the package that ships the software it is confining. This is already the case for [[https://wiki.debian.org/AppArmor/Progress#Included_in_the_corresponding_package|some packages]]. However, for now package maintainers can still rely on the Debian !AppArmor packaging team which provides additional profiles via the DebianPkg:apparmor-profiles-extra package.
Line 24: Line 37:
== How to participate == ||<style="background-color: lightgrey;">Upstream ||<style="background-color: lightgrey;">Debian source package ||<style="background-color: lightgrey;">Debian binary package ||<style="background-color: lightgrey;">Ubuntu source package ||<style="background-color: lightgrey;">Ubuntu binary package ||
|| [[https://gitlab.com/apparmor/apparmor|apparmor]] || DebianPts:apparmor || DebianPkg:apparmor and DebianPkg:apparmor-profiles || [[http://packages.ubuntu.com/source/apparmor|apparmor]] || [[http://packages.ubuntu.com/apparmor|apparmor]] ||
|| [[https://gitlab.com/apparmor/apparmor-profiles|apparmor-profiles]] || DebianPts:apparmor-profiles-extra || DebianPkg:apparmor-profiles-extra || [[http://packages.ubuntu.com/source/apparmor-profiles-extra|apparmor-profiles-extra]] || [[http://packages.ubuntu.com/apparmor-profiles-extra|apparmor-profiles-extra]] ||
|| Ubuntu || DebianPts:apparmor-profiles-extra || DebianPkg:apparmor-profiles-extra || [[https://launchpad.net/ubuntu/+source/tcpdump|tcpdump]] || [[http://packages.ubuntu.com/tcpdump|tcpdump]]||
|| Ubuntu || DebianPts:evince || DebianPkg:evince || [[https://launchpad.net/ubuntu/+source/evince|evince]] || [[http://packages.ubuntu.com/evince|evince]]||
|| libvirt || DebianPts:libvirt || DebianPkg:libvirt-daemon-system || [[https://launchpad.net/ubuntu/+source/libvirt|libvirt]] || [[http://packages.ubuntu.com/libvirt-daemon-system|libvirt-daemon-system]]||
Line 26: Line 44:
=== Ship an AppArmor profile in "your" package ===
 * [[AppArmor/Contribute/ImportProfileFromUpstream | Import a profile from upstream]]
 * [[AppArmor/Contribute/ImportProfileFromExtra | Import a profile from apparmor-profiles-extra]] to the package to the package you maintain
 * [[AppArmor/Contribute/PackageMaintainers | Learn how to package using dh_apparmor]], ie. if your upstream already provides an !AppArmor profile
 * To create a completely new profile, see section "Create new profiles" on this page.
 * [[AppArmor/Debug | Debug and test]]
Note: we merely use `evince` and `libvirt` as example packages in this table. The libvirt upstream tarball includes an own !AppArmor profile, whereas the evince upstream tarball does not.
Line 33: Line 46:
=== Improve quality of AppArmor profiles === == Contribute to upstream AppArmor profiles ==
Line 35: Line 48:
 * '''Use !AppArmor''': [[AppArmor/HowToUse|enable AppArmor]], enforce a bunch of profiles, [[AppArmor/Debug | test]] and [[AppArmor/Reportbug | report and triage bugs]] and/or happiness. [[#Debian_.2F_Upstream_relationship|Upstream AppArmor profiles live in many different repositories.]] This documentation focuses on contributing to profiles that live in the [[https://gitlab.com/apparmor/apparmor-profiles | upstream apparmor-profiles repository]], but the procedure is quite similar for the other repositories.
Line 37: Line 50:
==== Upstream Debian changes to AppArmor profiles ====
 * [[AppArmor/Contribute/Upstream|Contribute to Upstream]].
If you want to contribute to existing/upstream AppArmor profiles, you need to:
Line 40: Line 52:
==== Import Upstream changes to Debian ====
 * [[AppArmor/Contribute/MergeProfileFromUpstream | Update profiles shipped in apparmor-profiles-extra to the latest upstream version]]
 * Generate and update your profiles: see '''[[AppArmor/HowToUse#Edit_AppArmor_profiles]]'''
 * Test your profiles: see [[AppArmor/Debug]]
 * create an account on [[https://gitlab.com/|GitLab.com]]
 * upload a SSH key to be able to push your changes.
 * install the Git version control system: `sudo apt install git`
 * Fork the upstream project: https://gitlab.com/apparmor/apparmor-profiles/forks/new
 * `git clone` your brand new fork.
 * Create a topic branch `git checkout -b BRANCHNAME origin/master`
 * [[AppArmor/HowToUse#Edit_AppArmor_profiles|Edit the profile, install/reload it]], and [[AppArmor/Debug|test it]]
 * Once done, you can commit the changes to your local repository: `git add -p && git commit`
 * Push the changes to your remote repository on a dedicated branch: `git push -u origin BRANCHNAME`
 * Then you will see a link that proposes you send a merge request through the web interface.
Line 43: Line 65:
==== Create new profiles ====
 * '''Create''' or patch profiles: [[AppArmor/Contribute/Upstream|Contribute to Upstream]].
Line 46: Line 66:
=== Debug, report triage and fix bugs ===
 * [[AppArmor/Debug | Debug AppArmor profiles]]
 * [[AppArmor/Reportbug | Report and triage bugs]] and/or happiness.
 * '''Fix bugs''' in [[https://udd.debian.org/bugs.cgi?release=jessie&merged=ign&fnewerval=7&flastmodval=7&apparmor=1&sortby=id&sorto=asc|the packages we maintain]]
 * '''Fix bugs''' in the DebianPts:apparmor package.
 * '''Fix usertagged''' [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|bugs]]
== Get in touch with upstream ==
Line 53: Line 68:
=== Miscellaneous ===
 * '''Convince''' Ubuntu to upstream their !AppArmor profiles to Debian.
 * '''Organize''' by keeping the [[AppArmor/Progress|progress tracking page]] up-to-date.
 * '''Documentation''': improve the [[AppArmor/HowToUse|documentation about the user side of things]].
 * [[https://lists.ubuntu.com/mailman/listinfo/apparmor|AppArmor upstream mailing list]] - anything that is not a merge request
 * [[https://help.ubuntu.com/community/ReportingBugs|file a bug against apparmor on Launchpad]] - to get a new profile into the upstream apparmor-profiles package (see also [[https://gitlab.com/apparmor/apparmor/-/wikis/Launchpadtutorial|Launchpad tutorial]])

== Get in touch with the Debian AppArmor Packaging team ==

To update Debian profiles from upstream, please contact the packaging team:

 * pkg-apparmor-team@lists.alioth.debian.org mailing list
  * [[https://lists.alioth.debian.org/mailman/listinfo/pkg-apparmor-team|mailing list archives]]
 * `#apparmor` [[IRC|IRC channel]] on irc.oftc.net
 * [[AppArmor/Reportbug | report a bug with the usertag "new-profile" or "modify-profile"]]
 * [[https://salsa.debian.org/apparmor-team/|AppArmor Salsa project]]



----

CategorySystemSecurity

Translation(s): none

This page describes how to contribute to AppArmor, both upstream and in Debian packages.

There are several ways to do this:


Debian / Upstream relationship

We want to keep our delta with upstream as low as possible. If you want to submit a new profile or modify an existing one, this should be done upstream first. This process will also allow for better cross-distribution sharing and maintenance of profiles.

Every distribution has adopted a different strategy to handle their profiles. Most of Debian's AppArmor profiles are imported directly from the upstream repositories. The development of profiles takes place in Git: https://gitlab.com/apparmor/apparmor-profiles,

Ubuntu and openSUSE enable AppArmor by default. For Ubuntu, who base their profiles on the same upstream source, once a profile is "ready", it is taken out of the profile development branch and inserted directly into the corresponding package: e.g. the AppArmor profile for evince is included into Ubuntu's evince package.

In Debian, on the long run, a profile should also be delivered in the package that ships the software it is confining. This is already the case for some packages. However, for now package maintainers can still rely on the Debian AppArmor packaging team which provides additional profiles via the apparmor-profiles-extra package.

Upstream

Debian source package

Debian binary package

Ubuntu source package

Ubuntu binary package

apparmor

apparmor

apparmor and apparmor-profiles

apparmor

apparmor

apparmor-profiles

apparmor-profiles-extra

apparmor-profiles-extra

apparmor-profiles-extra

apparmor-profiles-extra

Ubuntu

apparmor-profiles-extra

apparmor-profiles-extra

tcpdump

tcpdump

Ubuntu

evince

evince

evince

evince

libvirt

libvirt

libvirt-daemon-system

libvirt

libvirt-daemon-system

Note: we merely use evince and libvirt as example packages in this table. The libvirt upstream tarball includes an own AppArmor profile, whereas the evince upstream tarball does not.

Contribute to upstream AppArmor profiles

Upstream AppArmor profiles live in many different repositories. This documentation focuses on contributing to profiles that live in the upstream apparmor-profiles repository, but the procedure is quite similar for the other repositories.

If you want to contribute to existing/upstream AppArmor profiles, you need to:

Get in touch with upstream

Get in touch with the Debian AppArmor Packaging team

To update Debian profiles from upstream, please contact the packaging team:


CategorySystemSecurity