On Saturday, April 09, 2011 12:54:23 Thomas S Hatch wrote:
On Sat, Apr 9, 2011 at 11:49 AM, Yaro Kasear <yaro@marupa.net> wrote:
On Saturday, April 09, 2011 12:01:04 Thomas S Hatch wrote:
On Sat, Apr 9, 2011 at 9:18 AM, Yaro Kasear <yaro@marupa.net> wrote:
On Friday, April 08, 2011 14:29:34 Heiko Baums wrote:
On Fri, 8 Apr 2011 10:55:16 -0600, Thomas S Hatch <thatch45@gmail.com> wrote:
Yaro makes many good points, I think that my recommendation would be to allow someone to maintain support for SELinux in community. If SELinux support is deemed something that would be a good idea to move to core in the future then do so, otherwise leave it in community.
I'd prefer a separate [selinux] repo. So that people know what they are doing.
I know, packages with SELinux support could and should be named something like selinux-XXX or XXX-selinux, but I think a new repo would be better and more secure - not only from SELinux' view.
This way SELinux users can just add [selinux] to pacman.conf above [core]. For the other users it should be deactivated by default.
Heiko
Here's another question. Isn't it general packaging policy to not fully support packages that have unofficial upstream patches applied? Isn't SELinux "unofficial" to all the upstream?
SELinux has been in the vanilla kernel for quite some time, say the 2.6.20 ish realm, and the majority of the core utils have had SELinux support built in for years. SELinux is official upstream.
But I don't want to argue about this anymore :) I think that we have a solution, I will be putting up an SELinux third party repo for testing in the next month or two and then once we have an assurance that it is working well we look into moving SELinux support into community.
This has been a great discussion, and I am excited to get some work done on improving SELinux support on Arch!
-Thomas S Hatch
What about the SELinux patches for things other than the kernel? Are those "official" to upstream? This is not for an argument, now I'm just genuinely curious.
The vast majority are, but there are a few places where patches are needed, like in pam and ssh.
So yes, there is a "half and half" going on. Basic SELinux support works without patches, but adding some of the more advanced features to some of the core applications requires a few patches.
-Thomas S Hatch
Great! Well, I look forward to maybe testing out your repository. Maybe I'll actually get SELinux working.