public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] Update on SELinux development guideline(s)
@ 2011-08-23 18:10 Sven Vermeulen
  2011-08-23 21:18 ` Chris Richards
  0 siblings, 1 reply; 2+ messages in thread
From: Sven Vermeulen @ 2011-08-23 18:10 UTC
  To: gentoo-hardened

Hi guys,

In the "Gentoo Hardened SELinux Development Policy" [1] we have a section
requiring development to use the 'gentoo_' prefix. The reason for that was
to ensure no collisions occur when a patch is added upstream.

[1] http://www.gentoo.org/proj/en/hardened/selinux-policy.xml

However, with the release of 20110726 and other changes, I'm pondering about
removing this section from the guideline, and here is why...

First of all, "safe migration" is not possible. We had around 40-something
patches applied to 20101213 and less than one third could still be applied
to 20110726. Not because the patch was included, but because the structure
of the code had changed. All other patches needed to be made manually anyhow.

Using gentoo_ prefix or not wouldn't make a difference here.

Second, if a collision occurs, we would either get a failed patch (which we
can then safely drop from our patch bundle) or a duplicate definition (which
we will notice during builds, after which we can update our patches). 

Using gentoo_ prefix or not wouldn't make a difference here.

Third, we are pushing many of our changes upstream. However, as long as we
use different naming conventions, then the patches cannot easily be pushed.
Currently, I'm manually typing over most patches that include gentoo_
prefixes into a reference policy checkout for submitting upstream, which is
*very* time consuming.

Using gentoo_ prefix is a time hogger. Using upstream naming convention
would be much leaner.

Fourth, supporting tools that help SELinux developers for a proper coding
style as well as other documents and guidelines are often based on the
naming convention. By using a gentoo_ prefix, these tools give warnings (and
the documents are less valid). If we need anything at all, a suffix would be
much more flexible.

Using gentoo_ prefix here is causing development efforts to become more
difficult.


I'd rather use the gentoo_ prefix for those things that we *know* are not to
be merged upstream anytime soon and which are /Gentoo/ specific (like some
of our booleans).

Any objections here? 

Wkr,
	Sven Vermeulen


* Re: [gentoo-hardened] Update on SELinux development guideline(s)
  2011-08-23 18:10 [gentoo-hardened] Update on SELinux development guideline(s) Sven Vermeulen
@ 2011-08-23 21:18 ` Chris Richards
  0 siblings, 0 replies; 2+ messages in thread
From: Chris Richards @ 2011-08-23 21:18 UTC
  To: gentoo-hardened


> I'd rather use the gentoo_ prefix for those things that we *know* are not to
> be merged upstream anytime soon and which are /Gentoo/ specific (like some
> of our booleans).
>
> Any objections here?

It seemed like a good idea at the time.  Sounds like it has created more
problems than it solved?

My main concern (which prompted the current scheme) was that I didn't want
us creating collisions with upstream policy.  It sounds like what you are
saying is that there are already enough issues with applying upstream
policy that our current scheme isn't really saving us anything.  That
being the case, I think I am OK with dropping the prefix.

Later,
Gizmo
