Hi, thanks for the quick answer. For now I'll focus on Andrej's plans (not potential future improvements) and the bits I know best, leaving it to Andrej to reply about the other aspects :)
Niels Thykier (2021-02-06):
> intrigeri:
> As I read dh_apparmor, it generates maintscript based on the
> --profile-name parameter. That name must match a file installed
> in /etc/apparmor.d (of same name). This implies that something else
> have (or will) install the actual file into /etc/apparmor.d.
>
> => Is this correctly understood?

Right.

>> Possible improvements for further iterations, definitely not blocking
>> this plan IMO, i.e. food for future thought:
>>
>> - Either drop support for --profile-name or, if for some reason it's
>> still needed, support declarative syntax to configure it.
>>
>
> What about manifests? We can have them declarative by providing them in
> a "guessible" location (e.g. debian/apparmor-manifests/<foo> would match
> debian/.../etc/apparmor.d/<foo>). But that implies that "omission"
> (including accidental) is silently accepted as "no manifest".
> I do not know the consequence of that, so I cannot say if this
> approach is good or not.

FTR, I've not found any trace of a package in the archive using the --manifest=manifestfile facility.

> Accordingly, I am not going to take a decision in the near future
> about whether dh_apparmor should be enabled by default via debhelper
> itself.

Fully agreed, this was merely food for thought for potential future iterations :)