* I have spit out my current diffs in policy on fedoraproject.org
From: Daniel J Walsh @ 2008-02-01 15:01 UTC
To: SE Linux, Christopher J. PeBenito
http://people.fedoraproject.org/~dwalsh/Policy/
Patch is now up to 28000 lines.
I have it split into 147 patches.
Kernel patches should be fairly easy to merge,
System patches other than userdomain should not be difficult.
Then we get to service/apps ...
Going forward this is going to get more difficult. I think we need more
people with the ability to update the reference policy. Even if they
just cherry pick through the differences in my patches and upstream. I
don't believe one person can keep up with the volume of changes.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: I have spit out my current diffs in policy on fedoraproject.org
From: Stephen Smalley @ 2008-02-01 15:05 UTC
To: Daniel J Walsh; +Cc: SE Linux, Christopher J. PeBenito
On Fri, 2008-02-01 at 10:01 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://people.fedoraproject.org/~dwalsh/Policy/
>
> Patch is now up to 28000 lines.
>
> I have it split into 147 patches.
>
> Kernel patches should be fairly easy to merge,
> System patches other than userdomain should not be difficult.
>
> Then we get to service/apps ...
>
>
> Going forward this is going to get more difficult. I think we need more
> people with the ability to update the reference policy. Even if they
> just cherry pick through the differences in my patches and upstream. I
> don't believe one person can keep up with the volume of changes.
Maybe create a fedora branch of refpolicy?
--
Stephen Smalley
National Security Agency
* Re: I have spit out my current diffs in policy on fedoraproject.org
From: Paul Moore @ 2008-02-01 16:07 UTC
To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux, Christopher J. PeBenito
On Friday 01 February 2008 10:05:27 am Stephen Smalley wrote:
> On Fri, 2008-02-01 at 10:01 -0500, Daniel J Walsh wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > http://people.fedoraproject.org/~dwalsh/Policy/
> >
> > Patch is now up to 28000 lines.
> >
> > {snip}
> >
> > Going forward this is going to get more difficult. I think we need
> > more people with the ability to update the reference policy. Even
> > if they just cherry pick through the differences in my patches and
> > upstream. I don't believe one person can keep up with the volume
> > of changes.
>
> Maybe create a fedora branch of refpolicy?
Does this actually solve the problem, or just move the patch problem
from outside refpolicy SVN into a branch within refpolicy? The changes
still need to get merged into the trunk and I'm not sure a branch helps
that any (maybe it does, I guess it all depends on how Chris works).
--
paul moore
linux security @ hp
* Re: I have spit out my current diffs in policy on fedoraproject.org
From: Christopher J. PeBenito @ 2008-02-01 19:39 UTC
To: Paul Moore; +Cc: Stephen Smalley, Daniel J Walsh, SE Linux
On Fri, 2008-02-01 at 11:07 -0500, Paul Moore wrote:
> On Friday 01 February 2008 10:05:27 am Stephen Smalley wrote:
> > On Fri, 2008-02-01 at 10:01 -0500, Daniel J Walsh wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > http://people.fedoraproject.org/~dwalsh/Policy/
> > >
> > > Patch is now up to 28000 lines.
> > >
> > > {snip}
> > >
> > > Going forward this is going to get more difficult. I think we need
> > > more people with the ability to update the reference policy. Even
> > > if they just cherry pick through the differences in my patches and
> > > upstream. I don't believe one person can keep up with the volume
> > > of changes.
> >
> > Maybe create a fedora branch of refpolicy?
>
> Does this actually solve the problem, or just move the patch problem
> from outside refpolicy SVN into a branch within refpolicy? The changes
> still need to get merged into the trunk and I'm not sure a branch helps
> that any (maybe it does, I guess it all depends on how Chris works).
That doesn't help me; on many things I need more information on the
change, so a patch format works. Some of the problems are that the
patches are divided by module, not by changeset. It's better than one
big mega patch, but still suboptimal, especially if a changeset crosses
modules. I still suggest using quilt.
I'd suggest using trac's bug system on the refpolicy site so we can have
tracking of patches without flooding the mail list, however I'm sure Dan
isn't interested in entering 147 bugs (unless there is a nice
command line tool that can do this that I don't know of).
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: I have spit out my current diffs in policy on fedoraproject.org
From: Daniel J Walsh @ 2008-02-01 21:08 UTC
To: Christopher J. PeBenito; +Cc: Paul Moore, Stephen Smalley, SE Linux
Christopher J. PeBenito wrote:
> On Fri, 2008-02-01 at 11:07 -0500, Paul Moore wrote:
>> On Friday 01 February 2008 10:05:27 am Stephen Smalley wrote:
>>> On Fri, 2008-02-01 at 10:01 -0500, Daniel J Walsh wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> http://people.fedoraproject.org/~dwalsh/Policy/
>>>>
>>>> Patch is now up to 28000 lines.
>>>>
>>>> {snip}
>>>>
>>>> Going forward this is going to get more difficult. I think we need
>>>> more people with the ability to update the reference policy. Even
>>>> if they just cherry pick through the differences in my patches and
>>>> upstream. I don't believe one person can keep up with the volume
>>>> of changes.
>>> Maybe create a fedora branch of refpolicy?
>> Does this actually solve the problem, or just move the patch problem
>> from outside refpolicy SVN into a branch within refpolicy? The changes
>> still need to get merged into the trunk and I'm not sure a branch helps
>> that any (maybe it does, I guess it all depends on how Chris works).
>
> That doesn't help me; on many things I need more information on the
> change, so a patch format works. Some of the problems are that the
> patches are divided by module, not by changeset. It's better than one
> big mega patch, but still suboptimal, especially if a changeset crosses
> modules. I still suggest using quilt.
>
> I'd suggest using trac's bug system on the refpolicy site so we can have
> tracking of patches without flooding the mail list, however I'm sure Dan
> isn't interested in entering 147 bugs (unless there is a nice
> command line tool that can do this that I don't know of).
>
The problem is something like quilt works if you sit down and do one
massive change to policy, like removing the role separation on homedirs.
But I get 10 Bugzillas a day that I make changes to in the same pool.
Then back port these fixes into F7, F8 and RHEL5. I am also adding
additional policy components all the time. A lot of times while I am
fixing an AVC Bugzilla, I will notice that the policy really needs a
higher level function like auth_use_nsswitch(), I make the change while
I am in there.
So it would be tough to change the way I am working. What we really
could use is some volunteers to review and package up changes in a way
that Chris would like to see them.