On Sat, Apr 9, 2011 at 11:56 AM, Yaro Kasear <yaro@xxxxxxxxxx> wrote:

> On Saturday, April 09, 2011 12:54:23 Thomas S Hatch wrote:
> > On Sat, Apr 9, 2011 at 11:49 AM, Yaro Kasear <yaro@xxxxxxxxxx> wrote:
> > > On Saturday, April 09, 2011 12:01:04 Thomas S Hatch wrote:
> > > > On Sat, Apr 9, 2011 at 9:18 AM, Yaro Kasear <yaro@xxxxxxxxxx> wrote:
> > > > > On Friday, April 08, 2011 14:29:34 Heiko Baums wrote:
> > > > > > On Fri, 8 Apr 2011 10:55:16 -0600
> > > > > > Thomas S Hatch <thatch45@xxxxxxxxx> wrote:
> > > > > > > Yaro makes many good points, I think that my recommendation
> > > > > > > would be to allow someone to maintain support for SELinux in
> > > > > > > community. If SELinux support is deemed something that would
> > > > > > > be a good idea to move to core in the future then do so,
> > > > > > > otherwise leave it in community.
> > > > > >
> > > > > > I'd prefer a separate [selinux] repo. So that people know what
> > > > > > they are doing.
> > > > > >
> > > > > > I know, packages with SELinux support could and should be named
> > > > > > something like selinux-XXX or XXX-selinux, but I think a new
> > > > > > repo would be better and more secure - not only from SELinux'
> > > > > > view.
> > > > > >
> > > > > > This way SELinux users can just add [selinux] to pacman.conf
> > > > > > above [core]. For the other users it should be deactivated by
> > > > > > default.
> > > > > >
> > > > > > Heiko
> > > > >
> > > > > Here's another question. Isn't it general packaging policy to not
> > > > > fully support packages that have unofficial upstream patches
> > > > > applied? Isn't SELinux "unofficial" to all the upstream?
> > > >
> > > > SELinux has been in the vanilla kernel for quite some time, say the
> > > > 2.6.20 ish realm, and the majority of the core utils have had
> > > > SELinux support built in for years. SELinux is official upstream.
> > > >
> > > > But I don't want to argue about this anymore :) I think that we
> > > > have a solution, I will be putting up an SELinux third party repo
> > > > for testing in the next month or two and then once we have an
> > > > assurance that it is working well we look into moving SELinux
> > > > support into community.
> > > >
> > > > This has been a great discussion, and I am excited to get some work
> > > > done on improving SELinux support on Arch!
> > > >
> > > > -Thomas S Hatch
> > >
> > > What about the SELinux patches for things other than the kernel? Are
> > > those "official" to upstream? This is not for an argument, now I'm
> > > just genuinely curious.
> >
> > The vast majority are, but there are a few places where patches are
> > needed, like in pam and ssh.
> >
> > So yes, there is a "half and half" going on. Basic SELinux support
> > works without patches, but adding some of the more advanced features to
> > some of the core applications requires a few patches.
> >
> > -Thomas S Hatch
>
> Great! Well, I look forward to maybe testing out your repository. Maybe
> I'll actually get SELinux working.

That's good to hear! SELinux really is amazing stuff :)