[vote] release OpenWrt 21.02 with additional SELinux SDKs and IBs

Daniel Golle daniel at makrotopia.org
Thu Mar 18 12:02:21 GMT 2021 

On Thu, Mar 18, 2021 at 07:02:30AM +0100, Petr Štetiar wrote:
> Daniel Golle <daniel at makrotopia.org> [2021-03-18 02:47:40]:
> 
> Hi,
> 
> why no discussion prior to this voting? :-)
> 
> > Providing SELinux-enaled SDK and IB for all targets/subtargets allows
> 
> so we're going to build something which might not be even usable and supported
> on those targets? I would start with a list of targets where it makes sense,
> for example by adding some feature/config option.

SELinux is not a target or architecture specific feature (other than
e.g. seccomp), all it requires is a bit more space and RAM. Hence I
wouldn't know what would be the criteria for such a feature flag to
be enabled. All targets but 'ath25' because all boards go too little
RAM for recent kernel anyway already?

> 
> Do we really want to support SELinux corner cases on really exotic targets?

To me there is no difference here, if there are 8MB or more of flash
and 64MB or more of RAM (and we already got feature flags for that),
users are free to opt for SELinux and I'd expect that to work fine,
no matter which target.

> 
> > Option A: Yes, provide SELinux SDK and IB for the 21.02.x releases.
> 
> This is not an option for me, because it's too late for such a change. It's
> not about the SDK/IB itself, thats mostly fine with me. It's mainly about the
> possible number of additional patches needed to make SELinux enabled systems
> working, which in the turn might cause regressions for !SELinux builds etc.
> 

We've been test-running this on master for almost a year now, I don't
think there will be any patches needed for !SELinux at all at this
point. What did you have in mind? (Just to understand your concern).


> > Option B: Yes, and even start offering that for 21.02-SNAPSHOTS asap.
> > Option C: No, let's not do any of that.
> 
> Option D: Start as always in master/snapshots and if the feature is usable
> and in a shape for a release, then include it in release.
> 
> So my choice is D, if that's not an option, then I'm for C.

We kinda did that (things are in master for a while now), we just
didn't offer binary builds, because doing that for snapshots would be
too wasteful (as binary updates anyway won't work great).

If you think it would provide anything useful, sure, why not have
also SELinux-enabled snapshot SDKs, IBs and their kmod :)


Cheers


Daniel

> 
> Cheers,
> 
> Petr
> 
> _______________________________________________
> openwrt-adm mailing list
> openwrt-adm at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-adm

More information about the openwrt-adm mailing list