[vote] release OpenWrt 21.02 with additional SELinux SDKs and IBs

Daniel Golle daniel at makrotopia.org
Thu Mar 18 13:42:09 GMT 2021


On Thu, Mar 18, 2021 at 02:01:37PM +0100, Dominick Grift wrote:
> ....
> I suspect that you and I have pretty much the same idea but slightly
> different.
> 
> I think we both want to make this functionality discoverable to a wider
> audience. (easier to try out, so that we get some more feedback)
> 
> For me the goal is to get feedback from users so that the configuration
> can be refined and more use-cases can be supported.
> 
> I understood Petr as saying, just enable selinux by default in master
> branch only and then by the time a new version is branched we can
> determine if the implementation is good enough to be enclosed with the
> next version by default.
> 
> But I might have misinterpreted. If so, then I have no clue what he meant.

I'm not sure if he meant to enable SELinux kernel features by default
in future releases (to keep having a unified repository) and just make
the policy and userland optional (i.e. like Fedora or Lineage OS do).
I didn't consider this because the +400kB in kernel size (and the
ideological pains of having code written by the NSA compiled into one's
kernel) may repel quite a few people.

The other possible interpretation is, that he meant to test-run the
necessary changes of the buildbot and generate SELinux-enabled IB, SDK
and kmods in addition to the regular build in snapshot and then
eventually have that also for future releases. (i.e. what I suggested,
just starting from master/snapshots first)
I didn't suggest that because the relatively high price (in terms of
buildtime of phase1) didn't justify the potential benefits we might
gain from that to me (compared to just building from source yourself).

> 
> I like that idea because then people that use master branch (which is
> the development community) will get exposed to selinux whilst they still
> have option to opt-out and then hopefully we get some meaningful
> feedback that we can use to develop the configuration further.
> 
> As I understand it, you take a slightly different view, as you want to
> provide pre-built IB's and SDK's.

Yes, and for release rather than for snapshots. This is because I
believe that policy development should start on top of a stable release
because developing policy for a moving target (snapshots) is unlikely
to ever converge (unless we freeze development).
Until now we didn't have this option, and for 21.02 (with or without
binary IB and SDK) this is going to change and I hope to primarily
improve policy for the release (rather than chasing micro-change by
micro-change in the ongoing development).

> 
> That works for me as well because that also lowers the barrier of
> entrance (leading to feedback). However as Petr indicated it might be a
> bit too late for that for the 21-something version now.

Yes, this is a relevant concern and the primary reason why I started
this vote.

> 
> I just want some feedback (and I don't really care how I obtain it)
> because the policy is pretty "stable" right now for the basic use cases
> and for my personal use case. At the same time I know there is still a
> lot of potential but I will not be able to tap that potential as I do
> not have access to resources needed to test it out (I don't have IPTV, I
> don't have multi-wan, I don't have an XBOX for upnp, I don't have a VOIP
> telephone etc. etc.)
> 
> > 
> > _______________________________________________
> > openwrt-adm mailing list
> > openwrt-adm at lists.openwrt.org
> > https://lists.openwrt.org/mailman/listinfo/openwrt-adm
> > 


