[vote] release OpenWrt 21.02 with additional SELinux SDKs and IBs
Dominick Grift
dominick.grift at defensec.nl
Thu Mar 18 13:51:08 GMT 2021
On 3/18/21 2:42 PM, Daniel Golle wrote:
> On Thu, Mar 18, 2021 at 02:01:37PM +0100, Dominick Grift wrote:
>> ....
>> I suspect that you and I have pretty much the same idea but slightly
>> different.
>>
>> I think we both want to make this functionality discoverable to a wider
>> audience. (easier to try out, so that we get some more feedback)
>>
>> For me the goal is to get feedback from users so that the configuration
>> can be refined and more use-cases can be supported.
>>
>> I understood Petr as saying, just enable selinux by default in master
>> branch only and then by the time a new version is branched we can
>> determine if the implementation is good enough to be enclosed with the
>> next version by default.
>>
>> But I might have misinterpreted. if so that I have no clue what he meant.
>
> I'm not sure if he meant to enable SELinux kernel features by default
> in future releases (to keep having a unified repository) and just make
> the policy and userland optional (ie. like Fedora or Lineage OS do).
> I didn't consider this because the +400kB in kernel size (and the
> ideological pains of having code written by the NSA compiled into ones
> kernel) may repell quite a few people.
>
> The other possible interpretation is, that he meant to test-run the
> necessary changes of the buildbot and generate SELinux-enabled IB, SDK
> and kmods in addition to the regular build in snapshot and then
> eventually have that also for future releases. (ie. what I suggested,
> just starting from master/snapshots first)
> I didn't suggest that because the relatively high price (in terms of
> buildtime of phase1) didn't justify the potential benefits we might
> gain from that to me (compared to just building from source yourself).
>
I see. Understood (i think). I guess I misinterpreted his words.
>>
>> I like that idea because then people that use master branch (which is
>> the development community) will get exposed to selinux whilst they still
>> have option to opt-out and then hopefully we get some meaningful
>> feedback that we can use to develop the configuration further.
>>
>> As I understand it, you take a slightly different view, as you want to
>> provide pre-built IB's and and SDK's.
>
> Yes, and for release rather than for snapshots. This is because I
> believe that policy development should start on top of a stable release
> because developing policy for a moving target (snapshots) is unlikely
> to ever converge (unless we freeze development).
> Until now we didn't have this option, and for 21.02 (with or without
> binary IB and SDK) this is going to change and I hope to primarily
> improve policy for the release (rather than chasing micro-change by
> micro-change in the ongoing development).
Good point
>
>>
>> That works for me as well because that also lowers the barrier of
>> entrance (leading to feedback). However as Petr indicated it might be a
>> bit too late for that for the 21-something version now.
>
> Yes, this is a relevant concern and the primary reason why I started
> this vote.
>
>>
>> I just want some feedback (and I don't really care how I obtain it)
>> because the policy is pretty "stable" right now for the basic use cases
>> and for my personal use case. At the same time I know there is still a
>> lot of potential but I will not be able to tap that potential as i do
>> not have access to resources needed to test it out (i dont have IPTV, i
>> dont have multi-wan, i dont have an XBOX for upnp, i dont have a VOIP
>> telephone etc etc.
>>
>>>
>>> _______________________________________________
>>> openwrt-adm mailing list
>>> openwrt-adm at lists.openwrt.org
>>> https://lists.openwrt.org/mailman/listinfo/openwrt-adm
>>>
>>
>> _______________________________________________
>> openwrt-adm mailing list
>> openwrt-adm at lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-adm
More information about the openwrt-adm
mailing list