Maintain our Tor Browser AppArmor profile delta in a simpler way
For years, we've been maintaining a patch on top of the AppArmor profile shipped in the torbrowser-launcher Debian package: https://tails.boum.org/contribute/release_process/tor-browser_AppArmor_patch/
This system is complex and it creates an awful Git history. I'm not sure if anyone but me understands it enough to use it. Finally, the main benefits of this system have gone away as time passed and things changed. These benefits were:
- Force ourselves to regularly rebase our patch on top of the current upstream (+ Debian) one
  - This benefit still exists, e.g. without #18340 (closed) we would not be updating our profile right now.
  - The way to let us know we should do something, via the `devel` branch FTBFS'ing, is crude, to say the least. It often does not match the urgency level of upgrading our AppArmor profile, which could wait for a few weeks just fine, and does not deserve blocking development based on our `devel` branch.
  - I think there are better ways to get the same benefit. It boils down to "regularly check if X happened and if so, create an issue", which we do successfully in many other places. To start with, we could track this via a per-release or quarterly issue whose last step is to create the next issue. And since I'm the main person committing changes upstream, I should know when we should create such an issue, too.
- Take advantage of improvements that live in the Debian package but not upstream
  - The situation is the opposite of what it used to be: for a couple of years I've stopped working on the Debian package and instead maintain this profile directly upstream, where I have commit access. So nowadays, the Debian package is generally lagging behind upstream, not the opposite.
- Encourage ourselves to ensure the profile shipped in the Debian package is in good shape
  - I've personally given up on that. I'm generally using the upstream profile rather than the one in Debian, which is too often outdated and broken.
  - I don't think it's a good use of our resources. If anything, I'd rather advise Debian users to use the Flatpak for torbrowser-launcher, rather than the Debian package, which is broken way too often for Debian stable users.
- Anything else?
So, I propose we switch to a different model:
- base our main branch of https://gitlab.tails.boum.org/tails/torbrowser-launcher on top of upstream's `develop` branch
- add https://gitlab.tails.boum.org/tails/torbrowser-launcher as a submodule in tails.git
- drop `config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch` and `config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile`
- copy our profile via `auto/config` to `/etc/apparmor.d/`
- update doc: https://tails.boum.org/contribute/release_process/tor-browser_AppArmor_patch/
- schedule a recurring task to merge upstream's `develop` branch into our own torbrowser-launcher branch
- rename the `master` branch to `obsolete`
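As an added illustration (not code from this issue or from Tails' repositories), the following throwaway simulation builds the proposed layout with three local git repositories: an "upstream" torbrowser-launcher with a `develop` branch, our fork whose `main` sits directly on it, and a tails.git that pins the fork as a submodule and copies the profile into a build root the way `auto/config` would. The profile path `apparmor/torbrowser.Browser.firefox` and the shape of the install and sync steps are assumptions.

```shell
# Constructed, throwaway simulation of the proposed layout: three local git repos
# under $WORK stand in for upstream torbrowser-launcher, our fork and tails.git.
# The profile file name and the auto/config install step are assumed, not Tails' real code.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.org
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.org
WORK=$(mktemp -d)
PROFILE=apparmor/torbrowser.Browser.firefox
# git >= 2.38 refuses local-path submodules unless protocol.file.allow is set
GIT="git -c protocol.file.allow=always"

commit_profile() {  # $1: repo dir, $2: profile text
  mkdir -p "$1/apparmor" && printf '%s\n' "$2" > "$1/$PROFILE"
  git -C "$1" add -A && git -C "$1" commit -q -m "update profile"
}

# 1. upstream torbrowser-launcher: a develop branch carrying the profile
mkdir -p "$WORK/upstream" && git -C "$WORK/upstream" init -q
git -C "$WORK/upstream" symbolic-ref HEAD refs/heads/develop
commit_profile "$WORK/upstream" "profile v1"

# 2. our fork: main is based directly on upstream's develop (no patch left to rebase)
git clone -q -b develop "$WORK/upstream" "$WORK/ours"
git -C "$WORK/ours" checkout -q -b main

# 3. tails.git pins the fork as a submodule
mkdir -p "$WORK/tails" && git -C "$WORK/tails" init -q
$GIT -C "$WORK/tails" submodule --quiet add "$WORK/ours" torbrowser-launcher
git -C "$WORK/tails" commit -q -m "add torbrowser-launcher submodule"

# 4. the auto/config step: install the profile into the image's /etc/apparmor.d/
install_profile() {  # $1: tails checkout, $2: build root
  mkdir -p "$2/etc/apparmor.d"
  cp "$1/torbrowser-launcher/$PROFILE" "$2/etc/apparmor.d/"
}
installed_profile() { cat "$1/etc/apparmor.d/torbrowser.Browser.firefox"; }

# 5. the recurring task: merge upstream's develop into our main, then bump the pin
sync_upstream() {  # $1: fork dir, $2: tails checkout
  git -C "$1" fetch -q origin develop
  git -C "$1" merge -q --no-edit origin/develop
  $GIT -C "$2/torbrowser-launcher" pull -q origin main
  git -C "$2" add torbrowser-launcher && git -C "$2" commit -q -m "bump torbrowser-launcher"
}
```

Running `sync_upstream` after upstream changes the profile and then `install_profile` again is the whole recurring workflow; `git -C "$WORK/tails" submodule status` shows which fork commit the image build is pinned to.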