Report from DebCamp18

This was a nice DebCamp! Here is what I've been up to.

AppArmor

Uploaded 2.13-3 to sid after along review process by the Ubuntu maintainers (Salsa FTW!). Highlights:
- Yay for cross-distro collaborative maintenance :)
- New upstream 2.13 release
- Lots of packaging cleanups, getting closer to upstream and aiming at closingDebian bug #870697 some day.
- Please set proper SELinux labels : applied patch by Laurent [email protected].
- Fixed A reload deletes /etc/apparmor.d/cache/CACHEDIR.TAG .
- Made aa-notify point to Debian documentation (Debian bug #904436).
Move the binary cache from /etc to /var/cache : reached conclusions on the upstream discussion, implemented and sent amerge request.
Don't include python-apparmor nor python-libapparmor in Buster : submitted amerge request, promptly merged by one of the Ubuntu maintainers of the package.
Please make apparmor Multi-Arch: foreign : learned a little bit about Multi-Arch, documented my findings on the bug and requested more information from better skilled people.
Submitted amerge request to mark libapparmor-perl Multi-Arch: same , promptly merged by one of the Ubuntu maintainers for the package.
Relaunched , with a concrete proposal, the discussion about reconciling Apertis' packaging Git repository for src:apparmor with the Vcs-Git now shared by Debian and Ubuntu.

abstractions/freedesktop.org: treat Flatpak exports the same way as bits shipped by the distro aka.Debian bug #865206: improved my merge request based on Simon McVittie's feedback (thanks!).
clamav-freshclam: AppArmor denies access to /proc//status : had a quick look and provided hints for further debugging.
thunderbird: missing AppArmor entries : proposed cheap solutions.
tor: Tor doesn't start because of AppArmor : initial triaging.
usr.bin.chromium-browser: Cumulative update for Bionic / Chromium 65 : did a few more rounds of review and finally merged.
openntpd: Apparmor denies logging : confirmed that the proposed solution is good enough IMO.
Please support AppArmor network rules : clarified status (tl;dr: this was merged in mainline Linux but the userspace to benefit from it is not ready yet).
Played with Thunderbird 60 from experimental, looking for necessary updates of the corresponding AppArmor policy… and found none. In passing, found a few minor issues with Enigmail ( merge request ) and reporteda bug that makes Thunderbird 60 unusable for me.
Totem and GStreamer : the way we've historically confined Totem programs and their relationship to GStreamer conflicts by design with the sandboxing that was recently implemented in Totem . So I've proposed upstream to lower our expectations a bit and simplify the AppArmor policy accordingly. In passing, I've noticed an issue with Totem vs. recent Mesa and proposed a merge request to fix it.

Tried to give Thunderbird a custom reportbug script that includes the status of the AppArmor profile in bug reports, in order to ease the Thunderbird maintainers' task when triaging newly reported bugs. Sadly, computing this status requires root credentials so this won't work. Instead, explained in README.apparmor how to get this information, so that the Thunderbird maintainers can point users there when they have a doubt.

Triaged and investigated a few packages that don't build reproducibly.
Identified a few new candidates for removal from sid.
Removing packages that depend on obsolete libraries from the GNOME 2 area:
- updated status of this process that I've started at DebCamp17 last year ⇒ filed a bunch of removal bugs;
- filed RC bugs to prevent a number of other packages from being shipped in Buster.