On Tue, 2007-08-28 at 00:01 +0000, Linux Kernel Mailing List wrote:
> +NETWORKING [LABELED] (NetLabel, CIPSO, Labeled IPsec, SECMARK)
> +P: Paul Moore
> +M: [email protected]
> +L: [email protected]
> +S: Maintained
> +
Aren't there now 2 subsystems in MAINTAINERS for the same thing?
NETLABEL
P: Paul Moore
M: [email protected]
W: http://netlabel.sf.net
L: [email protected]
S: Supported
On Tuesday, August 28 2007 2:46:19 am Joe Perches wrote:
> On Tue, 2007-08-28 at 00:01 +0000, Linux Kernel Mailing List wrote:
> > +NETWORKING [LABELED] (NetLabel, CIPSO, Labeled IPsec, SECMARK)
> > +P: Paul Moore
> > +M: [email protected]
> > +L: [email protected]
> > +S: Maintained
> > +
>
> Aren't there now 2 subsystems in MAINTAINERS for the same thing?
>
> NETLABEL
> P: Paul Moore
> M: [email protected]
> W: http://netlabel.sf.net
> L: [email protected]
> S: Supported
Yes and no. Labeled networking consists of several different subsystems
because the term "labeled networking" can often mean several different
things. I'll spare everyone the gory details, but if you are interested in
more information check out the SELinux mailing list archives from the past
month; there has been a lot of discussion about the different types of
labeled networking and the requirements/goals of each.
NetLabel is just one subsystem that provides labeled networking
functionality (CIPSO is provided through the NetLabel subsystem), Labeled
IPsec and SECMARK also provide labeled networking functionality. Originally
I wrote/supported/maintained just NetLabel but over the past weekend James
Morris asked me to look after all of the different labeled networking
subsystems ... for better or worse I agreed :)
If having both a labeled networking and NetLabel maintainer entry is a
problem then how about the patch below?
Index: linux-2.6_maintainers/MAINTAINERS
===================================================================
--- linux-2.6_maintainers.orig/MAINTAINERS
+++ linux-2.6_maintainers/MAINTAINERS
@@ -2609,13 +2609,6 @@ W: http://www.netfilter.org/
W: http://www.iptables.org/
S: Supported
-NETLABEL
-P: Paul Moore
-M: [email protected]
-W: http://netlabel.sf.net
-L: [email protected]
-S: Supported
-
NETROM NETWORK LAYER
P: Ralf Baechle
M: [email protected]
@@ -2661,9 +2654,10 @@ L: [email protected]
T: git kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6.git
S: Maintained
-NETWORKING [LABELED] (NetLabel, CIPSO, Labeled IPsec, SECMARK)
+NETWORKING [LABELED] (NetLabel/CIPSO, Labeled IPsec, SECMARK)
P: Paul Moore
M: [email protected]
+W: http://netlabel.sf.net (NetLabel/CIPSO)
L: [email protected]
S: Maintained
--
paul moore
linux security @ hp
On Tue, 2007-08-28 at 08:46 -0400, Paul Moore wrote:
> If having both a labeled networking and NetLabel maintainer entry is a
> problem then how about the patch below?
I don't think it is.
> -NETWORKING [LABELED] (NetLabel, CIPSO, Labeled IPsec, SECMARK)
> +NETWORKING [LABELED] (NetLabel/CIPSO, Labeled IPsec, SECMARK)
> P: Paul Moore
> M: [email protected]
> +W: http://netlabel.sf.net (NetLabel/CIPSO)
> L: [email protected]
> S: Maintained
My preference would be for something like:
NETLABEL and CIPSO
P: Paul Moore
M: [email protected]
W: http://netlabel.sf.net
L: [email protected]
S: Maintained
F: Documentation/netlabel/
F: include/net/netlabel.h
F: net/netlabel/
Labeled IPsec and SECMARK
P: Paul Moore
M: [email protected]
L: [email protected]
S: Supported
F: include/linux/netfilter/*SECMARK*
F: net/netfilter/*SECMARK*
I would like to add appropriate file patterns for each
block. Also, I'm not sure of the Supported/Maintained
status of each block.
The distinction is supposed to be:
Supported: Someone is actually paid to look after this.
Maintained: Someone actually looks after it.
Could you please clarify those for me?
cheers, Joe
On Tuesday, August 28 2007 12:45:50 pm Joe Perches wrote:
> On Tue, 2007-08-28 at 08:46 -0400, Paul Moore wrote:
> > If having both a labeled networking and NetLabel maintainer entry is a
> > problem then how about the patch below?
>
> I don't think it is.
>
> > -NETWORKING [LABELED] (NetLabel, CIPSO, Labeled IPsec, SECMARK)
> > +NETWORKING [LABELED] (NetLabel/CIPSO, Labeled IPsec, SECMARK)
> > P: Paul Moore
> > M: [email protected]
> > +W: http://netlabel.sf.net (NetLabel/CIPSO)
> > L: [email protected]
> > S: Maintained
>
> My preference would be for something like:
>
> NETLABEL and CIPSO
> P: Paul Moore
> M: [email protected]
> W: http://netlabel.sf.net
> L: [email protected]
> S: Maintained
> F: Documentation/netlabel/
> F: include/net/netlabel.h
> F: net/netlabel/
>
> Labeled IPsec and SECMARK
> P: Paul Moore
> M: [email protected]
> L: [email protected]
> S: Supported
> F: include/linux/netfilter/*SECMARK*
> F: net/netfilter/*SECMARK*
>
> I would like to add appropriate file patterns for each
> block. Also, I'm not sure of the Supported/Maintained
> status of each block.
>From the little bit of the discussion that I saw a few weeks ago the idea of
file patterns in the MAINTAINERS file didn't go over very well. I still
don't see the "F" field specified/described at the top of the file.
As long as it is not a problem to have two maintainer entries, I think James'
patch (what it currently in-tree) is pretty good right now - it fits with the
rest of the NETWORKING [*] entries and looks correct to me.
> The distinction is supposed to be:
>
> Supported: Someone is actually paid to look after this.
> Maintained: Someone actually looks after it.
>
> Could you please clarify those for me?
Sure. HP is my current employer, i.e. they pay me, and both myself and HP
have pledged to continue supporting NetLabel (see the patchset posting that
was first accepted into the 2.6.19); I imagine this would fall under
the "Supported" category as currently stated. A few days ago I was asked,
and agreed to, maintain all of the labeled networking code (in addition to
NetLabel). While it is extremely likely that HP will support this decision
and allow me to work on all of the labeled networking infrastructure at work,
it would be overstepping my role within the company to say that HP is
pledging support for all of labeled networking.
I think the important thing here is that "someone is looking after this",
whether or not they are actually paid to do so is not quite as important in
my mind. If you feel strongly about the distinction please let me know and I
will update the status when/if it changes.
--
paul moore
linux security @ hp