
Bug#880441: linux-image-4.13.0-1-amd64: silently enabled AppArmor breaks other programs



The severity would have shown people who haven't upgraded that there
are issues... :-(


On Tue, 2017-10-31 at 16:01 +0000, Ben Hutchings wrote:
> Although you can disable it (security=dac or apparmor=0) if you want.
Sure. I never said this wasn't possible.


> > While I'm usually in favour of anything that improves security
> > (leaving aside the question here whether SELinux wouldn't be the
> > much more powerful solution ;-) )... this happened too silently
> > (e.g. no NEWS entry)... people may not even have installed the
> > userland tools.
> 
> The change was noted in the changelog, so it's not silent.

Well one cannot expect the average user to read every single entry of
the kernel changes included in there, can one?


> I intend to add a NEWS entry in the next linux-latest upload.  It
> doesn't make sense to add NEWS to linux-image-* packages as that will
> only be displayed for upgrades that don't involve an ABI bump

Perhaps one should have delayed the activation then until such bump, in
which the user will get an update for the meta-package as well.. which
then contains such notice :-)


> My understanding was that enabling AppArmor shouldn't do very much
> until a policy is loaded (which it won't be if you don't install the
> userland tools).  As you've found, that isn't entirely correct.

Mhh well that was a surprise for me as well :)


> Applications built for Linux are unrelated to Linux?  I don't think
> so.

With that argument, everything would be related to the kernel...
and to the bootloader (cause without it, no applications at all)...
and so on.
