Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1



On Sat, Dec 02, 2017 at 07:21:59PM +0000, Adam D. Barratt wrote:
> Control: tags -1 + pending
> 
> On Sat, 2017-12-02 at 14:37 +0100, intrigeri wrote:
> > Adam D. Barratt:
> > > Please go ahead, bearing in mind that the window for getting fixes into
> > > the 9.3 point release closes during this weekend.
> > 
> > Thanks, uploaded.
> > 
> 
> Flagged for acceptance.
> 
> Regards,
> 
> Adam
> 

please see #879585 / #882697 for potential fallout caused by this
update.

TL;DR: while pinning the features prevents breakage for people using
AA who install a more recent kernel from backports, it potentially
breaks systems using a custom/backports/newer kernel and AA profiles
requiring features not supported by the pinned 4.9 feature set. since
both the AA config file itself and the feature set file are conffiles,
overriding is not easily possible without conffile modification.

we (a Debian-derived hypervisor distribution) are using Debian Stretch
as base, but ship a more recent 4.13-based kernel with full AA support
and LXC with matching AA profiles. pinning the features to those offered
by Stretch's 4.9 kernel would break all user installations using LXC,
and we (as a distribution) could only override this pinning by shipping
our own apparmor packages (which we would like to avoid if possible).

I'll of course defer to intrigeri and the release team on whether to go
ahead as-is, include the patch to allow easier overriding or postpone
the apparmor stable update until the next cycle to allow for further
discussion.

thanks for your time and consideration!

