Hi,

Carsten Schoenert:
> On 05.11.2017 at 10:45, intrigeri wrote:
> meeh, go ahead.
> Looks fine from the technical side. As long as you put in tagging and
> closing information so gbp can pick up the bug number later for
> preparing changelog I'm more than happy. As I see actions on the BTS
> nevertheless I will ask back in case I have further questions.

:)

> I'm really happy you take some responsibility on the apparmor profile, I
> will mostly not have the time to also look at those bug reports while
> keeping up the packaging up to the current needs.

No problem.

> We still need to think about some automatic testing of Thunderbird
> packages together with some extensions. Otherwise we will always hit
> some issues while bringing new ESR versions into the security-update
> like happened with 52.0 and the enigmail extension. But this is another thing.

Indeed.

It was fine to ship the profile in enforce mode as long as it was only
affecting users who had voluntarily enabled AppArmor, but I suspect
this won't work with a broader userbase: Thunderbird is simply too
popular for us to be allowed to break it.

And given how wide open the profile has to be in order to work with
a broad userbase (e.g. since we need to run basically arbitrary apps
to open attachments), it doesn't provide that much security anyway.
Frankly, it's the kind of apps for which Flatpak + Portals would be
much better suited than AppArmor.

So if we see too many issues and maintenance churn, let's disable the
profile by default.

Cheers,
-- 
intrigeri
