Hi, I'll first clarify because it seems to me you're using the same word with very different meanings in a comparison:
Fabian Grünbichler:
> TL;DR: while pinning the features prevents breakage for people using
> AA who install a more recent kernel from backports,

In this case, "breakage" == application stops working after installing a newer kernel.

> it potentially breaks systems using a custom/backports/newer kernel
> and AA profiles requiring features not supported by the pinned 4.9
> feature set.

In this case, "breaks" == the AppArmor confinement becomes weaker, but the application keeps working.

> since
> both the AA config file itself and the feature set file are conffiles,
> overriding is not easily possible without conffile modification.

Right. Sorry I did not think about this Debian derivative use case.

> I'll of course defer to intrigeri and the release team on whether to go
> ahead as-is, include the patch to allow easier overriding or postpone
> the apparmor stable update until the next cycle to allow for further
> discussion.

I slightly prefer fixing ASAP a non-default use case I want to support in Debian (that's what we did in s-p-u already), even if it makes a derivative's life slightly harder temporarily when using a much more non-default configuration.

I would understand if the release team prefers to delay this update to a future point release though. But I can live with both approaches. The vast majority of Stretch users are not affected by either of the problems described above anyway.

Cheers,
--
intrigeri