Control: tags -1 severity important
Control: usertags -1 tb-apparmor
Hi,
On 14.02.26 at 22:51, Jeremy Bícha wrote:
On Sat, Feb 14, 2026 at 3:42 PM Debian Tester <[email protected]> wrote:
I am sure I did not enable the Thunderbird apparmor profile. Something did,
so from my perspective, the only question left for me is, what did enable
the Thunderbird apparmor profile on my boxes? If it was some install
script of some package in the Debian archive, then there could be some
pure Debian installations that do have the Thunderbird apparmor profile
enabled by default. Also, I am not convinced, based on a seven-year-old
README file, that every pure Debian installation now, seven years later,
will have the Thunderbird apparmor profile disabled by default.
Why should it be enabled now (by default)?
No, there is no other package than apparmor itself that would enable it.
Have a look at the modification time of
/etc/apparmor.d/disable/usr.bin.thunderbird or similar, so you will know
when it was modified.
I don't think there's anything in Debian that re-enabled the profile.
If your install is old enough, maybe it wasn't disabled when the
change in the default happened.
Then you (the reporter of that issue) will have for sure experienced
some other issues in the past originating in apparmor. We all agreed many
years back to have the apparmor profile for Icedove/Thunderbird
disabled by default in preparation for the Buster release.
I would suggest that, until the Thunderbird apparmor profile is fixed, that
the next update to Thunderbird or apparmor check to see if it is enabled,
and if it is, then it should be set to complain mode until the Thunderbird
apparmor profile is fixed.
That was done once before. Someone would just need to update the
version number to do it again:
https://salsa.debian.org/mozilla-team/thunderbird/-/blob/debian/sid/debian/thunderbird.postinst#L72-81
The Thunderbird package will do nothing on this in the future; a user
who has enabled the apparmor package is basically on their own, as
enabling the profile was done manually. That's what the apparmor
maintainers together with the Thunderbird maintainers have agreed on in
the past.
We found strong reasons to have the profile disabled by default. As
nothing has changed in the recent years on this I've set the severity to
important.
Doing a similar thing as done for versions greater than 1:52.5.0-1~
isn't as simple as it might look; turning the profile off now for all
the users that have switched it on isn't a good idea.
A potential fix needs to be done within the Apparmor package, as it
also provides the profile.
A few more small hints can be found on
https://wiki.debian.org/Thunderbird#AppArmor_profile
--
Regards
Carsten
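
Added example, not part of the original message or of any Debian package: a small shell check for the on-disk state of the profile and the modification time of its disable entry, as suggested above. The function names and state labels are made up for illustration; it assumes GNU stat and inspects configuration files only (aa-status shows what the kernel has actually loaded).

```shell
#!/bin/sh
# Illustrative helpers (hypothetical names, not from the apparmor package).
# They read files under an apparmor.d directory; nothing is modified.

# profile_state [ROOT] [PROFILE] -> prints disabled | absent | complain | enforce
profile_state() {
    root=${1:-/etc/apparmor.d}
    name=${2:-usr.bin.thunderbird}
    # An entry in disable/ (normally a symlink) stops the profile being loaded.
    if [ -L "$root/disable/$name" ] || [ -e "$root/disable/$name" ]; then
        echo "disabled"
        return 0
    fi
    if [ ! -f "$root/$name" ]; then
        echo "absent"
        return 0
    fi
    # A non-comment line carrying flags=(... complain ...) means complain mode.
    if grep -Eq '^[^#]*flags=\([^)]*complain[^)]*\)' "$root/$name"; then
        echo "complain"
    else
        echo "enforce"
    fi
}

# disable_mtime [ROOT] [PROFILE] -> prints when the disable entry was last
# modified; returns 1 if there is no such entry.
disable_mtime() {
    link="${1:-/etc/apparmor.d}/disable/${2:-usr.bin.thunderbird}"
    [ -L "$link" ] || [ -e "$link" ] || return 1
    # Without -L, GNU stat reports the symlink itself, not its target.
    stat -c '%y' "$link"
}

# Stand-alone use against the local system's defaults.
echo "profile state: $(profile_state)"
echo "disable entry mtime: $(disable_mtime || echo 'no disable entry')"
```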