On 2/14/2026 4:23 PM, Carsten Schoenert wrote: > Control: tags -1 severity important > Control: usertags -1 tb-apparmor > > Hi, > > Am 14.02.26 um 22:51 schrieb Jeremy Bícha: > > On Sat, Feb 14, 2026 at 3:42 PM Debian Tester <[email protected]> wrote: > >> I am sure I did not enable the Thunderbird apparmor profile. Something did, > >> so from my perspective, the only question left for me is, what did enable > >> the Thunderbird apparmor profile on my boxes? If it was some install > >> script of some package in the Debian archive, then there could be some > >> pure Debian installations that do have the Thunderbird apparmor profile > >> enabled by default. Also, I am not convinced, based on a seven year-old > >> README file, that every pure Debian installation now, seven years later, > >> will have the Thunderbird apparmor profile disabled by default. > > why it should be enabled now (by default)? > No, there is no other package then apparmor itself that would enable it, > have a look at the modification time of or similar > /etc/apparmor.d/disable/usr.bin.thunderbird so you will know when it was > modified. > > > I don't think there's anything in Debian that re-enabled the profile. > > If your install is old enough, maybe it wasn't disabled when the > > change in the default happened. > > Then you (the reporter of that issue) will have for sure experienced > some other issues in the past originated in apparmor. We all agreed many > years back to have the apparmor profile for Icedove/Thunderbird by > default disabled in preparation for the Buster release.
I am not the reporter of the issue but I am experiencing it now. But you are not correct to say that I have for sure experienced other issues in the past originated in apparmor because the apparmor profile for Thunderbird has apparently been enabled all this time: My sid and testing installations date back to the days when Jessie was the stable version, and I have never, over those ten plus years experienced any apparmor issue in either sid or testing in thunderbird or in any other package until this gdk-pixbuf transition. Something enabled the Thunderbird apparmor profile on my box, but it was not me as the user that did it. I have never even heard of tools like aa-complain and aa-enforce until today, and I have used Debian for more than eleven years. How could I have enabled the apparmor profile if I have never even heard of the tools that are used to enable it? > > >> I would suggest that, until the Thunderbird apparmor profile is fixed, that > >> the next update to Thunderbird or apparmor check to see it it is enabled, > >> and if it is, then it should be set to complain mode until the Thunderbird > >> apparmor profile is fixed. > > > > That was done once before. Someone would just need to update the > > version number to do it again: > > https://salsa.debian.org/mozilla-team/thunderbird/-/blob/debian/sid/debian/thunderbird.postinst#L72-81 > > The Thunderbird package will do nothing on this in the future, a user > who has enabled the apparmor package is basically on it's own as > enabling the profile was done manually. That's what the apparmor > maintainers together with the Thunderbird maintainers have agreed on in > the past. > We found strong reasons to have the profile disabled by default. As > nothing has changed in the recent years on this I've set the severity to > important. > > Doing a similar thing as done for versions greater then 1:52.5.0-1~ > isn't simple as it might look like, turning now the profile off for all > the user that have switched it on isn't a good idea. I agree, but I am sure I did not enable the apparmor profile, yet somehow it was enabled on both my sid and testing installations that have had zero apparmor problems with any package, including Thunderbird, since the time my installations originated way back when Jessie was the stable version, and I have been very conservative about changing defaults and have updated frequently and always followed the Don't break Debian rules. My case might still be a corner case, but this issue was definitely *not* caused by the user deliberately changing any default apparmor profile settings on my installations. Are you sure there was not a bug in the patch to Thunderbird to ensure the apparmor profile got disabled in preparation for Buster? Maybe, for some reason, on my installations that date back to the days when Jessie was released, the Thunderbird apparmor profile did not get disabled. Again, my case might be a corner case that fell through the cracks. The main point I am trying to get across is there might be other installations out there like mine that for whatever reason (other than user intervention) the apparmor profile for Thunderbird is enabled. We haven't yet heard from the reporter of this bug yet on matters such as how old that installation is or if disabling the apparmor Thunderbird profile fixes this issue on that installation, or if that user manually enabled the Thunderbird apparmor profile in that installation. If that user also says no changes to the apparmor profile were ever made by the user on that installation, then there would be strong evidence that there is some install/upgrade path that can lead to the situation where the Thunderbird apparmor profile, for whatever reason, was left enabled despite previous attempts to disable it by default in Debian packaging. > > A potential fix needs to be done within the Apparmor package as this is > providing also the profile. > > A few more small hints can be found on > https://wiki.debian.org/Thunderbird#AppArmor_profile >
