On 2/14/2026 4:23 PM, Carsten Schoenert wrote: > Control: tags -1 severity important > Control: usertags -1 tb-apparmor > > Hi, > > Am 14.02.26 um 22:51 schrieb Jeremy Bícha: > > On Sat, Feb 14, 2026 at 3:42 PM Debian Tester <[email protected]> wrote: > >> I am sure I did not enable the Thunderbird apparmor profile. Something did, > >> so from my perspective, the only question left for me is, what did enable > >> the Thunderbird apparmor profile on my boxes? If it was some install > >> script of some package in the Debian archive, then there could be some > >> pure Debian installations that do have the Thunderbird apparmor profile > >> enabled by default. Also, I am not convinced, based on a seven year-old > >> README file, that every pure Debian installation now, seven years later, > >> will have the Thunderbird apparmor profile disabled by default. > > why it should be enabled now (by default)? > No, there is no other package then apparmor itself that would enable it, > have a look at the modification time of or similar > /etc/apparmor.d/disable/usr.bin.thunderbird so you will know when it was > modified. > > > I don't think there's anything in Debian that re-enabled the profile. > > If your install is old enough, maybe it wasn't disabled when the > > change in the default happened. > > Then you (the reporter of that issue) will have for sure experienced > some other issues in the past originated in apparmor. We all agreed many > years back to have the apparmor profile for Icedove/Thunderbird by > default disabled in preparation for the Buster release. > > >> I would suggest that, until the Thunderbird apparmor profile is fixed, that > >> the next update to Thunderbird or apparmor check to see it it is enabled, > >> and if it is, then it should be set to complain mode until the Thunderbird > >> apparmor profile is fixed. > > > > That was done once before. Someone would just need to update the > > version number to do it again: > > https://salsa.debian.org/mozilla-team/thunderbird/-/blob/debian/sid/debian/thunderbird.postinst#L72-81 > > The Thunderbird package will do nothing on this in the future, a user > who has enabled the apparmor package is basically on it's own as > enabling the profile was done manually. That's what the apparmor > maintainers together with the Thunderbird maintainers have agreed on in > the past. > We found strong reasons to have the profile disabled by default. As > nothing has changed in the recent years on this I've set the severity to > important. > > Doing a similar thing as done for versions greater then 1:52.5.0-1~ > isn't simple as it might look like, turning now the profile off for all > the user that have switched it on isn't a good idea.
I will update my suggestion: On the next Thunderbird update, add a message during upgrade/installation (is that done via the NEWS.Debian file?) that says something like: The Thunderbird apparmor profile is intended to be disabled in a default installation. There is a regression since the gdk-pixbuf+glycin transition that causes Thunderbird to fail to start if the Thunderbird apparmor profile is enabled in some configurations. One known configuration where Thunderbird fails to start is when launching Thunderbird under Gnome and the Thunderbird apparmor profile is enabled. Therefore, if you have manually enabled the Thunderbird apparmor profile or if for some other reason the Thunderbird apparmor profile is enabled, it will be necessary to manually disable the Thunderbird apparmor profile to successfully launch Thunderbird under Gnome until #1127710 in the BTS is closed. > > A potential fix needs to be done within the Apparmor package as this is > providing also the profile. > > A few more small hints can be found on > https://wiki.debian.org/Thunderbird#AppArmor_profile >
