Hi intrigeri,
sorry for answering later but I'm busy with ongoing business trips.
Am 16.02.26 um 13:09 schrieb intrigeri:
Hi Carsten,
Carsten Schoenert (2026-02-14):
Feb 14 14:20:19 debian kernel: audit: type=1400 audit(1771096819.060:2399): apparmor="DENIED" operation="exec" class="file"
profile="thunderbird" name="/usr/lib/thunderbird/glxtest" pid=11876 comm="thunderbird" requested_mask="x"
denied_mask="x" fsuid=1000 ouid=0
You might need to add something similar to this within the profile.
/usr/lib/thunderbird/glxtest ixr,
glxtest is needed since some versions Thunderbird is able to start.
Yup.
I've been trying since November 2024 to upstream Tails' updates, such
as this one, to the AppArmor profile:
https://gitlab.com/apparmor/apparmor-profiles/-/merge_requests/61
Ohh, thats a long time and there are some more modifications needed or
useful for the profile I thought. But never did used AppArmor in Debian
in a serious way.
A few weeks ago, I've sent a last call for collaboration there.
No reply so far.
A problem what a lot of projects having and I do experiencing too while
working on some Python packages in Debian, projects are not fully dead
but did fade away due previous active members and decision makers have
given up or moved away from the project, or being just unresponsive.
It's hard to deal with this because it contradicts the principle of
pushing changes upstream first.
So, my next step, as announced on that MR a while ago, is to remove
the AppArmor profile from the Debian package in sid: without
a collaborative effort upstream, there's no good way for me to keep
maintaining it for Debian, with an amount of effort that I can
justify. Given the profile is so widely open and disabled by default,
that's not the end of the world. Not all experiments succeed, it's OK.
Thoughts?
I'm totally fine with this decision!
Sometimes it's better to accept that a "fight" is lost before to loose
even more energy and time while trying to keep a fragile situation.
I've read about the indentation of you to let the chapter AppArmor end
in Debian a while ago. If this all is not fun enough while working on
this it's better to let it go, my interests what to work on have also
shifted in the past years. At the moment my time is limited to work good
enough on in time update for the TB package, so Christoph did stand up
to do this since a while.
If this works for you, I'll prepare a MR.
Thanks a lot for your patience so far,
You are welcome! Christoph an are happy to merge in your suggested
upstream modifications of the AppArmor profile into the current the
packaging of Thunderbird!
--
Regards
Carsten
