On Mon, Feb 26, 2018 at 06:43:18PM +0100, Olivier Tilloy wrote:
> Although it wouldn't be a big deal to diverge, it'd be easier if we
> could align on this. What do you think?

I think it's bad. We had that once (see changelog)
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883800
and changed it back to complain. Cc'ing it.

> <jdstrand> oSoMoN: but, complain mode may be noisy for people who
> don't care about apparmor
> <jdstrand> oSoMoN: so, the idea is, in Ubuntu, if the profile is good
> enough to use in the default install of the package, it is enforce. if
> the profile can't really be turned on by default for *reasons* (eg,
> firefox, libreoffice), ship it disabled
> <jdstrand> oSoMoN: if the profile is installed via some other means
> and is 'in progress', eg, apparmor-profiles, then install in complain
> mode

And the profile here IS in-progress. Or why do we constantly find new
stuff which needs to be fixed? :)

And disabling it would hide it altogether and bugs like
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887593 wouldn't even
be filed, thus not knowing what to do until it breaks for users as it
happened for your 5.4.5 packages (and our 5.4.3 packages)

There also is still stuff hidden by complain that would break if it's
in enforce. See e.g.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882597 and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884747

In fact, I got an issue like this on my raspberrypi at home (which for
kernel and sanity reasons is buster already and this cupsd is
apparmor-enforced.)

Or
https://cgit.freedesktop.org/libreoffice/core/commit/?id=b13678b1e1d6f4cac548ae7e088b6030c31cf081
wouldn't have been done. Or... (imagine)

Regards,

Rene