Hello Cédric,

On 15.12.2017 at 12:09, Cédric Dufour - Idiap Research Institute wrote:
> Hello Debian Security Team,
>
> May I ask that you have a look at bug
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884191
>
> I find it strange a change as significant as the one at hand makes it
> to OldStable and Stable via Debian Security Updates without further
> notice.

That sentence isn't fully correct. For really important changes within a package that users should take note of, we use the NEWS files, as was also done for Thunderbird in the latest package uploads. And no, debconf is no option here.

> And I'm quite embarrassed that disabling an available (albeit
> optional) security feature is done in such a way that it can not be
> reliably re-enabled by those who *do* use that feature

Is the AppArmor profile not re-enabled? What led you to that conclusion? As written before, two commands are needed.

$ sudo rm /etc/apparmor.d/disable/profile.name
$ sudo apparmor_parser -r /etc/apparmor.d/profile.name

You were talking about some no-go thing in "enterprise system administration" in the bug report. If you experience such problems, I expect you are able to handle a deployment of packages for hundreds of clients in your environment if you call yourself an enterprise system administrator! Debian can't solve all the possible problems that can happen in various rare circumstances, but the package system is flexible enough to handle that.

No, I don't see that I, as the package maintainer, or the security team have to do something special here. Like most of the Debian package maintainers I'm doing the packaging work in my *free* time (like the security team too) and Debian is no company, so I also don't see that I have any customer relationship. There is no contract that can force the Debian community to do anything if you or any other company is using Debian.

> (by reliably,
> I mean without needing to monitor updates closely and take
> appropriate actions to correct their effects).

Sorry, do I understand you correctly, you don't look as a system administrator at what updates are going to be installed on your systems? You don't do any testing of such updates before you make them available for all your clients? Then, for me, you need a bit of rethinking of how to do your work.

If you haven't any central deployment and configuration management for packages in an environment like you have described, you can't do any structured work. You don't do any repacking of various packages? How do you handle all the clients behind the firewall that try to download things from the internet? Some typical packages that come to my mind are snmp-mibs-downloader or ttf-mscorefonts-installer. If you don't adjust the contents of those packages you can't install them successfully on clients. If your clients are able to connect to the whole internet then you have some bigger problems than an AppArmor profile for Thunderbird that has never reached an official release and is now temporarily disabled!

For building your own Thunderbird packages all you would need to do is clone the Thunderbird package, check out the branch debian/jessie, run 'git revert d8ff6b69957e9d5900cb094d28f64861f5a56261', modify the changelog file and rebuild the packages. If you don't have any infrastructure for providing modified packages in a larger environment then you need to take what the Debian repositories are providing. Or choose another distribution. Or even better, help to smash down the count of currently open bugs about AppArmor issues in the Thunderbird profile! I will happily re-enable the profile if most of the issues are solved.

https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=tb-apparmor;users=thunderb...@packages.debian.org

> Must I make up my mind about it or is it something that has been
> overlooked (in the context of Security Updates) ?

No, but please think about the corner cases we, and for packaging I, have to think about. You are *one* user of the Thunderbird packages with some not so typical environment; most of the users are not in that category. And all the big systems I know provide at least a configuration management and/or create their own packages for their users and machines.

--
Regards
Carsten Schoenert
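The two-command re-enable described in the message above, wrapped into the kind of idempotent check-and-fix script a configuration-management run would push to many clients. This is an added example, not code from the email or from Debian's Thunderbird packaging; it assumes the Debian profile file is named usr.bin.thunderbird and exercises the logic against a constructed temporary tree rather than a live /etc/apparmor.d.

```shell
#!/bin/sh
# Idempotent re-enable of an AppArmor profile disabled through the
# /etc/apparmor.d/disable/ symlink mechanism. The directory is a parameter
# so the logic can be exercised against a constructed tree without root.
set -eu

# 0 = profile disabled (symlink present), 1 = enabled, 2 = profile missing.
profile_state() {
    dir=$1; name=$2
    [ -e "$dir/$name" ] || return 2
    if [ -e "$dir/disable/$name" ] || [ -L "$dir/disable/$name" ]; then
        return 0
    fi
    return 1
}

# Removes the disable symlink if present and reloads the profile into the
# kernel when run against the real directory with apparmor_parser available.
enable_profile() {
    dir=$1; name=$2
    if ! [ -e "$dir/$name" ]; then
        echo "missing"; return 1
    fi
    if [ -e "$dir/disable/$name" ] || [ -L "$dir/disable/$name" ]; then
        rm -f "$dir/disable/$name"
        if [ "$dir" = /etc/apparmor.d ] && command -v apparmor_parser >/dev/null 2>&1; then
            apparmor_parser -r "$dir/$name"
        fi
        echo "enabled"
    else
        echo "already-enabled"
    fi
}

# Constructed demo tree (not a real system): usr.bin.thunderbird is assumed
# to be the Debian profile name and has been disabled via the symlink.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/disable"
    echo '# constructed placeholder profile' > "$tmp/usr.bin.thunderbird"
    ln -s "$tmp/usr.bin.thunderbird" "$tmp/disable/usr.bin.thunderbird"
    before=$(profile_state "$tmp" usr.bin.thunderbird && echo disabled || echo enabled)
    action=$(enable_profile "$tmp" usr.bin.thunderbird)
    after=$(profile_state "$tmp" usr.bin.thunderbird && echo disabled || echo enabled)
    rm -rf "$tmp"
    echo "$before $action $after"   # disabled enabled enabled
}

demo
```

Running it against the real tree means calling `enable_profile /etc/apparmor.d usr.bin.thunderbird` as root; a second run reports `already-enabled`, which is what makes it safe to schedule repeatedly.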