Comment 22 for bug 1350598

Pat had the idea of implementing a variation of '8'. Essentially, look inside the tar file and see if apparmor, click-apparmor or apparmor-easyprof-ubuntu changed, then say something along the lines of "Security policy will be updated after the device is restarted. This process may take several minutes." The result of the detection could flag displaying a static string during the boot process if people wanted. The scope of the recompile is not communicated (eg, changing a rule in a little used policy group won't trigger a recompile of all policy), but this is handled by the phrasing of 'may take' and people can simply be pleasantly surprised when it is faster.

This technique has one minor flaw: it doesn't detect the kernel .features file changing but I don't think that should block implementing this improvement. In practice, the kernel won't be changing this file during a normal OTA, and for an OTA for an OS version update that may have the .features change in the kernel (eg, 15.04 to 16.04) the other components will be changing with it.