Comment 20 for bug 1861408

John Johansen (jjohansen) wrote :

I cannot speak to specifics, but there are a lot of potential reasons a packager (not Firefox specific) might not be updating the profile.

- They don't use the profile, or maybe AppArmor. (Package maintainership evolves, and not everyone might even be aware of it without digging in.)

- The auto package tests don't report a failure. This could be because the tests aren't set up to use AppArmor, or just that they don't have a specific test for a change. Packagers are often very busy and won't dig into an update unless problems are being reported.

- The packager may be using a different kernel version, which results in AppArmor or the kernel/AppArmor having different features being used. Yes, they should be testing on a given release, but there are HWE kernels and upstream kernel builds that users may be using that are different from what the packager tests on.

- Testing didn't show an issue, but a different config or usage pattern that a user has will show one.

- The packager is not familiar with AppArmor and can't, or at least doesn't feel comfortable, updating the profile.

- The upstream packager tries to maintain a single profile version for all releases of a package. E.g. FF 71 is released on multiple distro versions (xenial, bionic, ...); each of those distros has a different kernel, the application will use different features, and AppArmor presents different features.

- AppArmor does not provide adequate means to distribute/use a single profile version across multiple releases when the features required are significantly different.

I am not arguing that the profile should not be updated, just providing some reasons why it might not be. Ideally it should be tested, and updated if necessary, with every release, especially when the profile is part of the package.