Comment 10 for bug 2065915

Robie Basak (racb) wrote : Re: [SRU] Fix hard coded path in apparmor profiles.

Thanks. The profiles there are a bit different though - IIUC, they're there so that people who wish to opt in to applying AppArmor profiles have a library to easily consult and use. There's a complication though, which is that due to a change in 24.04 it's now required to explicitly enable "userns", so we need a bunch of profiles for those AIUI. I'm not familiar with how that fits in with the apparmor-profiles package, which I believe is still optional.

I believe it does make sense for packaging to ship a profile with "userns" where required so that the package works by default, and that's what I see those profiles doing and what you're now doing for these packages in Oracular. Up to there, everything seems correct.

Using "cantor" as an example, it looks like you added specific confinement for AppArmor profiles prior to the release of 24.04 though. To then turn off confinement in an update in 24.04 would be a regression from the user's perspective - going from confined (more secure) to unconfined (less secure) - contrary to typical user expectations of what a stable release means.

On the other hand it doesn't seem appropriate to mandate that you must now rewrite all the profiles you added so that they work and leave the package broken if you cannot.

If I'm missing something in my understanding above, please correct me!

I'm open to suggestions on how to resolve this dilemma, but I would like to explore further the possibility of fixing the existing profiles rather than removing confinement. You said that the "packages still didn't work". Maybe we can find somebody to help with that?