Hi,

Thanks for the quick reply! Some comments and more questions inline below:

John Johansen (2025-02-10):
> On 2/10/25 03:48, intrigeri wrote:
>> Currently Debian testing/sid is tracking AppArmor 3.1.x.
>>
>> I'm wondering if I should upgrade to 4.x for Debian 13 (Trixie), whose
>> freeze will start in a few months. I would greatly appreciate
>> some advice.
>>
> Yes. We have been planning to get Debian updated to 4.1. Beta4
> should be dropping some time today. We still have a couple of
> known issues to fix before final release but it is getting
> close. It should release some time this month (February).
>
> 4.1 will be a long term support version, where the current 4.0
> release was not.

OK, so I'll try to upload 4.1.0~beta4 to experimental ASAP.
I hope I can recycle some of the 4.1.0~beta1 packaging work from
Ubuntu even though the Ubuntu packaging has switched to a Git workflow
that makes this hard.

And then from there we'll see what's left to do and whether that's
realistic to get it into Debian testing in time for the freeze for
disruptive changes (March 15). I'll make the final decision once 4.1
final is released.

>> Do I understand correctly that 4.x (or is it only 4.1?)
>> may not support policy that was written for 3.x?
>>
>
> AppArmor 4.x is backwards compatible with 3.x through the abi
> mechanism. If a profile declares support for a 3.x abi that
> is what will be supported and used.

OK, so, do I understand correctly that if we ship 4.1 in Debian
Trixie, all profiles shipped in Trixie MUST:

 - Either declare abi/4.x — there's already a few in Debian, but not
   many; this will work.

 - Or declare abi/3.0 — there's already a few in Debian, but not
   many; this will work in most cases, but in some cases profile
   interactions may break things and extra work is needed to fix
   things.

   To tell whether that's the case, is it sufficient to run them
   through `apparmor_parser --skip-cache --skip-kernel-load` and
   assume the parser will error out if they're not compatible?

   If that works, we're in luck: I can do that via autopkgtests!
   If it takes more manual work, I doubt we'll have capacity to
   evaluate all the profiles in Debian in due time.

 - Or declare no ABI but luckily be compatible with ABI 4.x.

   I think the majority of the profiles we have in Debian currently
   declare no ABI. I don't know if they are compatible with ABI 4.x.

   Same as above: To tell whether that's the case, is it sufficient
   to run them through `apparmor_parser --skip-cache
   --skip-kernel-load` and assume the parser will error out if
   they're not compatible?

   If that works, we're in luck: I can do that via autopkgtests!
   If it takes more manual work, I doubt we'll have capacity to
   evaluate all the profiles in Debian in due time.

Correct?

I've tried to understand how this works from
https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorpolicyfeaturesabi
but I failed so far. If there's other doc I should read, please point
me to it :)

Cheers,
--
intrigeri
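
The three cases listed in the message above (profile declares abi/4.x, declares abi/3.0, or declares no ABI) can be told apart mechanically before any parser run. The following Python sketch is an added example, not part of the original message or of AppArmor's tooling; the function names and the sample profiles are constructed, and it only reads the `abi` rule, it does not test whether a profile is compatible.

```python
import re

# Matches an abi rule at the start of a line, e.g.  abi <abi/4.0>,
# or the quoted-path form  abi "/etc/apparmor.d/abi/3.0",
# Anchoring at line start means a commented-out rule is not counted.
ABI_RULE = re.compile(r'^\s*abi\s+[<"]?([^>",\s]+)[>"]?\s*,', re.MULTILINE)
# A trailing "major.minor" in the ABI path, as in abi/3.0 or abi/4.0.
ABI_VERSION = re.compile(r'(\d+)\.(\d+)$')


def declared_abi(profile_text):
    """Return the ABI path a profile declares, or None if it declares none."""
    m = ABI_RULE.search(profile_text)
    return m.group(1) if m else None


def classify(profile_text):
    """Sort a profile into one of the cases listed in the message."""
    abi = declared_abi(profile_text)
    if abi is None:
        return "no-abi"
    v = ABI_VERSION.search(abi)
    if v is None:
        return "unknown-abi"      # e.g. a kernel-specific ABI file
    return "abi-%s.x" % v.group(1)


# Constructed sample profiles (not taken from any Debian package).
SAMPLES = {
    "declares-4": 'abi <abi/4.0>,\ninclude <tunables/global>\n'
                  'profile a /usr/bin/a {\n  include <abstractions/base>\n}\n',
    "declares-3": 'abi "/etc/apparmor.d/abi/3.0",\n'
                  'profile b /usr/bin/b {\n  /etc/b.conf r,\n}\n',
    "commented":  '# abi <abi/3.0>,\ninclude <tunables/global>\n'
                  'profile c /usr/bin/c {\n  /etc/c.conf r,\n}\n',
}


def summarize(samples):
    """Map each profile name to its ABI case."""
    return {name: classify(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, case in sorted(summarize(SAMPLES).items()):
        print(name, case)
```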