Hi,
On Mon, Dec 25, 2017 at 08:55:34AM +0100, [email protected] wrote:
> Package: thunderbird
> Version: 1:52.5.2-1
> Severity: serious
> X-Debbugs-Cc: Simon Deziel <[email protected]>, Guido Günther
> <[email protected]>
>
> Hi,
>
> I've upgraded thunderbird from 1:52.5.0-1 to 1:52.5.2-1 in my test sid
> VM after double-checking that
> /etc/apparmor.d/disable/usr.bin.thunderbird existed and the profile
> was not loaded.
>
> The upgrade removed /etc/apparmor.d/disable/usr.bin.thunderbird
> (because it's not shipped as a file owned by the package anymore) and
> thus loaded the profile in enforced mode. I think this is not what was
> intended with commit 8c57218.
>
> I'm setting RC severity because enabling the AppArmor profile breaks
> too much functionality, which is why we've decided to disable it
> by default.
>
> postinst got this added in 1:52.5.2-1:
>
> # Disable apparmor on new installations and when we're upgrading from
> # a version that had it enabled by default
> if test -z "$2" || dpkg --compare-versions "$2" le "1:52.5.0-1~"; then
>     mkdir -p /etc/apparmor.d/disable
>     ln -s /etc/apparmor.d/usr.bin.thunderbird /etc/apparmor.d/disable/usr.bin.thunderbird
> fi
>
> The buggy behavior I'm reporting is caused by:
>
> $ dpkg --compare-versions "1:52.5.0-1" le "1:52.5.0-1~"
> $ echo $?
> 1
Since we want to establish a lower bound for fixed versions (those that
ship the symlink) it's probably better written as:

  if test -n "$2" && dpkg --compare-versions "$2" gt "1:52.5.0-1~"; then
      : # Leave the disable/ symlink at user's choice if
        # upgrading from a version that ships the symlink
  else
      mkdir -p /etc/apparmor.d/disable
      ln -s /etc/apparmor.d/usr.bin.thunderbird /etc/apparmor.d/disable/usr.bin.thunderbird
  fi

It looks odd but this way it also works for backports to stable (which
are frequent) without having to modify the postinst.
Cheers
-- Guido