Hi, On Tue, Dec 26, 2017 at 12:23:28PM +0100, Carsten Schoenert wrote: > Hello Guido and intrigeri, > > On Mon, Dec 25, 2017 at 11:34:08AM +0100, Guido Günther wrote: > > > Since we want to establish a lower bound for fixed versions (those that > > ship the symlink) it's probably better written as: > > > > > > if test -n "$2" && dpkg --compare-versions "$2" gt "1:52.5.0-1~"; > > then > > : # Leave the disable/ symlink at users choice if > > # upgrading from a version that ships the symlink > > else > > mkdir -p /etc/apparmor.d/disable > > ln -s /etc/apparmor.d/usr.bin.thunderbird > > /etc/apparmor.d/disable/usr.bin.thunderbird > > fi > > > > It looks odd but this way it also works for backports to stable (which > > are frequent) without having to modify the postinst. > > I've done some tests with Guido suggestion. > The possible update constellations working so far within my tests. > > Update from 52.4.0 to 52.5.2: > The new package install the link to disable the AA profile. > > Update from 52.4.0 with already disabled AA profile: > The new version holds the disabled AA profile, I just need to do a 'ln > -sf' to prevent a exit code 1 if the symlink is already existing.
Ah, good catch. I'd rather do a [ -f /etc/apparmor.d/disable/usr.bin.thunderbird ] || ln -s /etc/apparmor.d/usr.bin.thunderbird /etc/apparmor.d/disable/usr.bin.thunderbird in this case since the user might have the symlink point somewhere else for whatever reason. I think we don't want to overwrite that if he made a deliberate choice. > > Anything I'm still missing? Did you test reinstalling 52.5.2 on top of 52.5.2 with removed link. It shouldn't be recreated in this case (and if it works for this version it will work for all later versions). Cheers, -- Guido
