On Sat, Dec 02, 2017 at 07:21:59PM +0000, Adam D. Barratt wrote:
> Control: tags -1 + pending
>
> On Sat, 2017-12-02 at 14:37 +0100, intrigeri wrote:
> > Adam D. Barratt:
> > > Please go ahead, bearing in mind that the window for getting fixes
> > > into the 9.3 point release closes during this weekend.
> >
> > Thanks, uploaded.
> >
>
> Flagged for acceptance.
>
> Regards,
>
> Adam
>

please see #879585 / #882697 for potential fallout caused by this update.

TL;DR: while pinning the features prevents breakage for people using AA who install a more recent kernel from backports, it potentially breaks systems using a custom/backports/newer kernel and AA profiles requiring features not supported by the pinned 4.9 feature set. since both the AA config file itself and the feature set file are conffiles, overriding is not easily possible without conffile modification.

we (a Debian-derived hypervisor distribution) are using Debian Stretch as base, but ship a more recent 4.13-based kernel with full AA support and LXC with matching AA profiles. pinning the features to those offered by Stretch's 4.9 kernel would break all user installations using LXC, and we (as a distribution) could only override this pinning by shipping our own apparmor packages (which we would like to avoid if possible).

I'll of course defer to intrigeri and the release team on whether to go ahead as-is, include the patch to allow easier overriding or postpone the apparmor stable update until the next cycle to allow for further discussion.

thanks for your time and consideration!