Debian Bug report logs - #882697
stretch-pu: package apparmor/2.11.0-3+deb9u2

version graph

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: intrigeri <intrigeri@debian.org>

Date: Sat, 25 Nov 2017 19:45:01 UTC

Severity: normal

Tags: confirmed, stretch

Fixed in version 9.4

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Sat, 25 Nov 2017 19:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 25 Nov 2017 19:45:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: stretch-pu: package apparmor/2.11.0-3+deb9u1
Date: Sat, 25 Nov 2017 20:42:30 +0100
[Message part 1 (text/plain, inline)]
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

this update avoids breakage for Stretch users who have enabled AppArmor and run
Linux 4.14+ (e.g. from backports once it's there), by pinning the AppArmor
feature set in the kernel to the Stretch kernel's feature set, i.e. the feature
set the AppArmor policy shipped in Stretch supports (it's not ready to deal with
new AppArmor mediation features brought in recent kernels).

We already have exactly the same thing in current testing/sid, albeit with Linux
4.13's feature set for now.

Cheers!
[apparmor_2.11.0-3+deb9u1.debdiff (text/plain, attachment)]

Added indication that bug 882697 blocks 879585 Request was from intrigeri <intrigeri@debian.org> to control@bugs.debian.org. (Sat, 25 Nov 2017 20:00:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Sat, 02 Dec 2017 11:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 02 Dec 2017 11:09:05 GMT) (full text, mbox, link).


Message #12 received at 882697@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: intrigeri <intrigeri@debian.org>, 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Date: Sat, 02 Dec 2017 11:06:38 +0000
Control: tags -1 + confirmed

On Sat, 2017-11-25 at 20:42 +0100, intrigeri wrote:
> this update avoids breakage for Stretch users who have enabled
> AppArmor and run
> Linux 4.14+ (e.g. from backports once it's there), by pinning the
> AppArmor
> feature set in the kernel to the Stretch kernel's feature set, i.e.
> the feature
> set the AppArmor policy shipped in Stretch supports (it's not ready
> to deal with
> new AppArmor mediation features brought in recent kernels).
> 
> We already have exactly the same thing in current testing/sid, albeit
> with Linux
> 4.13's feature set for now.
> 

Please go ahead, bearing in mind that the window for getting fixes into
the 9.3 point release closes during this weekend.

Regards,

Adam



Added tag(s) confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 882697-submit@bugs.debian.org. (Sat, 02 Dec 2017 11:09:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Sat, 02 Dec 2017 13:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 02 Dec 2017 13:39:03 GMT) (full text, mbox, link).


Message #19 received at 882697@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>
To: 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Date: Sat, 02 Dec 2017 14:37:32 +0100
Adam D. Barratt:
> Please go ahead, bearing in mind that the window for getting fixes into
> the 9.3 point release closes during this weekend.

Thanks, uploaded.

Cheers,
-- 
intrigeri



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Sat, 02 Dec 2017 19:24:08 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 02 Dec 2017 19:24:08 GMT) (full text, mbox, link).


Message #24 received at 882697@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: intrigeri <intrigeri@debian.org>, 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Date: Sat, 02 Dec 2017 19:21:59 +0000
Control: tags -1 + pending

On Sat, 2017-12-02 at 14:37 +0100, intrigeri wrote:
> Adam D. Barratt:
> > Please go ahead, bearing in mind that the window for getting fixes
> > into
> > the 9.3 point release closes during this weekend.
> 
> Thanks, uploaded.
> 

Flagged for acceptance.

Regards,

Adam



Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 882697-submit@bugs.debian.org. (Sat, 02 Dec 2017 19:24:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Wed, 06 Dec 2017 13:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Fabian Grünbichler <f.gruenbichler@proxmox.com>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 06 Dec 2017 13:33:03 GMT) (full text, mbox, link).


Message #31 received at 882697@bugs.debian.org (full text, mbox, reply):

From: Fabian Grünbichler <f.gruenbichler@proxmox.com>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: intrigeri <intrigeri@debian.org>, 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Date: Wed, 6 Dec 2017 14:31:25 +0100
On Sat, Dec 02, 2017 at 07:21:59PM +0000, Adam D. Barratt wrote:
> Control: tags -1 + pending
> 
> On Sat, 2017-12-02 at 14:37 +0100, intrigeri wrote:
> > Adam D. Barratt:
> > > Please go ahead, bearing in mind that the window for getting fixes
> > > into
> > > the 9.3 point release closes during this weekend.
> > 
> > Thanks, uploaded.
> > 
> 
> Flagged for acceptance.
> 
> Regards,
> 
> Adam
> 

please see #879585 / #882697 for potential fallout caused by this
update.

TL;DR: while pinning the features prevents breakage for people using
AA who install a more recent kernel from backports, it potentially
breaks systems using a custom/backports/newer kernel and AA profiles
requiring features not supported by the pinned 4.9 feature set. since
both the AA config file itself and the feature set file are conffiles,
overriding is not easily possible without conffile modification.

we (a Debian derived hypervisor distribution) are using Debian Stretch
as base, but ship a more recent 4.13-based kernel with full AA support
and LXC with matching AA profiles. pinning the features to those offered
by Stretch's 4.9 kernel would break all user installations using LXC,
and we (as a distribution) could only override this pinning by shipping
our own apparmor packages (which we would like to avoid if possible).

I'll of course defer to intrigeri and the release team on whether to go
ahead as-is, include the patch to allow easier overriding or postpone
the apparmor stable update until the next cycle to allow for further
discussion.

thanks for your time and consideration!




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Wed, 06 Dec 2017 14:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 06 Dec 2017 14:33:02 GMT) (full text, mbox, link).


Message #36 received at 882697@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>
To: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Cc: 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Date: Wed, 06 Dec 2017 15:28:03 +0100
Hi,

I'll first clarify because it seems to me you're using the same word
with very different meanings in a comparison:

Fabian Grünbichler:
> TL;DR: while pinning the features prevents breakage for people using
> AA who install a more recent kernel from backports,

In this case, "breakage" == application stops working after installing
a newer kernel.

> it potentially breaks systems using a custom/backports/newer kernel
> and AA profiles requiring features not supported by the pinned 4.9
> feature set.

In this case, "breaks" == the AppArmor confinement becomes weaker,
but the application keeps working.

> since
> both the AA config file itself and the feature set file are conffiles,
> overriding is not easily possible without conffile modification.

Right. Sorry I did not think about this Debian derivative use case.

> I'll of course defer to intrigeri and the release team on whether to go
> ahead as-is, include the patch to allow easier overriding or postpone
> the apparmor stable update until the next cycle to allow for further
> discussion.

I slightly prefer fixing ASAP a non-default use case I want to support
in Debian (that's what we did in s-p-u already), even if it makes
a derivative's life slightly harder temporarily when using an much
more non-default configuration. I would understand if the release team
prefers to delay this update to a future point release though.

But I can live with both approaches. The vast majority of Stretch
users are not affected by either of the problems described
above anyway.

Cheers,
-- 
intrigeri



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Wed, 06 Dec 2017 14:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Fabian Grünbichler <f.gruenbichler@proxmox.com>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 06 Dec 2017 14:57:04 GMT) (full text, mbox, link).


Message #41 received at 882697@bugs.debian.org (full text, mbox, reply):

From: Fabian Grünbichler <f.gruenbichler@proxmox.com>
To: intrigeri <intrigeri@debian.org>
Cc: 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Date: Wed, 6 Dec 2017 15:53:52 +0100
On Wed, Dec 06, 2017 at 03:28:03PM +0100, intrigeri wrote:
> Hi,
> 
> I'll first clarify because it seems to me you're using the same word
> with very different meanings in a comparison:
> 
> Fabian Grünbichler:
> > TL;DR: while pinning the features prevents breakage for people using
> > AA who install a more recent kernel from backports,
> 
> In this case, "breakage" == application stops working after installing
> a newer kernel.
> 
> > it potentially breaks systems using a custom/backports/newer kernel
> > and AA profiles requiring features not supported by the pinned 4.9
> > feature set.
> 
> In this case, "breaks" == the AppArmor confinement becomes weaker,
> but the application keeps working.

not the case for all scenarios unfortunately. LXC containers using the
upstream profiles (and a kernel supporting the needed features) don't
start anymore:

apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=21550 comm="lxc-start" flags="rw, rslave"

the profile[1] contains:

mount options=(rw, make-slave) -> **,
mount options=(rw, make-rslave) -> **,

the same profile and container worked fine without feature pinning. this
is not specific to certain container configurations either AFAICT.

> 
> > since
> > both the AA config file itself and the feature set file are conffiles,
> > overriding is not easily possible without conffile modification.
> 
> Right. Sorry I did not think about this Debian derivative use case.
> 

while it is sometimes cumbersome to work around such issues, it is
understandable to not have them on one's radar, especially if the
upstream software does not provide an easy way to extend configuration
files.

> > I'll of course defer to intrigeri and the release team on whether to go
> > ahead as-is, include the patch to allow easier overriding or postpone
> > the apparmor stable update until the next cycle to allow for further
> > discussion.
> 
> I slightly prefer fixing ASAP a non-default use case I want to support
> in Debian (that's what we did in s-p-u already), even if it makes
> a derivative's life slightly harder temporarily when using an much
> more non-default configuration. I would understand if the release team
> prefers to delay this update to a future point release though.
> 

obviously with my downstream hat on, I'd strongly prefer not having to
carry apparmor packages for the remainder of Stretch ;) but if necessary
we will take this route, and work together with upstream and you to get
more easily overridden apparmor config including feature pinning in time
for Buster, hopefully eliminating the need for forked apparmor packages.

> But I can live with both approaches. The vast majority of Stretch
> users are not affected by either of the problems described
> above anyway.

I am glad we noticed it before the point release went live!

1: https://github.com/lxc/lxc/blob/d680929bbc07e399ceaf8954c2059bd788905fc7/config/apparmor/abstractions/start-container




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Wed, 06 Dec 2017 17:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 06 Dec 2017 17:57:05 GMT) (full text, mbox, link).


Message #46 received at 882697@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>
To: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Cc: 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Date: Wed, 06 Dec 2017 18:54:15 +0100
Hi again Fabian & release team,

Fabian Grünbichler:
> On Wed, Dec 06, 2017 at 03:28:03PM +0100, intrigeri wrote:
>> > it potentially breaks systems using a custom/backports/newer kernel
>> > and AA profiles requiring features not supported by the pinned 4.9
>> > feature set.
>> 
>> In this case, "breaks" == the AppArmor confinement becomes weaker,
>> but the application keeps working.

> not the case for all scenarios unfortunately. LXC containers using the
> upstream profiles (and a kernel supporting the needed features) don't
> start anymore:

> apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=21550 comm="lxc-start" flags="rw, rslave"

Wow, Assuming you're indeed running with the 4.9 feature set I've
uploaded, that's definitely a bug: the 4.9 feature set is supposed to
fully disable mount mediation, so a mount denial should never happen.
At first glance this very much looks like a bug in the custom kernel
you're using.

If you can reproduce this with a pristine 4.13 or 4.14 Debian kernel,
then I'm very sorry and I agree we should revert this s-p-u until this
kernel bug is fixed in mainline; I'll gladly help you report this bug
upstream. If, however, you can't reproduce this bug with a Debian
kernel, well, then it's a bug in the kernel patches you've applied and
I think we should leave s-p-u as-is.

Possibly helpful: can you please share the content of
/etc/apparmor.d/cache/.features on the system that exposes
this problem?

Cheers,
-- 
intrigeri



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Wed, 06 Dec 2017 18:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 06 Dec 2017 18:15:03 GMT) (full text, mbox, link).


Message #51 received at 882697@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>
To: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Cc: 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Date: Wed, 06 Dec 2017 19:13:11 +0100
intrigeri:
> At first glance this very much looks like a bug in the custom kernel
> you're using.

According to #883703 this bug affects the mainline Linux kernel as
well so this stretch-pu may break as many use cases at it'll repair
when running Linux 4.13+ on Stretch :/

Dear release team, how can we revert this s-p-u? Should I upload
2.11.0-3+deb9u2 that reverts to what we had in 2.11.0-3?

I'm very sorry for the mess.

Cheers,
-- 
intrigeri



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Wed, 06 Dec 2017 21:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 06 Dec 2017 21:06:03 GMT) (full text, mbox, link).


Message #56 received at 882697@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: intrigeri <intrigeri@debian.org>, 882697@bugs.debian.org, Fabian Grünbichler <f.gruenbichler@proxmox.com>
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Date: Wed, 06 Dec 2017 21:03:44 +0000
On Wed, 2017-12-06 at 19:13 +0100, intrigeri wrote:
> intrigeri:
> > At first glance this very much looks like a bug in the custom
> > kernel
> > you're using.
> 
> According to #883703 this bug affects the mainline Linux kernel as
> well so this stretch-pu may break as many use cases at it'll repair
> when running Linux 4.13+ on Stretch :/
> 
> Dear release team, how can we revert this s-p-u? Should I upload
> 2.11.0-3+deb9u2 that reverts to what we had in 2.11.0-3?

I don't think there's a particular need for that currently (and it
wouldn't get accepted until after the point release anyway). We'll ask
ftp-master not to include the package during the point release at the
weekend and in the meantime affected users still have the possibility
to downgrade the package to its current stable version.

Regards,

Adam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Sun, 07 Jan 2018 11:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 07 Jan 2018 11:27:04 GMT) (full text, mbox, link).


Message #61 received at 882697@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>
To: 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Date: Sun, 07 Jan 2018 12:23:40 +0100
Control: tag -1 + moreinfo

The issue in Linux 4.14 with feature set pinning vs. mount operations
was not fixed yet so the 2.11.0-3+deb9u1 package that was accepted in
the proposed-updates stable queue is not suitable for Stretch
currently ⇒ dear release team, feel free to reject or delete it if it
helps you ensure it does not land in the next point release.

Also, after some discussion with Fabian the proposed change was
re-implemented slightly differently in testing/sid; I want to do the
same for the Stretch proposed update ⇒ tagging "moreinfo".

I'm not sure if I should remove the "confirmed" and/or "pending" tag
so in doubt I'll leave it to you to do the right thing.

Cheers,
-- 
intrigeri



Added tag(s) moreinfo. Request was from intrigeri <intrigeri@debian.org> to 882697-submit@bugs.debian.org. (Sun, 07 Jan 2018 11:27:04 GMT) (full text, mbox, link).


Removed tag(s) pending and confirmed. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Sat, 13 Jan 2018 16:36:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Mon, 19 Feb 2018 14:00:10 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 19 Feb 2018 14:00:10 GMT) (full text, mbox, link).


Message #70 received at 882697@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: intrigeri <intrigeri@debian.org>, 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Date: Mon, 19 Feb 2018 13:56:35 +0000
On 2018-01-07 11:23, intrigeri wrote:
> Control: tag -1 + moreinfo
> 
> The issue in Linux 4.14 with feature set pinning vs. mount operations
> was not fixed yet so the 2.11.0-3+deb9u1 package that was accepted in
> the proposed-updates stable queue is not suitable for Stretch
> currently ⇒ dear release team, feel free to reject or delete it if it
> helps you ensure it does not land in the next point release.
> 
> Also, after some discussion with Fabian the proposed change was
> re-implemented slightly differently in testing/sid; I want to do the
> same for the Stretch proposed update ⇒ tagging "moreinfo".

Any news on this? We're likely to be looking at freezing p-u for the 
next point release in a couple of weeks time.

Regards,

Adam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Mon, 19 Feb 2018 17:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 19 Feb 2018 17:09:05 GMT) (full text, mbox, link).


Message #75 received at 882697@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>
To: 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Date: Mon, 19 Feb 2018 18:04:38 +0100
Hi Adam & other release managers,

Adam D. Barratt:
> Any news on this?

Yes: the main blocker (in src:linux) has been fixed a few weeks ago
so it's now feasible to make progress on the src:apparmor side.
The next steps are tracked on #879585 that I've kept up-to-date.

> We're likely to be looking at freezing p-u for the next point
> release in a couple of weeks time.

I've been following the Stretch 9.4 scheduling thread with this in
mind. My current plan is to prepare an updated stable p-u around
February 24-25.

Thanks for the ping! :)

Cheers,
-- 
intrigeri



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Sun, 25 Feb 2018 12:06:04 GMT) (full text, mbox, link).


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 25 Feb 2018 12:06:04 GMT) (full text, mbox, link).


Message #80 received at 882697@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>
To: 882697@bugs.debian.org
Subject: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Date: Sun, 25 Feb 2018 13:01:49 +0100
[Message part 1 (text/plain, inline)]
Control: tag -1 - moreinfo
Control: retitle -1 stretch-pu: package apparmor/2.11.0-3+deb9u2

Hi,

here's the updated debdiff; I've bumped the version in order to
avoid confusion.

This will now work fine except for Linux 4.14 to 4.14.12 that have the
bug which prevented us from including apparmor 2.11.0-3+deb9u1 in the
previous point release. The kernel fix has been in sid since
2018-01-15, in stretch-backports since 2018-01-16, and in testing
since 2018-01-20. So IMO the benefit (repairing stuff for Stretch
users running an up-to-date backported kernel) is worth the risk
(breaking stuff for Stretch users running an outdated Linux 4.14.x).

May I upload (with s/UNRELEASED/stretch/ of course)?

Cheers,
-- 
intrigeri

[apparmor_2.11.0-3+deb9u2.debdiff (text/x-diff, attachment)]

Removed tag(s) moreinfo. Request was from intrigeri <intrigeri@debian.org> to 882697-submit@bugs.debian.org. (Sun, 25 Feb 2018 12:06:04 GMT) (full text, mbox, link).


Changed Bug title to 'stretch-pu: package apparmor/2.11.0-3+deb9u2' from 'stretch-pu: package apparmor/2.11.0-3+deb9u1'. Request was from intrigeri <intrigeri@debian.org> to 882697-submit@bugs.debian.org. (Sun, 25 Feb 2018 12:06:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Mon, 26 Feb 2018 19:51:14 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 26 Feb 2018 19:51:14 GMT) (full text, mbox, link).


Message #89 received at 882697@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: intrigeri <intrigeri@debian.org>, 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Date: Mon, 26 Feb 2018 19:50:40 +0000
On Sun, 2018-02-25 at 13:01 +0100, intrigeri wrote:
> here's the updated debdiff; I've bumped the version in order to
> avoid confusion.

Well you can't upload another +deb9u1 as that version is already in the
archive, so it's required in any case.

> This will now work fine except for Linux 4.14 to 4.14.12 that have
> the
> bug which prevented us from including apparmor 2.11.0-3+deb9u1 in the
> previous point release. The kernel fix has been in sid since
> 2018-01-15, in stretch-backports since 2018-01-16, and in testing
> since 2018-01-20. So IMO the benefit (repairing stuff for Stretch
> users running an up-to-date backported kernel) is worth the risk
> (breaking stuff for Stretch users running an outdated Linux 4.14.x).
> 
> May I upload (with s/UNRELEASED/stretch/ of course)?

What's the difference between this and +deb9u1? Is it simply this
change:

-++features-file=/etc/apparmor/features
+++features-file=/usr/share/apparmor-features/features

and the equivalent in debian/install?

The changelog going from -3 to -3+deb9u2 is confusing, particularly
given that +deb9u1 has been available to users of proposed-updates for
some time. If the above is correct, please keep the previous changelog
stanza for +deb9u1 as-is and add a new entry for +deb9u2 describing the
path change.

Regards,

Adam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Tue, 27 Feb 2018 07:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 27 Feb 2018 07:51:04 GMT) (full text, mbox, link).


Message #94 received at 882697@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>
To: 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Date: Tue, 27 Feb 2018 08:47:53 +0100
[Message part 1 (text/plain, inline)]
Hi,

Adam D. Barratt:
> What's the difference between this and +deb9u1? Is it simply this
> change:

> -++features-file=/etc/apparmor/features
> +++features-file=/usr/share/apparmor-features/features

> and the equivalent in debian/install?

Yes (modulo the timing matter regarding the Linux 4.14.x bug, which
was the only reason why +deb9u1 could not make it into a stable
release last time).

> The changelog going from -3 to -3+deb9u2 is confusing, particularly
> given that +deb9u1 has been available to users of proposed-updates for
> some time. If the above is correct, please keep the previous changelog
> stanza for +deb9u1 as-is and add a new entry for +deb9u2 describing the
> path change.

Done and accordingly adjusted the maintainer scripts to remove
the old (now obsolete) /etc/apparmor/features conffile from systems
that had +deb9u1 installed.

I'm attaching 2 updated debdiffs: one from the version in Stretch and
the other one from the version that's already in stable p-u.

Cheers,
-- 
intrigeri

[apparmor_2.11.0-3_to_2.11.0-3+deb9u2.debdiff (text/x-diff, attachment)]
[apparmor_2.11.0-3+deb9u1_to_2.11.0-3+deb9u2.debdiff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Tue, 27 Feb 2018 08:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 27 Feb 2018 08:21:04 GMT) (full text, mbox, link).


Message #99 received at 882697@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: intrigeri <intrigeri@debian.org>, 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Date: Tue, 27 Feb 2018 08:16:15 +0000
Control: tags -1 + confirmed

On 2018-02-27 7:47, intrigeri wrote:
> Hi,
> 
> Adam D. Barratt:
>> What's the difference between this and +deb9u1? Is it simply this
>> change:
> 
>> -++features-file=/etc/apparmor/features
>> +++features-file=/usr/share/apparmor-features/features
> 
>> and the equivalent in debian/install?
> 
> Yes (modulo the timing matter regarding the Linux 4.14.x bug, which
> was the only reason why +deb9u1 could not make it into a stable
> release last time).
> 
>> The changelog going from -3 to -3+deb9u2 is confusing, particularly
>> given that +deb9u1 has been available to users of proposed-updates for
>> some time. If the above is correct, please keep the previous changelog
>> stanza for +deb9u1 as-is and add a new entry for +deb9u2 describing 
>> the
>> path change.
> 
> Done and accordingly adjusted the maintainer scripts to remove
> the old (now obsolete) /etc/apparmor/features conffile from systems
> that had +deb9u1 installed.

Thanks.

Please feel free to upload.

Regards,

Adam



Added tag(s) confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 882697-submit@bugs.debian.org. (Tue, 27 Feb 2018 08:21:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Tue, 27 Feb 2018 11:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 27 Feb 2018 11:27:05 GMT) (full text, mbox, link).


Message #106 received at 882697@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>
To: 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Date: Tue, 27 Feb 2018 12:22:59 +0100
Adam D. Barratt:
> Please feel free to upload.

Uploaded, thanks.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#882697; Package release.debian.org. (Fri, 02 Mar 2018 22:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 02 Mar 2018 22:39:03 GMT) (full text, mbox, link).


Message #111 received at 882697@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: intrigeri <intrigeri@debian.org>, 882697@bugs.debian.org
Subject: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Date: Fri, 02 Mar 2018 22:36:23 +0000
Control: tags -1 + pending

On Tue, 2018-02-27 at 12:22 +0100, intrigeri wrote:
> Adam D. Barratt:
> > Please feel free to upload.
> 
> Uploaded, thanks.
> 
> 
Flagged for acceptance.

Regards,

Adam



Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 882697-submit@bugs.debian.org. (Fri, 02 Mar 2018 22:39:03 GMT) (full text, mbox, link).


Reply sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
You have taken responsibility. (Sat, 10 Mar 2018 11:03:14 GMT) (full text, mbox, link).


Notification sent to intrigeri <intrigeri@debian.org>:
Bug acknowledged by developer. (Sat, 10 Mar 2018 11:03:14 GMT) (full text, mbox, link).


Message #118 received at 882697-done@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: 877593-done@bugs.debian.org, 877934-done@bugs.debian.org, 882158-done@bugs.debian.org, 882434-done@bugs.debian.org, 882697-done@bugs.debian.org, 882773-done@bugs.debian.org, 882813-done@bugs.debian.org, 882815-done@bugs.debian.org, 882819-done@bugs.debian.org, 882821-done@bugs.debian.org, 882822-done@bugs.debian.org, 882826-done@bugs.debian.org, 882827-done@bugs.debian.org, 883066-done@bugs.debian.org, 883124-done@bugs.debian.org, 883483-done@bugs.debian.org, 883952-done@bugs.debian.org, 883959-done@bugs.debian.org, 883963-done@bugs.debian.org, 884111-done@bugs.debian.org, 884451-done@bugs.debian.org, 884452-done@bugs.debian.org, 884483-done@bugs.debian.org, 884606-done@bugs.debian.org, 884711-done@bugs.debian.org, 885027-done@bugs.debian.org, 885086-done@bugs.debian.org, 885184-done@bugs.debian.org, 885531-done@bugs.debian.org, 885582-done@bugs.debian.org, 886380-done@bugs.debian.org, 886482-done@bugs.debian.org, 886589-done@bugs.debian.org, 886593-done@bugs.debian.org, 886636-done@bugs.debian.org, 886877-done@bugs.debian.org, 887311-done@bugs.debian.org, 887352-done@bugs.debian.org, 887359-done@bugs.debian.org, 887589-done@bugs.debian.org, 887855-done@bugs.debian.org, 887999-done@bugs.debian.org, 888006-done@bugs.debian.org, 888488-done@bugs.debian.org, 888552-done@bugs.debian.org, 888731-done@bugs.debian.org, 888802-done@bugs.debian.org, 888958-done@bugs.debian.org, 889001-done@bugs.debian.org, 889279-done@bugs.debian.org, 889317-done@bugs.debian.org, 889622-done@bugs.debian.org, 889728-done@bugs.debian.org, 889983-done@bugs.debian.org, 890105-done@bugs.debian.org, 890189-done@bugs.debian.org, 890470-done@bugs.debian.org, 890506-done@bugs.debian.org, 890860-done@bugs.debian.org, 891053-done@bugs.debian.org, 891142-done@bugs.debian.org, 891277-done@bugs.debian.org, 891285-done@bugs.debian.org, 891419-done@bugs.debian.org, 891421-done@bugs.debian.org, 891423-done@bugs.debian.org, 891426-done@bugs.debian.org, 891464-done@bugs.debian.org, 891484-done@bugs.debian.org, 891503-done@bugs.debian.org, 891577-done@bugs.debian.org, 891807-done@bugs.debian.org, 891829-done@bugs.debian.org, 891854-done@bugs.debian.org, 891900-done@bugs.debian.org, 891918-done@bugs.debian.org, 891972-done@bugs.debian.org, 886771-done@bugs.debian.org, 891585-done@bugs.debian.org
Subject: Closing bugs for updates included in 9.4
Date: Sat, 10 Mar 2018 10:57:46 +0000
Version: 9.4

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Apr 2018 07:37:51 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Mar 29 01:11:38 2021; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.