[pkg-apparmor] Bug#880078: Re: Bug#880078: apparmor: Bump pinned feature set to Linux 4.14's

Vincas Dargis vindrg at gmail.com
Mon Nov 13 17:33:33 UTC 2017


On 2017.11.12 19:14, intrigeri wrote:
> Rules that are not supported by the running kernel are ignored even if
> they're explicitly listed via the features-file setting. In other
> words, features-file caps the feature set, but it doesn't require the
> kernel to support all listed features.

Thanks, that's clear.

>> If there's a machine running RC7 and the `features-files=` line is
>> commented out, what does that state actually mean?
> 
> When no pinning is defined, the active feature set is the one of the
> running kernel. In this example, you would have all features from
> Linux 4.14-rc7 enabled. Note that I recommend using this combination
> (recent kernel + no pinning) only for people like us, who want to
> discover issues as early as possible, so we can fix them before they
> hit Debian users. Enthusiastic users are of course welcome to do the
> same if they wish to give a hand: they'll notice issues and report
> bugs that we would not notice in other environments (yeah, CI and all
> that).

OK, so we now have 4.14 released, and when it hits Sid we will still have the older feature set, and we can use that time to test bleeding-edge AppArmor features to catch any problematic denials, right?

What do you believe the deadline would be for enabling 4.14 features (removing the feature set limits / upgrading the feature set file)?

Is it possible that Buster could be released with the old feature set, or would you consider that a critical failure and revert apparmor-by-default?

There are quite a few profiles to check (and progress is rather slow on my part), although if feature set pinning is working fine on 4.14, we still have some time, I guess...?
