[pkg-apparmor] Bug#1127710: thunderbird: apparmor profile prevents launching thunderbird with gdk-pixbuf >= 2.44.5

Carsten Schoenert c.schoenert at t-online.de
Sun Feb 22 05:08:26 GMT 2026


Hi intrigeri,

Sorry for answering late, but I'm busy with ongoing business trips.

On 16.02.26 at 13:09, intrigeri wrote:
> Hi Carsten,
> 
> Carsten Schoenert (2026-02-14):
>>> Feb 14 14:20:19 debian kernel: audit: type=1400 audit(1771096819.060:2399): apparmor="DENIED" operation="exec" class="file" profile="thunderbird" name="/usr/lib/thunderbird/glxtest" pid=11876 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
>>
>> You might need to add something similar to this within the profile.
>>
>>> /usr/lib/thunderbird/glxtest ixr,
>>
>> glxtest has been needed for some versions for Thunderbird to be able to start.
> 
> Yup.
> 
> I've been trying since November 2024 to upstream Tails' updates, such
> as this one, to the AppArmor profile:
> https://gitlab.com/apparmor/apparmor-profiles/-/merge_requests/61

Ohh, that's a long time, and there are some more modifications needed or 
useful for the profile, I thought. But I never used AppArmor in Debian 
in a serious way.

> A few weeks ago, I sent a last call for collaboration there.
> No reply so far.

A problem that a lot of projects have, and that I am experiencing too while 
working on some Python packages in Debian: projects are not fully dead 
but have faded away because previously active members and decision makers 
have given up or moved away from the project, or are just unresponsive.

It's hard to deal with this because it contradicts the principle of 
pushing changes upstream first.

> So, my next step, as announced on that MR a while ago, is to remove
> the AppArmor profile from the Debian package in sid: without
> a collaborative effort upstream, there's no good way for me to keep
> maintaining it for Debian, with an amount of effort that I can
> justify. Given the profile is so widely open and disabled by default,
> that's not the end of the world. Not all experiments succeed, it's OK.
> 
> Thoughts?

I'm totally fine with this decision!
Sometimes it's better to accept that a "fight" is lost before losing 
even more energy and time while trying to keep a fragile situation.

I read about your intention to let the AppArmor chapter in Debian end 
a while ago. If all this is not fun enough while working on 
it, it's better to let it go; my interests in what to work on have also 
shifted in the past years. At the moment my time is too limited to work well 
enough on in-time updates for the TB package, so Christoph has stepped up 
to do this for a while now.

> If this works for you, I'll prepare a MR.
> 
> Thanks a lot for your patience so far,

You are welcome! Christoph and I are happy to merge your suggested 
upstream modifications of the AppArmor profile into the current 
packaging of Thunderbird!

-- 
Regards
Carsten
