[apparmor] Which version for Debian 12 ("Bookworm")?
John Johansen
john.johansen at canonical.com
Tue Sep 27 08:19:40 UTC 2022
On 9/27/22 00:59, intrigeri wrote:
> Hi,
>
> Debian testing/sid currently has AppArmor 3.0.7.
>
> Debian testing will be frozen in February 2023,
> in preparation for the Debian 12 ("Bookworm")
> release.
>
> I'm wondering whether I should upload 3.1.x to Debian.
>
honestly, I wouldn't bother
> I see no release notes for 3.1.x on the website and it's hard for me
sadly I haven't had time to get to them, and neither has anyone else.
They will come because, like you said, digging into the git log is
not a great experience
> to make sense of the Git log, considering much of the changes were
> also merged into 3.0.x.
>
yes many of the bug fixes have been landed in 3.0.x, it does have
some feature development but I wouldn't call it a major release in
that sense.
The goal was to release a large release this fall. Unfortunately
there just hasn't been time and the decision was made to release 3.1
with all the bug fixes plus a few new features.
> I understand Ubuntu decided *not* to upgrade to 3.1.x in their
> upcoming release (Kinetic, 22.10), but instead backport some of the
> 3.1.x changes to 3.0.x.
>
correct, unfortunately the FFe process has just taken too long and
no one has had time to land it
> I guess my question really is:
>
> - What are the major benefits of upgrading to 3.1.x?
primarily some improvements in genprof/logprof
>
> - When can we expect the 3.1.x series to be stable and polished
> enough to deserve being included in a LTS distro release?
>
with it not landing in 22.10, I don't know that it will. We
plan to land 4.0 in 23.04. That will have some larger features
to call.
- support for the new extended permissions
- support for namespace mediation
- support for fine-grained POSIX (and hopefully Sys V) mediation
- support for policy overlays
- support for config overlays
- improvements to aa-status
- support for prefixes on parsing
- support for text policy in kernel
- support for zstd compression
- possibly support for a new ioctl query interface which would halve the kernel part of the overhead for dbus mediation
- possibly support for boolean rule operations
- possibly support for some inheritance syntax
- support for user conditional
- support for change_profile with return
and well, there is possibly more. So when will it land? Hopefully in December; whether it will be ready (stable enough) for Bookworm in February is an open question. But my guess is its actual release will be pushed into late January, as there are some things we must land for it, and so likely not.