New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/30142#issuecomment-817280088

Comment:
I think this is a bigger problem that requires a better solution. apparmor's upstream often fixes their profiles[1] when new versions of software require new permissions, but void ships profiles from the last apparmor release which are often broken by the time a new release comes out.

The simplest solution right now I can think of would involve creating a new package with apparmor profiles which would track upstream's master. The best solution may be to create a new void-apparmor git repository which would track new versions of software in void[2], because there are often some void specific permissions. This would also allow us to have profiles for more packages than what upstream provides, but this will require dedicating some time to it.

> We can add rules to /etc/apparmor.d/local/ if touching the main profile rule is not ideal

@FollieHiyuki I think `/etc/apparmor.d/local/` is meant for user customizations, so distributions shouldn't touch that if not necessary (for example nvidia graphics cards may require different permissions than intel or amd).

[[1] many commits to apparmor profiles since the last release 4 months ago](https://gitlab.com/apparmor/apparmor/-/commits/master/profiles/apparmor.d)

[[2] Apparmor profile plumbing issue](https://github.com/void-linux/void-infrastructure/issues/82)