Until now I have maintained a strict policy for upgrades in the Whonix stable apt repository:
only fix grave usability bugs, such as the Tor Browser 4.x compatibility fix,
and of course also plan to ship security fixes should issues be reported.
This is similar to Debian stable.
The reason is, should I also add other upgrades before a major version and through testing, an upgrade could create a mess for everyone. Not as in security, but as in broken dependencies, the upgrader and such stuff. To prevent such a worst case, this policy is in place.
I am considering making an exception for packages that are not installed by default where the gain would be huge: the Whonix AppArmor profiles. (https://github.com/Whonix?query=apparmor-profile-)
I agree. They seem to be undergoing substantial improvement all the time, which I want to take advantage of much sooner than the next major release. Also, the TBB changes and the breakage they cause to AppArmor profiles warrant a more dynamic release cycle for the AppArmor packages IMO.