madaidan via Whonix Forum:
When updating (with the developer repository), I now get this message
Configuration file ‘/etc/apparmor.d/tunables/home.d/live-mode’
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer’s version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** live-mode (Y/I/N/O/D/Z) [default=N] ?
Similar to /etc/machine-id.
Didn’t happen to me. Probably happen because you modified the file locally before the upgrade.
 This prompt would still happen when upgrading in live-mode since then “Modified (by you or by a script) since installation.” is true.
Should not happen in persistent-mode since then package default config gets replaced with newer package default config.
We should probably figure out a way to skip this if possible.
Would be worth figuring out anyhow generally.  is a good enough reason to do so.
It’s happening because the file is placed in /etc, therefore considered a configuration file.
Root causes: Debian isn’t stateless. Doesn’t have clean separation of distribution shipped files and user generated/modified files. It’s not possible to simply wipe /etc and /var to be back at the same state as everyone else using the same version. See these two blog posts for more detail to see what I mean:
Other root causes:
- apparmor profiles aren’t in non-/etc. Apparmor profiles by packages in /usr or /lib (not sure) would not cause this issue. Then package default would be installed.
- original apparmor bug which makes this required in first place.
There is one approach (just an approach, not a solution).
Well, there is apt-get-noninteractive. See
In other words apt can pass option(s) to dpkg to make it run non-interactively. Question can be answered beforehand.
sudo apt-get -o Dpkg::Options::=--force-confnew
This (apt-get-noninteractive) works for most packages. Well, there are some non-free firmware packages which ask special questions which are non-trivial to cover (but covered in Whonix).
Could also be set through a dpkg option but that would apply to all packages always installing package version and deactivating (move to backup file
.dpkg-old (?) of locally modified configuration file version).
… might work. But not a great solution.
Other than that, I currently have no idea how to avoid this.