Bug#252194: libgnomevfs2-common has too many Depends that should be Suggests

Jakob Bohm <jbj@image.dk>, 252194@bugs.debian.org
Wed, 2 Jun 2004 02:41:54 +0200


Package: libgnomevfs2-common
Version: 2.6.1.1-3
Severity: normal
Tags: security sid

The new version of libgnomevfs2-common, which was recently
uploaded to unstable, declares Depends relationships on a lot of
packages that are only needed if support for those specific file
systems is wanted.

Many of those packages in turn bring in lots of other packages
related to those file systems, such as Kerberos, gnutls, fam.

In addition to filling up the user's disk space, some of those
directly or indirectly Depended on packages are or include
network daemons; I noticed fam and Kerberos, but there may be
others.  Bringing in unwanted or unrequested network daemons is
bad for security (it is actually one of the primary security
holes in MS Windows...), so I have put a security tag on this
report.

In my own (not uncommon I think) setup this was particularly
obvious: My sid chroot doesn't manage my desktop, so it isn't
running Gnome, but libgnomevfs2-dev was installed to satisfy
build-dependencies of various desktop-neutral programs. The
buildds and anyone else building software in general probably
have the same problem.


I respectfully suggest that the packaging of gnomevfs2 be
changed as follows:

1. Dependencies for individual file systems (as opposed to the
  abstract vfs interface) are reduced to Suggests.  If desired a
  meta-package gnomevfs2-allfilesystems may be created for use
  by first time users.

2. It is ensured that the vfs interface can be loaded and used
  without installing any particular file system support, and
  that support for any one file system does not need any
  unrelated file system to work.  I suspect this is already
  mostly done, since the problematic Depends were not specified
  by version 2.4.x of the package.


Friendly

Jakob

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.18jbj3.1.64
Locale: LANG=C, LC_CTYPE=da_DK


-- 
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.
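
The following is an added example, not part of the original report and not Debian tooling: it computes what a package's Depends force onto a system and how that set shrinks when file-system backends are demoted to Suggests, as proposal 1 asks. The package index, every package name in it, and the SHIPS_DAEMON set are constructed assumptions.

```python
# Constructed index in Debian control-file syntax; all package names are hypothetical.
INDEX = """\
Package: vfs-common
Depends: libc6, vfs-backend-smb (>= 1.0), vfs-backend-monitor

Package: vfs-backend-smb
Depends: libc6, krb-libs | krb-libs-alt

Package: vfs-backend-monitor
Depends: file-monitor-daemon

Package: file-monitor-daemon
Depends: libc6, portmapper-daemon
"""

# Assumption: which packages ship a network daemon (e.g. an /etc/init.d/ script).
SHIPS_DAEMON = {"file-monitor-daemon", "portmapper-daemon"}

def parse_index(text):
    """Parse stanzas; version constraints dropped, first "a | b" alternative kept."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in stanza.splitlines())
        rels = {}
        for key in ("Depends", "Suggests"):
            items = [r for r in fields.get(key, "").split(",") if r.strip()]
            rels[key] = [r.split("|")[0].split("(")[0].strip() for r in items]
        pkgs[fields["Package"].strip()] = rels
    return pkgs

def forced_closure(pkgs, root):
    """Everything pulled in by installing root: transitive Depends, never Suggests."""
    seen, stack = {root}, [root]
    while stack:
        for dep in pkgs.get(stack.pop(), {}).get("Depends", []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen - {root}

def demote(pkgs, root, names):
    """Return a copy of pkgs where root's Depends on `names` become Suggests."""
    out = {p: {k: list(v) for k, v in r.items()} for p, r in pkgs.items()}
    out[root]["Depends"] = [d for d in pkgs[root]["Depends"] if d not in names]
    out[root]["Suggests"] += [d for d in pkgs[root]["Depends"] if d in names]
    return out

def forced_daemons(pkgs, root):
    return sorted(forced_closure(pkgs, root) & SHIPS_DAEMON)
```

With the constructed index, `forced_daemons` reports two daemons for `vfs-common` before the demotion and none after it.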