Bug#252194: libgnomevfs2-common has too many Depends that should be Suggests
Josselin Mouette
252194@bugs.debian.org
Mon, 07 Jun 2004 15:26:50 +0200
On Mon 07/06/2004 at 00:59, Jakob Bohm wrote:
> While only the "client" half of the SMB and Kerberos protocols
> get installed, these protocols have sufficiently often been
> the point of attack in security incidents, that many users
> will not want them installed.
>
> Some well-known attacks against the SMB and Kerberos protocols
> are attacks against the client side, typically involving
> server spoofing and fooling the client code into sending
> passwords or otherwise trusting the wrong server in
> inappropriate ways.
>
> And those were just the two cases that involved network
> security.
As always, this is simple: if you don't want the system to be
compromised because of these features, don't use them. The SMB plugin
only gets used when you call a smb:// URL, and the FAM plugin is only
used when the fam daemon is running.
> 1. libgnomevfs2-dev is a development package for a commonly
> used library, which means that it often needs to be
> installed by buildds and by anyone working on any related
> or unrelated aspect of any package linked against it.
> This implies that the dependency closure of this package
> should be kept as small and lean as technically feasible,
> even the old version of the package brought in a lot, but
> the new one is even worse.
This is already the case. libgnomevfs2-dev doesn't depend on
libsmbclient-dev nor libfam-dev.
> 2. libgnomevfs2 is a plugin system. The whole point of
> having a plugin system is to allow users to add or remove
> plugin functionality without recompiling. But the new
> libgnomevfs2 packages completely take away the user's
> freedom to do any such thing, by putting all the plugins in
> the Depend-level core packages.
> The previous version of the packages at least gave the
> user one optional choice: Install the -extra package or
> not. But this is still not any user- or freedom-oriented
> way of packaging a plugin interface.
This is true, but again, nothing forces you to use these plugins. And
these are only client-side libraries, which don't affect the system's
security.
The only real argument here is that we should have finer-grained
depends, but there is no need to use security as an excuse.
Regards,
-- 
.''`. Josselin Mouette /\./\
: :' : josselin.mouette@ens-lyon.org
`. `' joss@debian.org
`- Debian GNU/Linux -- The power of freedom