Bug#252194: libgnomevfs2-common has too many Depends that should be Suggests

Jakob Bohm <jbj@image.dk>, 252194@bugs.debian.org
Tue, 8 Jun 2004 05:01:17 +0200


On Mon, Jun 07, 2004 at 03:26:50PM +0200, Josselin Mouette wrote:
> On Mon 07/06/2004 at 00:59, Jakob Bohm wrote:
> > While only the "client" half of the SMB and Kerberos protocols
> >    get installed, these protocols have sufficiently often been
> >    the point of attack in security incidents, that many users
> >    will not want them installed.
> >
> > Some well-known attacks against the SMB and Kerberos protocols
> >    are attacks against the client side, typically involving
> >    server spoofing and fooling the client code into sending
> >    passwords or otherwise trusting the wrong server in
> >    inappropriate ways.
> >
> > And those were just the two cases that involved network
> > security.
>
> As always, this is simple: if you don't want the system to be
> compromised because of these features, don't use them. The SMB plugin
> only gets used when you call a smb:// URL, and the FAM plugin is only
> used when the fam daemon is running.
>

Typical exploits (usually targeted against Windows, because *n*x
didn't use to be like this) go something like this: A web page or
HTML e-mail etc. etc. refers to a URL like
smb://fakeserver.badguys.bad/someshare/logo.png, the
overintegrated file viewer/web browser (think
explorer/konqueror) calls the smbclient code implicitly, the
smbclient code sends the user's default SMB credentials (intended
for local site use) to fakeserver.badguys.bad,
fakeserver.badguys.bad pretends to be an old machine that needs a
cleartext password, smbclient complies, bad guy gets the cleartext
password for the LAN, bad guy is happy.

> >    1. libgnomevfs2-dev is a development package for a commonly
> >      used library, which means that it often needs to be
> >      installed by buildds and by anyone working on any related
> >      or unrelated aspect of any package linked against it.
> >       This implies that the dependency closure of this package
> >      should be kept as small and lean as technically feasible,
> >      even the old version of the package brought in a lot, but
> >      the new one is even worse.
>
> This is already the case. libgnomevfs2-dev doesn't depend on
> libsmbclient-dev nor libfam-dev.

libgnomevfs2-dev deps libgnomevfs2
   libgnomevfs2 deps libgnomevfs2-common
      libgnomevfs2-common deps a whole bunch of stuff, including
         libsmbclient and libfam0c102

The observation that triggered this bug report was very real:

I did the usual aptitude update of my sid-chroot.

Aptitude told me I suddenly needed additional network stuff to
install the updated pkgs.

I backtraced the depends with the aptitude r command, and ended
up at the new libsmbclient and the new libgnomevfs2-common.

I decided to purge libgnomevfs2-common, so I could update the rest.

aptitude told me that a large number of packages, including my own
dummy no-fam package and the newly needed kerberos packages, plus
a whole bunch of other packages could now be autoremoved.

>
> >    2. libgnomevfs2 is a plugin system.  The whole point of
> >      having a plugin system is to allow users to add or remove
> >      plugin functionality without recompiling.  But the new
> >      libgnomevfs2 packages completely take away the user's
> >      freedom to do any such thing, by putting all the plugins in
> >      the Depend-level core packages.
> >       The previous version of the packages at least gave the
> >      user one optional choice: Install the -extra package or
> >      not.  But this is still not any user or freedom oriented
> >      way of packaging a plugin interface.
>
> This is true, but again, nothing forces you to use these plugins. And
> these are only client-side libraries, which don't affect the system's
> security.

Except that those libs are now called automagically if a file
reference matches the applicable regexes.

This is similar to unfiltered mime support in e-mail clients:
Nothing forces you to call the mime handlers for html, wave
audio and executable files, except that they are called
automagically if you receive one of those nasty virus e-mails.

>
> The only real argument here is that we should have finer-grained
> depends, but there is no need to use security as an excuse.
>

I am willing to accept dropping of the security tag, but I still
find this kind of needlessly pulling in loads and loads of
unwanted packages to be a real functionality bug.

Here is a simple experiment to measure the size of the problem:

Set up a sid-chroot with just base and apt.

Then apt-get install libgnomevfs2 including all Recommends.

Try to justify why anyone needing libgnomevfs2.so.2 needs
each of the packages pulled in.

Here are my stats from trying this:

dselect (implicit Recommends):  65 pkgs, dnld  24.8MB, use   87.7MB
apt-get install, no Recommends: 54 pkgs, dnld  23.2MB, use   80.3MB
apt-get install w/Recommends:   63 pkgs, dnld  23.9MB, use   84.6MB
apt-get install w/Suggests:    728 pkgs, dnld 520  MB, use 1526  MB
   (Ok, the last line is extreme and unfair...)


-- 
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.
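One way to quantify the dependency-closure argument made in the message above, as an added example that is neither part of the bug report nor one of Debian's own tools: the control stanzas below are constructed with placeholder versions, only the first alternative of each dependency is followed, and the script compares the closure of libgnomevfs2-dev with the plugin libraries in Depends against the same closure with them demoted to Suggests.

```python
"""Dependency closure over constructed Debian-style control stanzas.
Models libgnomevfs2-dev -> libgnomevfs2 -> libgnomevfs2-common -> plugins."""
import re
# Constructed stanzas with placeholder versions; not real archive data.
PACKAGES = """\
Package: libgnomevfs2-dev
Depends: libgnomevfs2 (= 2.6.1-1), libc6-dev | libc-dev

Package: libgnomevfs2
Depends: libgnomevfs2-common (>= 2.6.0)

Package: libgnomevfs2-common
Depends: libsmbclient, libfam0c102
Recommends: gnome-mime-data

Package: libsmbclient
Depends: libkrb53
"""

def parse(text):
    """{package: {field: [dep names]}}; drops versions, keeps first alternative."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(re.findall(r"^(\w[\w-]*): (.*)$", stanza, re.M))
        name = fields.pop("Package")
        pkgs[name] = {f: [re.sub(r"\s*\(.*?\)", "", a.split("|")[0]).strip()
                          for a in v.split(",")] for f, v in fields.items()}
    return pkgs

def closure(pkgs, root, fields=("Depends",)):
    """Packages pulled in by installing `root`, following the given fields."""
    seen, todo = set(), [root]
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            for f in fields:
                todo.extend(pkgs.get(p, {}).get(f, []))  # leaf pkgs have no stanza
    return seen - {root}

def demote(pkgs, pkg, deps, to="Suggests"):
    """Copy of pkgs with `deps` of `pkg` moved from Depends to `to`."""
    new = {k: {f: list(v) for f, v in d.items()} for k, d in pkgs.items()}
    new[pkg]["Depends"] = [d for d in new[pkg]["Depends"] if d not in deps]
    new[pkg].setdefault(to, []).extend(deps)
    return new

if __name__ == "__main__":
    before = parse(PACKAGES)
    after = demote(before, "libgnomevfs2-common", ["libsmbclient", "libfam0c102"])
    print(sorted(closure(before, "libgnomevfs2-dev")), sorted(closure(after, "libgnomevfs2-dev")))
```

Passing `fields=("Depends", "Recommends")` or adding `"Suggests"` reproduces the three install modes the message's stats compare.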