Bug#1005227: gnome-software should not recommend fwupd
inasprecali
inasprecali at disroot.org
Wed Feb 9 13:35:02 GMT 2022
Package: gnome-software
Version: 3.38.1-1
Severity: normal
X-Debbugs-Cc: inasprecali at disroot.org
Dear Maintainer,
When installing new Debian system (stable release 11.2 at the time of
writing) with as little custom options as possible (e.g., changing none of
the ticks in the screen where you're asked which system components to
install), fwupd ends up being installed and its relative services enabled
and running. Specifically, these services are fwupd.service and
fwupd-refresh.timer, and they show up in "systemctl status" and
"systemctl list-timers" respectively.
I ran "aptitude why fwupd" to check why it was installed in the first place
(since it did not appear to be installed with desktop environments other
than GNOME) and found out that the package that was pulling fwupd was
gnome-software, which has a "Recommends" dependency on fwupd.
gnome-software itself ends up being installed together with GNOME as part
of the default install. Since it's a "Recommends" dependency, but not
a "Depends" dependency, it can be removed without an issue.
However, I think that the "Recommends" dependency itself is a significant
problem, because it violates Debian's "stable" release philosophy. This
amounts to upgrading firmware-packages "randomly", through an unaudited
process, effectively leaving the user at the mercy of vendors in the LVFS
program. The worst aspect is that, unlike buggy "regular" software which
one can always uninstall via apt, buggy firmware can brick hardware. In
fact, there are precedents of this happening on Ubuntu, for example:
https://github.com/fwupd/fwupd/issues/655
Therefore, my personal recommendation is to remove the "Recommends"
dependency on fwupd from gnome-software (making it an "Suggests" dependency
at most). In fact, due to the potential issues caused by constant firmware
updates, I might recommend making sure that no package such as fwupd ends
up installed by default (of course, users can always install it manually
if they explicitly choose to do so). Of course, although I explained why
I believe so, this is just my opinion, and I'm open to different suggestions.
Thank you for your time.
-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-11-amd64 (SMP w/8 CPU threads)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gnome-software depends on:
ii appstream 0.14.4-1
ii apt-config-icons 0.14.4-1
ii dconf-gsettings-backend [gsettings-backend] 0.38.0-2
ii gnome-software-common 3.38.1-1
ii gsettings-desktop-schemas 3.38.0-2
ii libappstream-glib8 0.7.18-1
ii libatk1.0-0 2.36.0-2
ii libc6 2.31-13+deb11u2
ii libcairo2 1.16.0-5
ii libfwupd2 1.5.7-4
ii libgdk-pixbuf-2.0-0 2.42.2+dfsg-1
ii libglib2.0-0 2.66.8-1
ii libgspell-1-2 1.8.4-1
ii libgtk-3-0 3.24.24-4
ii libgtk3-perl 0.038-1
ii libgudev-1.0-0 234-1
ii libjson-glib-1.0-0 1.6.2-1
ii libmalcontent-0-0 0.10.0-2
ii libpackagekit-glib2-18 1.2.2-2
ii libpolkit-gobject-1-0 0.105-31+deb11u1
ii libsoup2.4-1 2.72.0-2
ii libxmlb1 0.1.15-2
ii packagekit 1.2.2-2
ii software-properties-gtk 0.96.20.2-2.1
Versions of packages gnome-software recommends:
pn fwupd <none>
Versions of packages gnome-software suggests:
pn apt-config-icons-hidpi <none>
ii gnome-software-plugin-flatpak 3.38.1-1
pn gnome-software-plugin-snap <none>
-- no debconf information
More information about the pkg-gnome-maintainers
mailing list