[Pkg-libvirt-maintainers] Bug#768376: Bug#768376: [libvirt-daemon-system]
devel at sumpfralle.de
Wed Jan 26 19:30:37 GMT 2022
Hello,
given the recent CVE-2021-4034 (gaining local root access via "policykit-1"), I
would like to raise this request again: it would be great if the
libvirt-daemon-system package reduced its hard dependency ("Depends") on
"policykit-1" to a soft dependency ("Recommends").
If I understand your previous comment correctly, then this is technically
feasible (i.e. "it just works"):
On Tue, 7 Jul 2015 07:15:06 +0200 Guido Günther <agx at sigxcpu.org> wrote:
> I do agree that being able to go without polkit would be nice but a
> similar situation with virt-manager showed that Recommends: are just not
> enough. Many people skip them and then report bugs if you use Recommends
> for a package that's needed in 95% of the installations. I'm just not up
> to handle these.
I understand that such bug reports can take effort.
But I think the circumstances have changed in the meantime (since 2015): "apt" installs
"Recommends" by default (see `apt-config dump | grep -w Recommends`), thus there
should be only very few users who are manually overriding this setting.
And I think there is a fair chance that these users know what they are doing.
The Debian Policy [2] also advises using "Recommends" in this case.
Please reduce the "Depends" relationship towards "policykit-1" down to
"Recommends".
Thank you for maintaining this package!
Cheers,
Lars
[1] https://www.debian.org/security/2022/dsa-5059
[2] https://www.debian.org/doc/debian-policy/ch-relationships.html
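As an added example (not part of the bug report or of the libvirt packaging), the check a sysadmin can run to see how strongly a binary package pulls in policykit-1 and whether apt would install a "Recommends" at all. The control stanzas and the `apt-config dump` output below are constructed; on a real system they would come from `apt-cache show libvirt-daemon-system` and `apt-config dump`.

```shell
#!/usr/bin/env bash
# dep_strength STANZA PKG -> prints "Depends", "Recommends" or "none".
# Parses the relationship fields of a control stanza; version constraints,
# architecture qualifiers and alternatives ("a | b") are tolerated.
dep_strength() {
  local stanza="$1" pkg="$2"
  printf '%s\n' "$stanza" | awk -v pkg="$pkg" '
    /^(Depends|Recommends):/ {
      field = $1; sub(/:$/, "", field)
      $1 = ""
      n = split($0, rel, /[,|]/)            # split on commas and alternatives
      for (i = 1; i <= n; i++) {
        name = rel[i]
        sub(/^[ \t]+/, "", name)
        sub(/[^A-Za-z0-9.+-].*$/, "", name) # keep only the package name
        if (name == pkg) found[field] = 1
      }
    }
    END {
      if (found["Depends"]) print "Depends"
      else if (found["Recommends"]) print "Recommends"
      else print "none"
    }'
}

# install_recommends_enabled DUMP -> succeeds if APT::Install-Recommends is on,
# i.e. a "Recommends" would still be installed on this system.
install_recommends_enabled() {
  printf '%s\n' "$1" | grep -Eq '^APT::Install-Recommends "(1|true)";$'
}

# Constructed sample data (versions are placeholders, not real package metadata).
CURRENT_STANZA='Package: libvirt-daemon-system
Depends: libvirt-daemon (= 0.0-example), policykit-1, logrotate
Recommends: dmidecode, libxml2-utils'
PROPOSED_STANZA='Package: libvirt-daemon-system
Depends: libvirt-daemon (= 0.0-example), logrotate
Recommends: policykit-1, dmidecode, libxml2-utils'
APT_DUMP='APT::Install-Recommends "1";
APT::Install-Suggests "0";'

echo "current:  policykit-1 is a $(dep_strength "$CURRENT_STANZA" policykit-1)"
echo "proposed: policykit-1 is a $(dep_strength "$PROPOSED_STANZA" policykit-1)"
if install_recommends_enabled "$APT_DUMP"; then
  echo "apt would still install Recommends on this system"
fi
```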