[Pkg-libvirt-maintainers] Bug#768376: Bug#768376: [libvirt-daemon-system]

Andrei POPESCU andreimpopescu at gmail.com
Sun Jan 30 13:53:34 GMT 2022


On Mi, 26 ian 22, 20:30:37, devel at sumpfralle.de wrote:
> Hello,
> 
> given the recent CVE-2021-4034 (gaining local root access via "policykit-1"), I
> would like to raise this request again: it would be great if the
> libvirt-daemon-system package would reduce its hard dependency ("Depends") on
> "policykit-1" to a soft dependency ("Recommends").
> 
> If I understand your previous comment correctly, then this is technically
> feasible (i.e. "it just works"):
> 
> On Tue, 7 Jul 2015 07:15:06 +0200 Guido Günther <agx at sigxcpu.org> wrote:
> > I do agree that being able to go without polkit would be nice but a
> > similar situation with virt-manager showed that Recommends: are just not
> > enough. Many people skip them and then report bugs if you use Recommends
> > for a package that's needed in 95% of the installations. I'm just not up
> > to handle these.
> 
> 
> I understand that such bug reports can take effort.
> But I think the circumstances have changed meanwhile (since 2015): "apt" installs
> "Recommends" by default (see `apt-config dump | grep -w Recommends`), thus there
> should be only very few users who are manually overriding this setting.
> And I think there is a fair chance that these users know what they are doing.
> 
> The Debian Policy [2] also advises to use "Recommends" in this case.
> 
> Please reduce the "Depends" relationship towards "policykit-1" down to
> "Recommends".
> 
> Thank you for maintaining this package!

Yes!
 
> [1] https://www.debian.org/security/2022/dsa-5059
> [2] https://www.debian.org/doc/debian-policy/ch-relationships.html

This bug came up in a sub-thread on debian-user, also in relation to 
DSA-5059:

https://lists.debian.org/debian-user/2022/01/msg01166.html

Just in case it helps, anecdotally I can confirm that at least on 
debian-user problems due to missing packages that are only Recommends: 
have been both extremely rare in the past years and treated as an 
unsupported configuration.

Hope this helps,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
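The two checks this thread turns on (is policykit-1 a hard Depends: of the package, and would apt pull it in as a Recommends: anyway), as an added POSIX sh example that is not part of the bug report or the libvirt packaging; the control-field values and the apt-config line are constructed samples, not the real package metadata.

```shell
#!/bin/sh
# Added example (not from the bug report or the libvirt package): classify how
# a package relates to another from its control-file fields, and whether apt
# would install a Recommends: anyway (APT::Install-Recommends in `apt-config dump`).

# is_dep FIELD PKG -> 0 if PKG is listed in FIELD (commas separate entries,
# "|" separates alternatives, "(...)" version and "[...]" arch qualifiers are ignored).
is_dep() {
    printf '%s\n' "$1" | tr ',|' '\n\n' \
        | sed 's/([^)]*)//; s/\[[^]]*\]//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -Fqx "$2"
}

# recommends_enabled -> 0 if the apt-config dump output on stdin says
# APT::Install-Recommends is on; a missing line means apt's default (on).
recommends_enabled() {
    val=$(sed -n 's/^APT::Install-Recommends "\(.*\)";$/\1/p')
    case "${val:-1}" in 1|true|yes) return 0 ;; *) return 1 ;; esac
}

# dep_class DEPENDS RECOMMENDS PKG (apt-config dump output on stdin)
# prints one of: hard | recommends-installed | recommends-skipped | none
dep_class() {
    if is_dep "$1" "$3"; then echo hard
    elif is_dep "$2" "$3"; then
        if recommends_enabled; then echo recommends-installed
        else echo recommends-skipped; fi
    else echo none
    fi
}

# Constructed sample fields (placeholders, not the real package metadata); on a
# Debian host the live values come from: apt-cache show libvirt-daemon-system
DEPENDS_SAMPLE='libvirt-daemon (>= 0), logrotate, policykit-1, init-system-helpers'   # current: hard
SOFT_DEPENDS_SAMPLE='libvirt-daemon (>= 0), logrotate, init-system-helpers'           # as requested
RECOMMENDS_SAMPLE='dmidecode, policykit-1'
APTCONF_SAMPLE='APT::Install-Recommends "0";'   # a user who disabled Recommends

printf '%s\n' "$APTCONF_SAMPLE" | dep_class "$DEPENDS_SAMPLE" "$RECOMMENDS_SAMPLE" policykit-1       # prints: hard
printf '%s\n' "$APTCONF_SAMPLE" | dep_class "$SOFT_DEPENDS_SAMPLE" "$RECOMMENDS_SAMPLE" policykit-1  # prints: recommends-skipped
```

With apt's default configuration the second call reports recommends-installed, which is the "it just works" case the thread relies on; only a user who turned Install-Recommends off ends up without policykit-1.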