Bug#989307: DSA-4923-1: upgrading libwebkit2gtk-4.0-37 on buster pulls in xdg-desktop-portal
Olaf Meeuwissen
paddy-hack at member.fsf.org
Mon Jun 7 12:52:32 BST 2021
Hi Alberto,
Alberto Garcia writes:
> On Sat, Jun 05, 2021 at 11:45:45AM +0900, Olaf Meeuwissen wrote:
>
>> In the meantime, I'll just `apt purge` the added packages. In my
>> case these were the
>>
>> Package changes:
>> + fuse 2.9.9-1+deb10u1 amd64
>> + libpipewire-0.2-1 0.2.5-1 amd64
>> + xdg-desktop-portal 1.2.0-1 amd64
>> + xdg-desktop-portal-gtk 1.2.0-1 amd64
>
> Yes, these are the actual new dependencies.
Plus whatever these depend on that wasn't already installed. I haven't
really pruned my Recommends: but other folks may have.
> Future security updates and buster backports will Suggest
> xdg-desktop-portal-gtk, although in bullseye it will still be a
> recommendation.
Good. I don't mind packages acquiring Recommends in testing/unstable.
I do mind when that happens in stable-security.
> I don't think there's any better way to have those packages removed
> automatically (certainly not a Conflicts, many people had them
> installed anyway). Apart from a couple of MBs of extra used disk
> space, is there anything particularly worrying you?
Bloat.
Increased attack surface.
As far as libwebkit2gtk-4.0-37 is concerned, it happened and everyone
that cares has to clean up manually. That's too bad.
Just let this be a warning for *all* stable-security packages to pay
some extra attention to changing dependencies. If it's only changing
versions of packages already depended upon, that's _probably_ okay. New
packages should raise a red flag.
Hope this helps,
--
Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join
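A defender-side check for the point raised above (new package names appearing in the Depends/Recommends of a security update), added here as an example; it is not code from this thread, from the Debian security team or from the webkit maintainers. It parses the text of a Depends/Recommends field for an old and a new package version, normalises away version constraints, architecture restrictions and multiarch qualifiers, splits alternatives, and prints the names that are new. The field values below are constructed for the example; the `apt-cache show` / `dpkg-deb -f` commands in the comments are the assumed way to obtain real ones.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Debian maintainers.
# Flags packages that are NEW in a Depends/Recommends field of a package
# update, i.e. the red flag the message asks stable-security uploads to watch.
# In practice the field text would come from e.g.
#   apt-cache show libwebkit2gtk-4.0-37=<old-version> | grep '^Recommends:'
#   dpkg-deb -f new.deb Recommends
# (assumed usage; the values further down are constructed for the example).

# Print the bare package names in a Depends/Recommends-style field value,
# one per line, sorted and de-duplicated. Version constraints "(>= 1.2)",
# architecture restrictions "[amd64]" and multiarch qualifiers ":any" are
# dropped, and alternatives "a | b" are listed as separate names, since
# each alternative is something apt may pull in.
dep_names() {
    printf '%s\n' "$1" \
        | tr ',|' '\n\n' \
        | sed -e 's/([^)]*)//g' \
              -e 's/\[[^]]*\]//g' \
              -e 's/:[a-z0-9-]*//' \
              -e 's/^[[:space:]]*//' \
              -e 's/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort -u
}

# Print the names present in the NEW field value ($2) but absent from the
# OLD one ($1). Prints nothing when no new package was introduced.
new_deps() {
    old_list=$(mktemp) || return 1
    dep_names "$1" > "$old_list"
    # grep -vxF: keep only whole lines that equal none of the old names.
    # grep exits 1 when every new name was already present; not an error here.
    dep_names "$2" | grep -vxF -f "$old_list" || true
    rm -f "$old_list"
}

# Prefix each new dependency with the field it came from ($1 = field name).
report_new() {
    new_deps "$2" "$3" | sed "s/^/NEW in $1: /"
}

# Constructed sample field values. The added packages mirror the ones
# reported in the thread (xdg-desktop-portal-gtk, libpipewire-0.2-1); the
# remaining names and constraints are illustrative only.
OLD_DEPENDS='libc6 (>= 2.14), libgtk-3-0 (>= 3.22)'
NEW_DEPENDS='libc6 (>= 2.14), libgtk-3-0 (>= 3.22)'
OLD_RECOMMENDS='gstreamer1.0-plugins-base (>= 1.14)'
NEW_RECOMMENDS='gstreamer1.0-plugins-base (>= 1.14), xdg-desktop-portal-gtk | xdg-desktop-portal-kde, libpipewire-0.2-1 [linux-any]'

# Depends is unchanged here, so only the Recommends lines are printed.
report_new Depends    "$OLD_DEPENDS"    "$NEW_DEPENDS"
report_new Recommends "$OLD_RECOMMENDS" "$NEW_RECOMMENDS"
```

Run it as-is to see the three new Recommends; to check a real update, replace the constructed strings with the field values of the installed and the candidate version. Alternatives are deliberately reported individually, because which one apt installs depends on what is already on the system, exactly the situation described in the thread.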