Bug#252194: libgnomevfs2-common has too many Depends that should be Suggests

Josselin Mouette 252194@bugs.debian.org
Mon, 07 Jun 2004 15:26:50 +0200



On Mon 07/06/2004 at 00:59, Jakob Bohm wrote:
> While only the "client" half of the SMB and Kerberos protocols
>    get installed, these protocols have sufficiently often been
>    the point of attack in security incidents, that many users
>    will not want them installed.
>
> Some well-known attacks against the SMB and Kerberos protocols
>    are attacks against the client side, typically involving
>    server spoofing and fooling the client code into sending
>    passwords or otherwise trusting the wrong server in
>    inappropriate ways.
>
> And those were just the two cases that involved network
> security.

As always, this is simple: if you don't want the system to be
compromised because of these features, don't use them. The SMB plugin
only gets used when you call a smb:// URL, and the FAM plugin is only
used when the fam daemon is running.

>    1. libgnomevfs2-dev is a development package for a commonly
>      used library, which means that it often needs to be
>      installed by buildds and by anyone working on any related
>      or unrelated aspect of any package linked against it.
>       This implies that the dependency closure of this package
>      should be kept as small and lean as technically feasible;
>      even the old version of the package brought in a lot, but
>      the new one is even worse.

This is already the case. libgnomevfs2-dev doesn't depend on
libsmbclient-dev nor libfam-dev.

>    2. libgnomevfs2 is a plugin system.  The whole point of
>      having a plugin system is to allow users to add or remove
>      plugin functionality without recompiling.  But the new
>      libgnomevfs2 packages completely take away the user's
>      freedom to do any such thing, by putting all the plugins in
>      the Depends-level core packages.
>       The previous version of the packages at least gave the
>      user one optional choice: Install the -extra package or
>      not.  But this is still not any user or freedom oriented
>      way of packaging a plugin interface.

This is true, but again, nothing forces you to use these plugins. And
these are only client-side libraries, which don't affect the system's
security.

The only real argument here is that we should have finer-grained
depends, but there is no need to use security as an excuse.

Regards,
-- 
 .''`.           Josselin Mouette        /\./\
: :' :           josselin.mouette@ens-lyon.org
`. `'                        joss@debian.org
  `-  Debian GNU/Linux -- The power of freedom
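The disagreement above is really about how much a package's transitive Depends closure pulls in, and how much of that would disappear if plugin back-ends were moved to Suggests. The following script is an added example, not part of this bug report or of the gnome-vfs packaging; it parses a small, constructed Packages-style (deb822) index, computes the Depends closure of a root package, and shows the closure after demoting named plugins from Depends to Suggests. All package relations, the field contents and the `demote` helper are constructed for illustration and do not reflect real Debian metadata.

```python
"""Compare the transitive Depends closure of a Debian package before and
after moving optional plugin back-ends from Depends to Suggests.

The index below is CONSTRUCTED for this example; versions and relations
are hypothetical, not real Debian metadata."""
import re

# Constructed sample index (hypothetical relations).
PACKAGES_INDEX = """\
Package: libgnomevfs2-common
Depends: libgnomevfs2-0, libsmbclient, libfam0
Suggests: gnome-vfs-extras

Package: libgnomevfs2-0
Depends: libc6, libgconf2-4

Package: libsmbclient
Depends: libc6, libkrb5-3

Package: libkrb5-3
Depends: libc6

Package: libfam0
Depends: libc6

Package: libgconf2-4
Depends: libc6

Package: libc6

Package: gnome-vfs-extras
Depends: libgnomevfs2-0
"""


def parse_index(text):
    """Parse deb822 stanzas into {package_name: {field: value}}.
    Continuation lines (leading whitespace) are folded into the
    previous field, as in real control files."""
    index = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, last_key = {}, None
        for line in stanza.splitlines():
            if line[:1].isspace() and last_key:
                fields[last_key] += " " + line.strip()
                continue
            key, _, value = line.partition(":")
            last_key = key.strip()
            fields[last_key] = value.strip()
        index[fields["Package"]] = fields
    return index


def relation_names(field_value):
    """Package names from a relation field such as 'a (>= 1), b | c'.
    Every alternative of an OR group is counted, giving the largest
    closure apt could possibly install from that field."""
    names = []
    for group in field_value.split(","):
        for alt in group.split("|"):
            alt = alt.strip()
            if alt:
                names.append(alt.split()[0])  # drop version / arch qualifiers
    return names


def closure(index, root, fields=("Depends",)):
    """Transitive closure of `root` over the given relation fields,
    excluding the root itself. Unknown packages are leaves."""
    seen, stack = set(), [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        entry = index.get(name, {})
        for field in fields:
            stack.extend(d for d in relation_names(entry.get(field, "")) if d not in seen)
    seen.discard(root)
    return sorted(seen)


def demote(index, package, names):
    """Return a copy of `index` where the Depends groups of `package`
    whose first alternative is in `names` are moved to Suggests.
    (Hypothetical helper for this example.)"""
    new_index = {k: dict(v) for k, v in index.items()}
    entry = new_index[package]
    keep, moved = [], []
    for group in entry.get("Depends", "").split(","):
        group = group.strip()
        if group:
            (moved if group.split()[0] in names else keep).append(group)
    entry["Depends"] = ", ".join(keep)
    existing = [g.strip() for g in entry.get("Suggests", "").split(",") if g.strip()]
    entry["Suggests"] = ", ".join(existing + moved)
    return new_index


if __name__ == "__main__":
    idx = parse_index(PACKAGES_INDEX)
    print("Depends closure (as packaged):", closure(idx, "libgnomevfs2-common"))
    slim = demote(idx, "libgnomevfs2-common", {"libsmbclient", "libfam0"})
    print("Depends closure (plugins as Suggests):", closure(slim, "libgnomevfs2-common"))
    print("Depends+Suggests closure:", closure(slim, "libgnomevfs2-common", ("Depends", "Suggests")))
```

Run against a real system, the same `closure` logic applied to the output of `apt-cache show` (or `/var/lib/apt/lists/*_Packages`) lets a maintainer quantify what a proposed Depends-to-Suggests move actually removes from a buildd's install set, which is the measurable form of the "attack surface" argument made in the thread.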
