Package: dpkg-dev
Version: 1.10.27
Priority: important
Tags: patch

[Note: This has happened to me a few times while testing d-i and I had not nailed down the root cause but after my last installation (see installation report sent as bug #301112), I've investigated a bit]

When doing a default installation just selecting the 'Desktop' task, a user will end up with a lot of development packages including gcc, g++, libc6-dev, kernel-headers-dev and lots of other -dev packages.

The culprit here might be dpkg-dev, pulled in by aptitude because it's priority standard. Dpkg-dev recommends a c-compiler and aptitude happily takes Recommends for the system and downloads all of them:

Package: dpkg-dev
Priority: standard
Section: utils
(...)
Recommends: c-compiler
            ^^^^^^^^^^

So gcc is pulled in (Provides: c-compiler) and with it (through dependencies) bison, flex, make, autoconf, gdb, libc-dev (libc6-dev) and on and on..

Now, the Debian policy says:

standard
    These packages provide a reasonably small but not too limited character-mode system. This is what will be installed by default if the user doesn't select anything else. It doesn't include many large applications.

I fail to see how dpkg-dev fits in that category as most users will _not_ build debian packages at all. The current tasks defined in tasksel (and used by base-config) are: database-server, dns-server, file-server, mail-server, print-server and desktop environments (in different languages)

None of those tasks need a C-compiler, nor do they need dpkg-dev at all. Joey Hess removed the debian-devel task a while back (May 2001) with the following changelog:

    - Killed debian-dev(el) task, since it does not meet our task criteria -- nowhere near 10% of debian users are debian developers (we hope!), and probably not enough regular users will use this package to make up the difference. This is my own package, so I'm willing to be persuaded otherwise, though..
Joey also removed some other development tasks (c-dev, java-dev, python-dev, kernel-compile) in June 2004 too.

It certainly does not make sense to me to have desktop systems with a C/C++ compiler and, what's worse, those tools can easily be used by worm writers to have a more efficient worm propagation (as demonstrated by the Slapper worm back in 2002 [1]).

Please fix this before the next stable release is made or otherwise we'll end up with lots of users wondering why they all have a C-compiler installed!

Regards

Javier

[1] Please also read "A Slap Upside the Head" http://www.hackinglinuxexposed.com/articles/20020924.html

"Minimal Software Installations

The worm requires gcc to compile the .bugtraq.c file. If you didn't install gcc, then the worm will fail before even if it managed to break into your web server. Just as you'd turn off a daemon you aren't using, why keep software installed that you don't need? It only gives an attacker another tool that can make the cracking easier."

Patch for this :-)

$ diff -u control.orig control --- control.orig 2005-03-24 00:07:37.000000000 +0100 +++ control 2005-03-24 00:08:04.000000000 +0100 @@ -47,7 +47,7 @@ Package: dpkg-dev Section: utils -Priority: standard +Priority: optional Architecture: all Depends: perl5, perl-modules, cpio (>= 2.4.2-2), patch (>= 2.2-1), make, binutils Recommends: c-compiler
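
Review bot: the trailing context line "Recommends: c-compiler" is left as it is, so changing "Priority: standard" to "Priority: optional" only stops dpkg-dev from being selected by default. Any installation that does select dpkg-dev through a front end that follows Recommends still pulls in a compiler, and the unchanged Depends line still brings in make and binutils. Please state whether the Recommends is meant to stay (or become a Suggests), and add a changelog entry for the priority change, since this diff touches only control.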
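
The chain described in the report (a Priority: standard package whose Recommends resolves through Provides: c-compiler) can be reproduced with a small resolver. This is an added example, not part of the original report or of dpkg/aptitude; the gcc stanza's Depends line, the DEFAULT_PRIORITIES set and all function names are assumptions made for illustration.

```python
import re

# Constructed sample. The dpkg-dev fields and "Provides: c-compiler" are quoted
# in the report; gcc's Depends line is a simplified assumption.
SAMPLE = """\
Package: dpkg-dev
Priority: standard
Depends: perl5, perl-modules, cpio (>= 2.4.2-2), patch (>= 2.2-1), make, binutils
Recommends: c-compiler

Package: gcc
Priority: optional
Provides: c-compiler
Depends: libc6-dev, binutils
"""

# Assumption: the installer seeds the system with packages of these priorities.
DEFAULT_PRIORITIES = {"required", "important", "standard"}

def parse(text):
    """Parse control stanzas into {package: {field: value}}."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        pkgs[fields["Package"]] = fields
    return pkgs

def names(field):
    """Package names in a relationship field, without version constraints."""
    stripped = (re.sub(r"\(.*?\)", "", item).split("|")[0].strip()
                for item in field.split(","))
    return [n for n in stripped if n]

def closure(pkgs, roots, follow_recommends):
    """Set installed for `roots`; names without a stanza count as leaves."""
    providers = {v: n for n, f in pkgs.items() for v in names(f.get("Provides", ""))}
    seen, todo = set(), list(roots)
    while todo:
        name = todo.pop()
        real = name if name in pkgs else providers.get(name, name)
        if real in seen:
            continue
        seen.add(real)
        fields = pkgs.get(real, {})
        todo += names(fields.get("Depends", ""))
        if follow_recommends:
            todo += names(fields.get("Recommends", ""))
    return seen

def default_install(pkgs, follow_recommends=True):
    roots = [n for n, f in pkgs.items() if f.get("Priority") in DEFAULT_PRIORITIES]
    return closure(pkgs, roots, follow_recommends)
```

Comparing default_install() on SAMPLE with the same text after replacing "Priority: standard" by "Priority: optional" shows the effect of the proposed change on the default package set.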