[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

dpkg-dev: Is this package really Priority: standard (probably the root cause in new Debian systems installing a c-compiler by default)

Package: dpkg-dev
Version: 1.10.27
Priority: important
Tags: patch

[Note: This has happened to me a few times while testing d-i and I had not
nailed down the root cause but after my last installation (see installation
report sent as bug #301112, I've investigated a bit ]

When doing a default installation just selecting the 'Desktop' task, a user 
will end up with a lot of development packages including gcc, g++, 
libc6-dev, kernel-headers-dev and lots of other -dev packages.

The culprit here might be dpkg-dev, pulled in by aptitude because it's 
priority standard. Dpkg-dev recomemnds a c-compiler and aptitude happily 
takes Recommends for the system and downloads all of them:

Package: dpkg-dev
Priority: standard
Section: utils
Recommends: c-compiler

So gcc is pulled in (Provides: c-compiler) and with it (through
dependancies) bison, flex, make, autoconf, gdb, libc-dev (libc6-dev) and on
and on..

Now, the Debian policy says:

          These packages provide a reasonably small but not too limited
          character-mode system. This is what will be installed by
          default if the user doesn't select anything else. It doesn't
          include many large applications.

I fail to see how dpkg-dev fits in that category as most users will _not_ 
build debian packages at all. The current tasks defined in tasksel (and 
used by base-config) are: database-server, dns-server, file-server, 
mail-server, print-server and desktop environments (in different languages)
None of those tasks need a C-compiler, nor do they need dpkg-dev at all. 
Joey Hess removed the debian-devel task a while back (May 2001) with the 
following changelog:

    - Killed debian-dev(el) task, since it does not meet our task criteria
      -- nowhere near 10% of debian users are debian developers (we hope!),
      and probably not enough regular users will use this package to make
      up the difference. This is my own package, so I'm willing to be
      persuaded otherwise, though..

Joey also removed some other development tasks (c-dev, java-dev, 
python-dev, kernel-compile) in June 2004 too.

It certainly does not make sense to me to have desktop systems with a C/C++
compiler and, what's worst, those tools can easily be used by worm writers
to have a more efficient worm propagation (as demonstrated by the Slapper
worm back in 2002 [1])

Please fix this before the next stable release is made or otherwise we'll 
end up with lots of users wondering why they have all a C-compiler 



[1] Please also read "A Slap Upside the Head"

"   Minimal Software Installations
          The worm requires gcc to compile the .bugtraq.c file. If you
          didn't install gcc, then the worm will fail before even if it
          managed to break into your web server. Just as you'd turn off a
          daemon you aren't using, why keep software installed that you
          don't need? It only gives an attacker another tool that can
          make the cracking easier.

Patch for this :-)

$ diff -u control.orig control
--- control.orig        2005-03-24 00:07:37.000000000 +0100
+++ control     2005-03-24 00:08:04.000000000 +0100
@@ -47,7 +47,7 @@

 Package: dpkg-dev
 Section: utils
-Priority: standard
+Priority: optional
 Architecture: all
 Depends: perl5, perl-modules, cpio (>= 2.4.2-2), patch (>= 2.2-1), make, 
 Recommends: c-compiler

Attachment: signature.asc
Description: Digital signature

Reply to: