Package: dpkg-dev
Version: 1.10.27
Priority: important
Tags: patch
[Note: This has happened to me a few times while testing d-i and I had not
nailed down the root cause but after my last installation (see installation
report sent as bug #301112, I've investigated a bit ]
When doing a default installation just selecting the 'Desktop' task, a user
will end up with a lot of development packages including gcc, g++,
libc6-dev, kernel-headers-dev and lots of other -dev packages.
The culprit here might be dpkg-dev, pulled in by aptitude because it's
priority standard. Dpkg-dev recomemnds a c-compiler and aptitude happily
takes Recommends for the system and downloads all of them:
Package: dpkg-dev
Priority: standard
Section: utils
(...)
Recommends: c-compiler
^^^^^^^^^^
So gcc is pulled in (Provides: c-compiler) and with it (through
dependancies) bison, flex, make, autoconf, gdb, libc-dev (libc6-dev) and on
and on..
Now, the Debian policy says:
standard
These packages provide a reasonably small but not too limited
character-mode system. This is what will be installed by
default if the user doesn't select anything else. It doesn't
include many large applications.
I fail to see how dpkg-dev fits in that category as most users will _not_
build debian packages at all. The current tasks defined in tasksel (and
used by base-config) are: database-server, dns-server, file-server,
mail-server, print-server and desktop environments (in different languages)
None of those tasks need a C-compiler, nor do they need dpkg-dev at all.
Joey Hess removed the debian-devel task a while back (May 2001) with the
following changelog:
- Killed debian-dev(el) task, since it does not meet our task criteria
-- nowhere near 10% of debian users are debian developers (we hope!),
and probably not enough regular users will use this package to make
up the difference. This is my own package, so I'm willing to be
persuaded otherwise, though..
Joey also removed some other development tasks (c-dev, java-dev,
python-dev, kernel-compile) in June 2004 too.
It certainly does not make sense to me to have desktop systems with a C/C++
compiler and, what's worst, those tools can easily be used by worm writers
to have a more efficient worm propagation (as demonstrated by the Slapper
worm back in 2002 [1])
Please fix this before the next stable release is made or otherwise we'll
end up with lots of users wondering why they have all a C-compiler
installed!
Regards
Javier
[1] Please also read "A Slap Upside the Head"
http://www.hackinglinuxexposed.com/articles/20020924.html
" Minimal Software Installations
The worm requires gcc to compile the .bugtraq.c file. If you
didn't install gcc, then the worm will fail before even if it
managed to break into your web server. Just as you'd turn off a
daemon you aren't using, why keep software installed that you
don't need? It only gives an attacker another tool that can
make the cracking easier.
"
Patch for this :-)
$ diff -u control.orig control
--- control.orig 2005-03-24 00:07:37.000000000 +0100
+++ control 2005-03-24 00:08:04.000000000 +0100
@@ -47,7 +47,7 @@
Package: dpkg-dev
Section: utils
-Priority: standard
+Priority: optional
Architecture: all
Depends: perl5, perl-modules, cpio (>= 2.4.2-2), patch (>= 2.2-1), make,
binutils
Recommends: c-compiler
Attachment:
signature.asc
Description: Digital signature