
A general question about options.



Good day everyone.

I have a rather generic question about dependencies that various
Debian desktop-related packages have, so probably this is the wrong list.

I always assumed that every "auto-" thing such as auto-configuring,
auto-publishing, auto-discovery, etc. was only an option
that is required by some (now rather large) group of users.

But as I figured out, it is impossible even to build some
Debian packages without really optional features provided by
something like the avahi set of libraries.

Is it correct to presuppose that features like auto-discovery
and zero-configuration are the core of every desktop environment/application
and not its cool options, that can be safely removed when unneeded?
It looks like kdelibs Depends on libavahi-client3, libavahi-common3,
libavahi-qt3-1. It does not Suggest them, to demonstrate that
their usage will improve functionality to a new level.
It says instead, that without all that everything will break.
OMG, is that REALLY true? Is it all correct?

OK, well, I know where those dependencies come from - everything is so
patched, that it does not build now without all that originally optional
auto- features available as headers and libraries.

But features like "auto-discovery of anything" or "auto-configuration
of everything" are only useful to rather specific communities of
inexperienced/lazy users. Is it allowable to think it is a standard requirement
of every possible environment? How well does that perform when something
like SELinux is enabled not only for testing or out of curiosity, but also to
prevent ANY possible information leak?

As far as I understand technology like avahi or bonjour, it has a goal to
allow the information leakage (it is termed politely as "sharing" and "publishing")
with minimal effort even for inexperienced users.
Am I wrong on that?

Should I now opt out of Debian, because its desktop unconditionally Depends on avahi?
Some day in the past I had to opt out of Windows because it was too
obtrusive in its opinions about almost every aspect of my work.
In those days Linux required me to manually configure almost everything,
it was also somehow obtrusive, but anyway, the system was ALL CONFIGURABLE!!!
And that was cool!!! Because I have got a choice to make by myself in the case
I need it (almost all of the time I needed no choice though, but yet not all of the time).
And I loved that all of the time and very much.

Will we have any alternative, any Big Fat Switch to turn off, to remove any crutches,
to say
"Yes, I Know It May Be Hard To Configure That By Myself, But Let Me Do That Anyway"
Maybe some hard-to-install-and-configure Debian GNU/Linux? :)

Or to say "I am more concerned with security than usability, so I want to
carefully and manually select features available in the system". That is not too much,
is it?

All I ask for is stub packages that provide no functionality, but allow
something like konqueror to install and work in a system without real libavahi.
(Well, if all those features are so poorly designed that it is impossible to build
kdelibs without avahi, let them build and install, with this dirty hack.)

Why? The fewer the dependencies, the lesser the risk of potential bugs and ways to exploit.

PS: Looks like a Google search on "avahi+security" returns no links to discussion on that subject, but
on the third page there is a "Disabling the Avahi daemon - The solution" link, but the link DOES NOT WORK...
PPS: Yes, I'm a paranoic. So what?
PPS: Ubuntu Wiki says about zeroconf, that "Attack vectors are limited to the local area network." - but
that is still unacceptable for my tasks and environments. I can't tolerate the idea of making every
desktop application potentially network-facing, even if that is only a local network. Furthermore
I can't tolerate the idea of desktop communicating via loopback with other accounts on the same box.

--
Anonymous Paranoic.

