Re: Opt out style recommends

To: debian-devel@lists.debian.org
Subject: Re: Opt out style recommends
From: Russ Allbery <rra@debian.org>
Date: Fri, 08 Apr 2016 18:20:25 -0700
Message-id: <[🔎] 87lh4nlgrq.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20160408233740.GA24954@angband.pl> (Adam Borowski's message of "Sat, 9 Apr 2016 01:37:40 +0200")
References: <[🔎] D68F1898-86E9-40D1-A467-0BF4957883AD@onenetbeyond.org> <[🔎] 87zit4oj3h.fsf@setec.io> <[🔎] 20160408190522.GA26504@angband.pl> <[🔎] 146014507843.2028.6873922028027210378@auryn.jones.dk> <[🔎] 20160408233740.GA24954@angband.pl>

Adam Borowski <kilobyte@angband.pl> writes:

> Like:
> xfce4-power-manager -> upower -> libimobiledevice4 -> usbmuxd

> Is the recommendation from libimobiledevice4 to usbmuxd valid?  Sure it is
> -- the library is useless without the daemon.

> Is the dependency from upower to libimobiledevice4 valid?  It is -- using
> dlopen for every optional feature would require massive amounts of work.

> Is the dependency from xfce4-power-manager to upower valid?  Certainly --
> x-p-m is merely a GUI that needs upower for everything.

> But, wanting to suspend my computer doesn't mean I own an iPod or want a
> daemon that's useless for non-iPod-users!

So, where this goes wrong is the upower -> libimobiledevice4 dependency.
As you say, the dependency is correct (or at least correct-ish): we don't
want to dlopen everything and try to push all those patches upstream.  But
this is the weakest link of this whole chain, yet has the strongest
dependency.

I think a more correct fix would (unfortunately) involve a new binary
package field that we don't currently have: Depends-Shallow (for lack of a
better term) that acts like Depends *except* disables Recommends
processing for anything below the shallow dependencies in the tree.  So if
everything you're installing only Depends-Shallow on libimobiledevice4,
you don't get the recommendation; if anything straight depends on it, you
do.

> And, many maintainers could take this as an attack: "what, my package is
> useless?!?".  Like, openssh-server -> libwrap0 -> tcpd.  I'd say pretty
> much anyone today uses other means for limiting access to ssh; tcpd does
> have near-universal popcon (95.79%!) but protocols listed in its
> description (telnet ftp rsh rlogin finger) and complete dearth of new
> bug reports (it received tons in the past) make me think it's not
> actually used anymore.

I still use tcpd for openssh-server.  (This is not an argument for keeping
the chain, just a data point.)  tcpd, unlike iptables, can whitelist
domains.  It's weak security, but it's good for defense in depth and
making the constant brute force attacks die down a bit.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Opt out style recommends
  - From: Jonas Smedegaard <dr@jones.dk>
- Re: Opt out style recommends
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: Opt out style recommends
  - From: Tollef Fog Heen <tfheen@err.no>

References:
- Opt out style recommends
  - From: Pirate Praveen <praveen@onenetbeyond.org>
- Re: Opt out style recommends
  - From: Harlan Lieberman-Berg <hlieberman@debian.org>
- Re: Opt out style recommends
  - From: Adam Borowski <kilobyte@angband.pl>
- Re: Opt out style recommends
  - From: Jonas Smedegaard <dr@jones.dk>
- Re: Opt out style recommends
  - From: Adam Borowski <kilobyte@angband.pl>

Prev by Date: Re: Opt out style recommends
Next by Date: Re: Opt out style recommends
Previous by thread: Re: Opt out style recommends
Next by thread: Re: Opt out style recommends
Index(es):
- Date
- Thread