[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Opt out style recommends

Quoting Russ Allbery (2016-04-09 03:20:25)
> Adam Borowski <kilobyte@angband.pl> writes:
>> Like:
>> xfce4-power-manager -> upower -> libimobiledevice4 -> usbmuxd
>> Is the recommendation from libimobiledevice4 to usbmuxd valid?  Sure 
>> it is -- the library is useless without the daemon.
> So, where this goes wrong is the upower -> libimobiledevice4 
> dependency. As you say, the dependency is correct (or at least 
> correct-ish): we don't want to dlopen everything and try to push all 
> those patches upstream.  But this is the weakest link of this whole 
> chain, yet has the strongest dependency.
> I think a more correct fix would (unfortunately) involve a new binary 
> package field that we don't currently have: Depends-Shallow (for lack 
> of a better term) that acts like Depends *except* disables Recommends 
> processing for anything below the shallow dependencies in the tree.  
> So if everything you're installing only Depends-Shallow on 
> libimobiledevice4, you don't get the recommendation; if anything 
> straight depends on it, you do.

I disagree that we need a new field: Simply lower to at most suggest the 
daemon: It is for the daemon to declare a stronger dependency.

Anyone needing the daemon can install the daemon - you shouldn't expect 
libraries to pull in daemons (just as you shouldn't expect documentation 
to pull in binaries).

>> And, many maintainers could take this as an attack: "what, my package 
>> is useless?!?".  Like, openssh-server -> libwrap0 -> tcpd.  I'd say 
>> pretty much anyone today uses other means for limiting access to ssh; 
>> tcpd does have near-universal popcon (95.79%!) but protocols listed 
>> in its description (telnet ftp rsh rlogin finger) and complete dearth 
>> of new bug reports (it received tons in the past) make me think it's 
>> not actually used anymore.
> I still use tcpd for openssh-server.  (This is not an argument for 
> keeping the chain, just a data point.)  tcpd, unlike iptables, can 
> whitelist domains.  It's weak security, but it's good for defense in 
> depth and making the constant brute force attacks die down a bit.

I agree it is no argument for keeping the chain: Those using tcpd can 
install that - or install a metapackage that depends on or recommends 

 - Jonas

 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: signature

Reply to: