Re: Opt out style recommends

To: debian-devel@lists.debian.org
Subject: Re: Opt out style recommends
From: Jonas Smedegaard <dr@jones.dk>
Date: Sat, 09 Apr 2016 10:27:20 +0200
Message-id: <[🔎] 146019044094.2028.16459652889294640393@auryn.jones.dk>
In-reply-to: <[🔎] 87lh4nlgrq.fsf@hope.eyrie.org>
References: <[🔎] D68F1898-86E9-40D1-A467-0BF4957883AD@onenetbeyond.org> <[🔎] 87zit4oj3h.fsf@setec.io> <[🔎] 20160408190522.GA26504@angband.pl> <[🔎] 146014507843.2028.6873922028027210378@auryn.jones.dk> <[🔎] 20160408233740.GA24954@angband.pl> <[🔎] 87lh4nlgrq.fsf@hope.eyrie.org>

Quoting Russ Allbery (2016-04-09 03:20:25)
> Adam Borowski <kilobyte@angband.pl> writes:
>> Like:
>> xfce4-power-manager -> upower -> libimobiledevice4 -> usbmuxd
>
>> Is the recommendation from libimobiledevice4 to usbmuxd valid?  Sure 
>> it is -- the library is useless without the daemon.
[...]
> So, where this goes wrong is the upower -> libimobiledevice4 
> dependency. As you say, the dependency is correct (or at least 
> correct-ish): we don't want to dlopen everything and try to push all 
> those patches upstream.  But this is the weakest link of this whole 
> chain, yet has the strongest dependency.
>
> I think a more correct fix would (unfortunately) involve a new binary 
> package field that we don't currently have: Depends-Shallow (for lack 
> of a better term) that acts like Depends *except* disables Recommends 
> processing for anything below the shallow dependencies in the tree.  
> So if everything you're installing only Depends-Shallow on 
> libimobiledevice4, you don't get the recommendation; if anything 
> straight depends on it, you do.

I disagree that we need a new field: Simply lower to at most suggest the 
daemon: It is for the daemon to declare a stronger dependency.

Anyone needing the daemon can install the daemon - you shouldn't expect 
libraries to pull in daemons (just as you shouldn't expect documentation 
to pull in binaries).


>> And, many maintainers could take this as an attack: "what, my package 
>> is useless?!?".  Like, openssh-server -> libwrap0 -> tcpd.  I'd say 
>> pretty much anyone today uses other means for limiting access to ssh; 
>> tcpd does have near-universal popcon (95.79%!) but protocols listed 
>> in its description (telnet ftp rsh rlogin finger) and complete dearth 
>> of new bug reports (it received tons in the past) make me think it's 
>> not actually used anymore.
> 
> I still use tcpd for openssh-server.  (This is not an argument for 
> keeping the chain, just a data point.)  tcpd, unlike iptables, can 
> whitelist domains.  It's weak security, but it's good for defense in 
> depth and making the constant brute force attacks die down a bit.

I agree it is no argument for keeping the chain: Those using tcpd can 
install that - or install a metapackage that depends on or recommends 
it.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: signature

Reply to:

Follow-Ups:
- Re: Opt out style recommends
  - From: Sune Vuorela <nospam@vuorela.dk>

References:
- Opt out style recommends
  - From: Pirate Praveen <praveen@onenetbeyond.org>
- Re: Opt out style recommends
  - From: Harlan Lieberman-Berg <hlieberman@debian.org>
- Re: Opt out style recommends
  - From: Adam Borowski <kilobyte@angband.pl>
- Re: Opt out style recommends
  - From: Jonas Smedegaard <dr@jones.dk>
- Re: Opt out style recommends
  - From: Adam Borowski <kilobyte@angband.pl>
- Re: Opt out style recommends
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Opt out style recommends
Next by Date: Re: Opt out style recommends
Previous by thread: Re: Opt out style recommends
Next by thread: Re: Opt out style recommends
Index(es):
- Date
- Thread