
Bug#528754: closed by Sune Vuorela <debian@pusling.com> (Re: Bug#528754: kdelibs do not build without avahi)

I didn't understand why you closed the bug. Seriously.
Do you have enough expertise to read the mentioned patch file? (./debian/patches/98_buildprep.diff)
If so, do it. If not, I will try to explain what I am seeing.

So, first, there is the original source package. It builds OK.
There are debianised sources - the added ./debian directory.
That directory contains the subdirectory ./patches.
When you build .deb binary packages, you usually run the debian/rules
makefile. And it unconditionally applies .diff files from the debian/patches
directory (it really doesn't ask you). That's not my modification, that's Debian's.
This report was about Debian package "kdelibs", not upstream's, not my own version.

What is wrong with Debian's modifications to the package:
It removes (otherwise provided by upstream) the option to build without
some questionable and purely optional feature like "dnssd",
which opens additional remote attack vectors, limited to the local network.
The files that come from Debian maintainers (do you represent any of them?)
break the configure process if there are no libavahi development files present
on the system.

I have already written to the debian desktop mailing list and
was told that I have the freedom to recompile binary .debs from
sources and without exactly that option.

This report was to inform everyone that this is no longer true for the Debian version
of kdelibs.
The problem is that:
 1. The original upstream version builds and works okay.
 2. My modifications to ./debian/patches/98_buildprep.diff (mostly to the ./configure part)
    allow building and running kdelibs without avahi dependencies and without dnssd,
    which suggests that the ./configure script was erroneously broken and without any cause.
    a) An optional usability feature became a core part of the package. Cool, but not everyone
       will benefit from that feature.
    b) That feature contradicts security in some way. Well, that is questionable, but you know...
    c) Sometimes it is safer to be able to exclude unneeded functionality from applications.
       Sometimes that is a REQUIREMENT.
    d) The optional security feature of being able to compile out the unneeded
       functionality was broken. But there was no real reason for that, except
       lack of expertise or mistype or what?..
    e) That change makes Debian more favorable for inexperienced OR lame users,
       and less favorable for users with special requirements.
Fix that, please.

Steps to reproduce the bug:
  1. apt-get source kdelibs
  2. apt-get build-dep kdelibs
  3. apt-get --purge remove libavahi-client-dev libavahi-common-dev libavahi-qt3-dev
  4. cd kdelibs-3.5.10.dfsg.1
  5. debian/rules binary

The mentioned version will not even start to compile here.

On Fri, May 15, 2009 at 10:09:03AM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the kdelibs package:
> #528754: kdelibs do not build without avahi
> It has been closed by Sune Vuorela <debian@pusling.com>.
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Sune Vuorela <debian@pusling.com> by
> replying to this email.
> -- 
> 528754: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528754
> Debian Bug Tracking System
> Contact owner@bugs.debian.org with problems

> From: Sune Vuorela <debian@pusling.com>
> To: 528754-done@bugs.debian.org
> Subject: Re: Bug#528754: kdelibs do not build without avahi
> Date: Fri, 15 May 2009 11:42:05 +0200
> On Friday 15 May 2009 11:17:53 root wrote:
> > Package: kdelibs
> > Version: 4:3.5.10.dfsg.1-2
> > Severity: serious
> > Justification: no longer builds from source
> >
> > I have found, that it is not possible to turn off some
> > questionable features, like dnssd.
> > patch debian/patches/98_buildprep.diff makes ./configure
> > fail without libavahi-dev installed.
> you modified the package and then it stopped building?
No. Debian modified the package.
> That's not a bug - and especially not a serious bug, thus closing.
Do you really care? If not, why are you closing the report?
> /Sune
> -- 
> Man, how might I rename a digital ISA file?
> The point is that you neither should ever send the file, nor need to cancel the 
> space bar of a site to a site for loading the hard disk.

> From: root <bugreporter@udmvt.ru>
> To: Debian Bug Tracking System <submit@bugs.debian.org>
> Subject: kdelibs do not build without avahi
> Date: Fri, 15 May 2009 14:17:53 +0500
> Package: kdelibs
> Version: 4:3.5.10.dfsg.1-2
> Severity: serious
> Justification: no longer builds from source
> I have found, that it is not possible to turn off some
> questionable features, like dnssd.
> patch debian/patches/98_buildprep.diff makes ./configure 
> fail without libavahi-dev installed.
> That is true for Debian/unstable users.
> Is that correct, that zeroconf, dnssd, auto-configuration,
> auto-publication, auto-discovery, etc. services are now the core of KDE
> and not the optional usability improvements (sometimes unneeded),
> that opens additional attack vectors (silently)?
> If so, why is it true for Debian and not true for upstream?
> Still, it is possible (by hand-editing patch files) to compile
> debianized kdelibs without extra dependencies on libavahi.
> So here is the additional wishlist:
>  * fix the ./configure, put back or add new --without- and --disable- options
>  * split all the questionable improvements into separate packages
>  * make kdelibs Suggest such features or Recommend, but not Depend on them.
> -- System Information:
> Debian Release: squeeze/sid
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: i386 (i686)
> Kernel: Linux 2.6.18-spg (SMP w/2 CPU cores; PREEMPT)
> Locale: LANG=C, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
> Shell: /bin/sh linked to /bin/bash
> Versions of packages kdelibs depends on:
> ii  kdelibs-data           4:3.5.10.dfsg.1-2 core shared data for all KDE appli
> ii  kdelibs4c2a            4:3.5.10.dfsg.1-2 core libraries and binaries for al
> kdelibs recommends no packages.
> kdelibs suggests no packages.
> -- no debconf information
