Bug#895260: kde-cli-tools: Hard dependency on sudo, which weakens system security
Package: kde-cli-tools
Version: 4:5.10.5-2
Severity: important
Dear Maintainer,
kde-cli-tools 4:5.12.4-1 has a hard dependency on kdesu, which
indirectly depends on sudo, making it impossible to upgrade KDE without
creating a serious, unnecessary security risk.
Frankly, I consider it a bug that sudo is available in Debian at all.
Others obviously disagree, but that's no reason to tie unrelated
packages to it like this.
Please move kdesu into its own package, and make it optional again.
In the meantime, others with my concern can mitigate this risk by
neutralizing sudo before installing it. To do that, run the following
command (as root) before installing sudo:
# dpkg-statoverride --add root root 644 /usr/bin/sudo
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages kde-cli-tools depends on:
ii kde-cli-tools-data 4:5.10.5-2
ii kio 5.37.0-2
ii libc6 2.26-6
ii libkf5completion5 5.37.0-2
ii libkf5configcore5 5.37.0-2
ii libkf5configwidgets5 5.37.0-2
ii libkf5coreaddons5 5.37.0-3
ii libkf5i18n5 5.37.0-2
ii libkf5iconthemes5 5.37.0-2
ii libkf5kcmutils5 5.37.0-2
ii libkf5kiocore5 5.37.0-2
ii libkf5kiowidgets5 5.37.0-2
ii libkf5service-bin 5.37.0-2
ii libkf5service5 5.37.0-2
ii libkf5su-bin 5.37.0-2
ii libkf5su5 5.37.0-2
ii libkf5widgetsaddons5 5.37.0-2
ii libkf5windowsystem5 5.37.0-2
ii libqt5core5a 5.9.2+dfsg-9
ii libqt5dbus5 5.9.2+dfsg-9
ii libqt5gui5 5.9.2+dfsg-9
ii libqt5svg5 5.9.2-3
ii libqt5widgets5 5.9.2+dfsg-9
ii libqt5x11extras5 5.9.2-1
ii libstdc++6 7.3.0-1
ii libx11-6 2:1.6.4-3
kde-cli-tools recommends no packages.
kde-cli-tools suggests no packages.
-- no debconf information
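The mitigation the report describes, worked through as an added example (this script is not part of the bug report or of the kde-cli-tools package; the function names are this example's own, and the dpkg-statoverride invocation follows the dpkg manual). It checks whether a binary carries the setuid bit, records the override, and verifies afterwards that the override is on record and the bit is gone. The one caveat a practitioner wants: the reporter's command only takes effect at the next install or upgrade of the package, so if sudo is already installed, pass --update as well so the permissions are changed immediately.

```sh
#!/bin/sh
# Added example, not part of the bug report.  Function names are this
# example's own; dpkg-statoverride flags are from the dpkg manual.
set -eu

# has_setuid_bit FILE: true if FILE exists and has the setuid bit (04000).
# Uses find(1) -perm, which is POSIX, rather than GNU stat -c.
has_setuid_bit() {
    [ -e "$1" ] || return 2
    [ -n "$(find "$1" -prune -perm -4000 -print)" ]
}

# is_setuid_root FILE: true if FILE is setuid AND owned by root, the
# combination that makes sudo a privilege boundary worth worrying about.
is_setuid_root() {
    has_setuid_bit "$1" || return 1
    [ -n "$(find "$1" -prune -user root -print)" ]
}

# neutralize_setuid FILE: record a dpkg override so the file is installed as
# root:root 0644 (no setuid bit, not even executable).  --update also applies
# the override right now if the file already exists, which matters when sudo
# is already on the system rather than about to be pulled in by kde-cli-tools.
# Must be run as root.
neutralize_setuid() {
    dpkg-statoverride --add --update root root 644 "$1"
}

# verify_neutralized FILE: exit 0 only if the override is on record
# (dpkg-statoverride --list exits 1 when none matches) and the file is no
# longer setuid, so a later package upgrade cannot silently restore 4755.
verify_neutralized() {
    dpkg-statoverride --list "$1" >/dev/null || return 1
    ! has_setuid_bit "$1"
}

# Usage: run as root with --apply [FILE] to neutralize FILE (default
# /usr/bin/sudo).  Without arguments only the functions are defined, so the
# file can be sourced and the checks reused.
if [ "${1:-}" = "--apply" ]; then
    target=${2:-/usr/bin/sudo}
    if is_setuid_root "$target" 2>/dev/null; then
        echo "$target is currently setuid root" >&2
    fi
    neutralize_setuid "$target"
    verify_neutralized "$target" && echo "$target neutralized"
fi
```

Two notes on the design. Mode 0644 (the reporter's choice) makes sudo unusable for everyone; an override of 0755 would keep the binary runnable but drop the setuid bit, which is enough to remove the privilege escalation path while leaving `sudo -V` and the like working. And `dpkg-statoverride --add` refuses to overwrite an existing override for the same path, so on a system where one is already recorded, inspect it with `dpkg-statoverride --list /usr/bin/sudo` first rather than re-running the add.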