
Bug#895260: kde-cli-tools: Hard dependency on sudo, which weakens system security



Control: reassign -1 src:kdesu
Control: severity -1 wishlist
Control: retitle -1 Please use the su backend (instead of sudo) by default

On Monday, 9 April 2018 01:58:15 CEST Alex Hvostov wrote:
> Package: kde-cli-tools
> Version: 4:5.10.5-2

> kde-cli-tools 4:5.12.4-1 has a hard dependency on kdesu, which
> indirectly depends on sudo, making it impossible to upgrade KDE without
> creating a serious, unnecessary security risk.

We clearly disagree on considering sudo a security concern. At least, not from 
the kde packaging point of view. I'm downgrading the severity value to 
wishlist.

From the packaging point of view, kdesu links against libkf5su5, hence the 
hard dependency; that's not a bug in kde-cli-tools. And in turn libkf5su5 uses 
sudo by default [1]. So, I'm reassigning this bug to src:kdesu.

> Frankly, I consider it a bug that sudo is available in Debian at all.
> Others obviously disagree, but that's no reason to tie unrelated
> packages to it like this.

> Please move kdesu into its own package, and make it optional again.
 
The kdesu tool isn't optional, it's even used by kio to handle certain 
desktop files.

> In the mean time, others with my concern can mitigate this risk by
> neutralizing sudo before installing it. To do that, run the following
> command (as root) before installing sudo:
 
> # dpkg-statoverride --add root root 644 /usr/bin/sudo

Or replace sudo with a locally equivs-generated package, or rebuild 
libkf5su5 without the sudo dependency, defaulting back to su.

Happy hacking,

[1]: https://salsa.debian.org/qt-kde-team/kde/kdesu/blob/master/debian/rules#L10
-- 
"Brilliant opportunities are cleverly disguised as insolvable problems."
-- Gardener's Philosophy

"The reverse is also true." -- Corollary
 Saludos /\/\ /\ >< `/
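
Added example, not part of the bug report or of the kdesu/sudo packages: a small POSIX shell script showing what the dpkg-statoverride mitigation quoted above actually does to the binary, and how to check it. It works on a constructed fake-sudo script in a temporary directory (an assumption for the demo), so it needs no root and never touches the real /usr/bin/sudo; the real dpkg-statoverride commands are only printed.

```shell
#!/bin/sh
# Added example (not from the bug report). Demonstrates, on a constructed
# copy, what "dpkg-statoverride --add root root 644 /usr/bin/sudo" does to
# the file mode, and gives a check a practitioner can run afterwards.

# Returns 0 if $1 is a regular file that is executable with the setuid bit
# set (a privilege boundary any local user can cross), 1 otherwise.
is_setuid_executable() {
    f=$1
    [ -f "$f" ] && [ -u "$f" ] && [ -x "$f" ]
}

# Mode 644 is what the override records: it strips the setuid bit AND all
# execute bits. On Linux even root cannot exec a file with no execute bit,
# so sudo is fully inert until the override is removed and sudo reinstalled.
neutralize() {
    chmod 644 "$1"
}

# The real-system commands (need root and the dpkg database), printed only.
show_override_commands() {
    cat <<'EOF'
# before installing sudo:
dpkg-statoverride --add root root 644 /usr/bin/sudo
# after the KDE upgrade, confirm the override is still recorded:
dpkg-statoverride --list /usr/bin/sudo
# to undo: drop the override, then reinstall sudo to get its packaged mode back
dpkg-statoverride --remove /usr/bin/sudo && apt-get install --reinstall sudo
EOF
}

# Constructed demo: a fake "sudo" shipped setuid-root-style (4755), then
# neutralized. Prints "<before> <after>", expected "setuid safe".
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho would-be-root\n' > "$d/fake-sudo"
    chmod 4755 "$d/fake-sudo"          # how a real sudo binary is installed
    before=$(is_setuid_executable "$d/fake-sudo" && echo setuid || echo safe)
    neutralize "$d/fake-sudo"
    after=$(is_setuid_executable "$d/fake-sudo" && echo setuid || echo safe)
    rm -rf "$d"
    echo "$before $after"
}

show_override_commands
demo
```

Two caveats the thread only implies: with sudo at mode 644 nobody can run it, root included, so kdesu's default sudo backend will simply fail for every "run as root" prompt; that is why the maintainer's alternative of rebuilding libkf5su5 to default to su (or switching the backend per user in kdesurc) matters if you still want those prompts to work. And re-check `dpkg-statoverride --list /usr/bin/sudo` after each upgrade: the override is what keeps dpkg from restoring 4755 when the sudo package is unpacked again.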
