Re: Uninstalling a package removes other essential packages: What is the best course of action?
On Sun, Feb 13, 2022 at 07:31:58AM +0100, Stella Ashburne wrote:
> Hello Dearie
>
> I am happy to hear from you again and hope that everything's fine with you and your family.
>
> > Sent: Sunday, February 13, 2022 at 6:23 AM
> > From: "David" <bouncingcats@gmail.com>
> > To: "debian-user" <debian-user@lists.debian.org>
> > Subject: Re: Uninstalling a package removes other essential packages: What is the best course of action?
> >
> >
> > But, why do you care? There may be many packages installed
> > that you will never notice that you will never use.
> > Why pick on this one?
> >
> > libthai appears to not occupy much disk space:
> >
> >
> > So there's hardly any win for the effort.
> >
>
> Indeed, you asked a very pertinent question.
>
> "Why pick on this one?", you asked.
>
> It just happens that this file was in my installed Debian. I have checked for other non-English files and found none other than Thai files.
>
> "But, why do you care?" you wondered.
>
> I care because I am worried that it may contain poorly designed code or backdoors that enable root privileges without my explicit intervention. Nobody has bothered to audit the Thai files that I mentioned for integrity and probable malicious activity.
>
> > Alternatively, don't install lxqt-core. Only install what you want.
> > Some ideas here:
> > https://wiki.debian.org/ReduceDebian
> >
> > Naturally this kind of thing takes time and effort which you may
> > or may not find is worthwhile depending on your goals, and
> > what you choose to spend productive time doing.
> >
> You're right. I don't have the time nor the intellectual capacity
> to customize my Debian setup. I'll just have to look for other
> ways to install a custom Debian without foreign-language files.
I think there is a more fundamental issue here, that may call in to
question whether Debian is suitable for you at all.
You focus on "foreign-language files" perhaps because with limited
experience these stand out to you as being worthless to you, so a
prime candidate for removal in the goal of having the most
slimmed-down and therefore secure operating system.
The problem is that this is antithetical to the entire way that
Debian is designed. Since Debian distributes binary packages,
someone at some point has to decide what optional features each
package will have baked into it, and everyone gets those (and all
their dependencies) whether they use those features or not.
Now in some cases the programs themselves can detect at runtime what
features are present and disable those that aren't. This enables the
package maintainer to split up the package into a core package and
several optional packages (might be "Recommends" rather than
"Depends" in Debian parlance). So in that case there is some degree
of control over what features are present.
Also there are some packages that can be compiled in such different
ways that they warrant having different variants with different
compile-time options. For example, there is exim-daemon-light which
does the basic job, but for a more feature-rich experience you'd
want exim-daemon-heavy, which is the same application but with many
extras compiled in and a much bigger dependency list as a result.
But these examples are outliers and most moderately complex packages
in Debian have just one variant and no modularity, so the maintainer
has erred on the side of features and enabled pretty much
everything.
Therefore what I am saying is, Debian starts from a position of
enabling and installing a lot of dependencies that you may never
use, so if you don't like that, you don't like Debian. I am
suggesting that the only reason why this isn't more obvious to you
is that you probably don't notice what (the fictional example)
libfoobarbaz3 might be, but you DO notice libthai and wonder why you
have Thai things on your system. Yet both things have the
possibility to include buggy code that an attacker might leverage.
The task you seem to want to set yourself, that of auditing what is
the minimal software requirement and only installing that, is a big
one. I am not convinced that it's a good use of time and on the
whole the risk proposition of having unused and unaudited code
sitting on your storage isn't that bad especially if you take other
steps to improve security ("defence in depth"). However, it is your
time to use as you please. I am suggesting that if you want to do
this, Debian may not be a great place to start from.
If you want an operating system where you have high levels of
customisation over how each and every package is compiled, such that
you can disable every feature that you don't need, I think you want
a source-based operating system like Gentoo, NixOS or Guix. Or you
could go for one like Arch where the core operating system is quite
small but you can build additional software to your whim:
https://wiki.archlinux.org/title/Arch_Build_System
If that "ports" style of system appeals, then you may even consider
going for something BSD-based like OpenBSD which tries to have a
very small and security-audited base OS, with additional software
compiled and added by the user through ports.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Reply to: