
Re: Uninstalling a package removes other essential packages: What is the best course of action?



On Tue, Feb 15 2022 at 06:56:28 PM, Stella Ashburne <rewefie@gmx.com> wrote:
> Hello The Wanderer
>
>> Sent: Monday, February 14, 2022 at 8:48 PM
>> From: "The Wanderer" <wanderer@fastmail.fm>
>> To: debian-user@lists.debian.org
>> Subject: Re: Uninstalling a package removes other essential
>> packages: What is the best course of action?
>>
>>
>> Do you have any reason to believe that it might? As compared to any
>> other random library that Debian provides.
>>
> No, I don't have the technical knowledge to audit libthai. My point is
> that why pull in non-English dependencies for an English-language
> installation....Doing so may increase the chance of attacks by
> hackers.
>
> The argument that an app, library or distro is open source does not
> really mitigate the risks of attacks.
>
> Consider the below decade-old bugs that had been "hiding" in plain sight:
>
> CVE-2016-5195 (Dirty COW)
> CVE-2014-0160 (Heartbleed)
> CVE-2016-8655
> CVE-2017-6074
> CVE-2021-3156 (Baron Samedit)
>

You'll have to make your case in a bug report on the relevant package
(pango?).  The usual Debian position is to enable as many options as
possible, so that the same binary package will work for a wide variety
of users.

If this does not suit your security posture, you'll need to do one or
more of the following:

- take your concerns to the upstream developers (they might need more
  concrete reasons than what you have so far)

- build the packages yourself with the offending features disabled

- uninstall the packages and manage without the additional packages that
  get removed

- isolate the packages you have issues with (and everything that depends
  on them) in separate virtual machines or other isolation mechanisms
  that satisfy your security requirements

- pay someone to audit the codebase so your security needs are met (but
  first check with upstream if they will be willing to act on issues
  discovered during audit; if not you'll need other arrangements).
  Perhaps you could offer to run one or more of the automated tools that
  can help with finding security issues (there are various open-source
  and proprietary tools in this area)

-- 
regards,
kushal
