Re: Uninstalling a package removes other essential packages: What is the best course of action?
On Tue, Feb 15 2022 at 06:56:28 PM, Stella Ashburne <rewefie@gmx.com> wrote:
> Hello The Wanderer
>
>> Sent: Monday, February 14, 2022 at 8:48 PM
>> From: "The Wanderer" <wanderer@fastmail.fm>
>> To: debian-user@lists.debian.org
>> Subject: Re: Uninstalling a package removes other essential
>> packages: What is the best course of action?
>>
>>
>> Do you have any reason to believe that it might? As compared to any
>> other random library that Debian provides.
>>
> No, I don't have the technical knowledge to audit libthai. My point is:
> why pull in non-English dependencies for an English-language
> installation? Doing so may increase the chance of attacks by
> hackers.
>
> The argument that an app, library or distro is open source does not
> really mitigate the risks of attacks.
>
> Consider the below decade-old bugs that had been "hiding" in plain sight:
>
> CVE-2016-5195 (Dirty COW)
> CVE-2014-0160 (Heartbleed)
> CVE-2016-8655
> CVE-2017-6074
> CVE-2021-3156 (Baron_Samedit)
>
You'll have to make your case in a bug report on the relevant package
(pango?). The usual Debian position is to enable as many options as
possible, so that the same binary package will work for a wide variety
of users.
If this does not suit your security posture, you'll need to do one or
more of the following:
- take your concerns to the upstream developers (they might need more
concrete reasons than what you have so far)
- build the packages yourself with the offending features disabled
- uninstall the packages and manage without the additional packages that
get removed
- isolate the packages you have issues with (and everything that depends
on them) in separate virtual machines or other isolation mechanisms
that satisfy your security requirements
- pay someone to audit the codebase so your security needs are met (but
first check with upstream if they will be willing to act on issues
discovered during audit; if not you'll need other arrangements).
Perhaps you could offer to run one or more of the automated tools that
can help with finding security issues (there are various open-source
and proprietary tools in this area).
--
regards,
kushal