Bug#960133: downgrade dependencies on libgl1-mesa-dri to Recommends:
Package: libglx-mesa0
Version: 18.3.6-2+deb10u1
Control: found -1 19.3.3-1
Severity: wishlist
So far as I can tell, the usage of the DRI modules provided by
libgl1-mesa-dri by libglx-mesa0 is either optional or dependent
on the context. At the very least, circumventing these
dependencies produces no apparent ill effects with the packages
transitionally dependent on libglx-mesa0, such as x11-utils,
xvfb (via libgl1), and so on.
Given that the libgl1-mesa-dri package brings in some 60‒70 MB
of Installed-Size: due to libllvm alone – and also on headless
systems which cannot possibly benefit from having DRI modules
available – could the dependency on libgl1-mesa-dri please be
downgraded to Recommends:?
Background
I’m concerned with, specifically, the amount of runnable code in
the (base) system – and its implications on security. I assume
that /not/ having some package installed is ought to be the
ultimate guarantee that no security flaw in said package is going
to affect a given system. Hence is my interest in minimalistic
Debian installs.
As a workaround, I’ve installed an otherwise empty Provides:
libgl1-mesa-dri package [1], produced with nope.sh [2], like:
$ fakeroot -- nope libgl1-mesa-dri
[1] http://am-1.org/~ivan/dist/no-libgl1-mesa-dri_0.1_all.deb
[2] http://am-1.org/~ivan/src/nope.sh
--
FSF associate member #7257 http://am-1.org/~ivan/
Reply to: