Your message dated Wed, 23 Mar 2005 20:11:10 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#301132: aptitude: should not pull in -dev packages and/or 
compilers in a default installation
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Mar 2005 22:55:26 +0000
>From [EMAIL PROTECTED] Wed Mar 23 14:55:25 2005
Return-path: <[EMAIL PROTECTED]>
Received: from tornado.dat.etsit.upm.es (dat.etsit.upm.es) [138.100.17.73] 
        by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
        id 1DEEl3-0005CJ-00; Wed, 23 Mar 2005 14:55:25 -0800
Received: (qmail 610 invoked by uid 1013); 23 Mar 2005 22:55:23 -0000
Date: Wed, 23 Mar 2005 23:55:23 +0100
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: aptitude: should not pull in -dev packages and/or compilers in a 
default installation
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="pf9I7BMVVzbSWLtt"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--pf9I7BMVVzbSWLtt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: aptitude
Version: 0.2.15.8-1
Priority: important

[Note: This has happened to me a few times while testing d-i and I had not
nailed down the root cause, but after my last installation (see installation
report sent as bug #301112), I've investigated a bit.]

When doing a default installation just selecting the 'Desktop' task, a user
will end up with a lot of development packages including gcc, g++,
libc6-dev, kernel-headers-dev and lots of other -dev packages.

I believe the culprit here is aptitude, which pulls down Suggests: happily
trying to be helpful for the end-user (and usually is) but which ends up
generating an over-bloated system. It doesn't make sense to have desktop
systems with a C/C++ compiler and, what's worse, those tools can easily be
used by worm writers to have a more efficient worm propagation (as
demonstrated by the Slapper worm back in 2002 [1]).

Why does aptitude pull in gcc et al.? I believe it's because of dpkg-dev.

Package: dpkg-dev
Priority: standard
Section: utils
(...)
Recommends: c-compiler
            ^^^^^^^^^^
So gcc is pulled in (Provides: c-compiler) and with it (through
dependencies) bison, flex, make, autoconf, gdb, libc-dev (libc6-dev) and on
and on..

IMHO, aptitude should not have pulled in the c-compiler because of that
recommendation. So either the 'standard' priority set for dpkg-dev is
wrong (since most users don't actually need this tool) or aptitude should
avoid pulling a c-compiler through Recommends:

Actually, I think that aptitude should do for -dev packages exactly the
same that it does for -doc packages. Ignore them in Recommends:. This could
maybe be relaxed a bit if the user is installing a -dev package (so he
obviously wants development packages) so how about having a rule saying:
"-dev packages are ignored in Recommends: unless selecting a -dev
package:"?

BTW, I've also noticed this:

Package: apt
(...)
Suggests: aptitude | synaptic | gnome-apt | wajig, dpkg-dev, apt-doc
                                                    ^^^^^^^^
But since dpkg-dev is suggested then aptitude would not pull it in,
correct?

Please fix this before the next stable release is made or otherwise we'll
end up with lots of users wondering why they all have a C-compiler
installed!

Regards

Javier

[1] Please also read "A Slap Upside the Head"
http://www.hackinglinuxexposed.com/articles/20020924.html

"   Minimal Software Installations
          The worm requires gcc to compile the .bugtraq.c file. If you
          didn't install gcc, then the worm will fail before even if it
          managed to break into your web server. Just as you'd turn off a
          daemon you aren't using, why keep software installed that you
          don't need? It only gives an attacker another tool that can
          make the cracking easier.
"

--pf9I7BMVVzbSWLtt
--pf9I7BMVVzbSWLtt--

---------------------------------------
Received: (at 301132-done) by bugs.debian.org; 24 Mar 2005 01:11:26 +0000
>From [EMAIL PROTECTED] Wed Mar 23 17:11:26 2005
Return-path: <[EMAIL PROTECTED]>
Received: from f05s05.cac.psu.edu (f05n05.cac.psu.edu) [128.118.141.48] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DEGsf-0006by-00; Wed, 23 Mar 2005 17:11:26 -0800
Received: from jester.burrows.local (pool-141-151-236-206.alt.east.verizon.net 
[141.151.236.206])
        (authenticated bits=0)
        by f05n05.cac.psu.edu (8.13.2/8.13.2) with ESMTP id j2O1BNKG020074
        (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT)
        for <[EMAIL PROTECTED]>; Wed, 23 Mar 2005 20:11:24 -0500
From: Daniel Burrows <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Bug#301132: aptitude: should not pull in -dev packages and/or 
compilers in a default installation
Date: Wed, 23 Mar 2005 20:11:10 -0500
User-Agent: KMail/1.7.2
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Message-Id: <[EMAIL PROTECTED]>
Content-Type: multipart/signed;
  boundary="nextPart1263892.q3YdeMpJDi";
  protocol="application/pgp-signature";
  micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

--nextPart1263892.q3YdeMpJDi
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

  <sarcasm>Thanks for the slap upside the head</sarcasm>, but aptitude has
never done anything as stupid as automatically installing Suggested packages
by default, and in the latest version that option (automatic installation of
Suggests) isn't even available precisely because it is pretty much always
harmful.

  If you don't want certain packages to be installed on a default Debian
system, go talk to the debian-installer, tasksel, and ftpmaster teams, as well
as the maintainers of packages that are installed by default (if they have
inappropriate Depends and/or Recommends lines).  I will not modify aptitude
to second-guess the people who are in charge of configuring the default
Debian installation.  (if they need more features in order to precisely
specify what should be installed, of course, I'm open to that)

  Daniel

-- 
/------------------- Daniel Burrows <[EMAIL PROTECTED]> ------------------\
|                   Apostrophes are not a warning that a                    |
|                   word is about to end in an "s".                         |
\------------ Evil Overlord, Inc: http://www.eviloverlord.com --------------/

--nextPart1263892.q3YdeMpJDi
--nextPart1263892.q3YdeMpJDi--
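
An added example, not part of either message above and not aptitude's code: a small tracer over constructed control stanzas that returns the relation chain bringing a package in, so the effect of following Depends, Recommends or Suggests can be compared. The gcc Depends line and the helper names `parse` and `why` are assumptions; only the first alternative of each clause is tried and version constraints are not handled.

```python
from collections import deque

# Constructed stanzas: the dpkg-dev Recommends and apt Suggests lines are the
# ones quoted in the report; gcc's Depends line is an assumed stand-in.
STANZAS = """\
Package: apt
Suggests: aptitude | synaptic | gnome-apt | wajig, dpkg-dev, apt-doc

Package: dpkg-dev
Recommends: c-compiler

Package: gcc
Provides: c-compiler
Depends: libc6-dev

Package: libc6-dev
"""

def parse(text):
    """Map package -> {field: [[alternative, ...], ...]} (no version handling)."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        pkgs[fields["Package"]] = {
            key: [[a.strip() for a in clause.split("|")]
                  for clause in fields.get(key, "").split(",") if clause.strip()]
            for key in ("Depends", "Recommends", "Suggests", "Provides")}
    return pkgs

def why(pkgs, roots, target, follow=("Depends", "Recommends")):
    """Shortest chain of followed relations from roots to target, or None."""
    providers = {}
    for name, rel in pkgs.items():
        for clause in rel["Provides"]:
            providers.setdefault(clause[0], []).append(name)
    queue, seen = deque((r, [r]) for r in roots), set(roots)
    while queue:
        name, chain = queue.popleft()
        if name == target:
            return chain
        for field in follow:
            for clause in pkgs[name][field]:
                first = clause[0]  # simplification: only the first alternative
                for cand in ([first] if first in pkgs else providers.get(first, [])):
                    if cand not in seen:
                        seen.add(cand)
                        queue.append((cand, chain + [f"{field}: {first}", cand]))
    return None
```

On an installed system the same question is answered by `aptitude why gcc`; the `follow` tuple here plays the role of the resolver's policy on which relation types are installed automatically.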

