>
> Hi Jörg,

> Unlike cups, which hardly makes sense without a daemon, saned is not
> absolutely necessary.
>

That is exactly why we should split it out as a separate package.

The user should be able to choose not to install saned, without that choice
preventing the user from running scanimage. I would very kindly point out
that Fedora and Red Hat do split these out as separate packages.

> Also, saned is not activated by default during installation. So I don't see
> any problem in the installation, even from a security point of view.
>

That is not the reality of how organizations approach security though. Even
if the daemon is not activated, it may still be a compliance issue to have
a daemon with a known vulnerability present on the system at all. It is
best to not install daemons that are never used, in order to reduce the
amount of time spent applying security updates to unused software.

This also did not address my point about Debian-based Docker containers
which use scanimage, such as scanservjs. Containers often try to include
only the minimum software required, and typically they do not even have
systemd or any init system.

> As in bug #987800, I therefore see no reason for splitting.
>

I am in the process of submitting a merge request for the Debian packaging
files. Could you kindly keep this bug open, and let's take a look at that
once I submit it?

Thank you,

David
