Package: kde-cli-tools
Version: 4:5.10.5-2
Severity: important

Dear Maintainer,

kde-cli-tools 4:5.12.4-1 has a hard dependency on kdesu, which
indirectly depends on sudo, making it impossible to upgrade KDE without
creating a serious, unnecessary security risk.

Frankly, I consider it a bug that sudo is available in Debian at all.
Others obviously disagree, but that's no reason to tie unrelated
packages to it like this.

Please move kdesu into its own package, and make it optional again.

In the meantime, others with my concern can mitigate this risk by
neutralizing sudo before installing it. To do that, run the following
command (as root) before installing sudo:

# dpkg-statoverride --add root root 644 /usr/bin/sudo

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages kde-cli-tools depends on:
ii  kde-cli-tools-data    4:5.10.5-2
ii  kio                   5.37.0-2
ii  libc6                 2.26-6
ii  libkf5completion5     5.37.0-2
ii  libkf5configcore5     5.37.0-2
ii  libkf5configwidgets5  5.37.0-2
ii  libkf5coreaddons5     5.37.0-3
ii  libkf5i18n5           5.37.0-2
ii  libkf5iconthemes5     5.37.0-2
ii  libkf5kcmutils5       5.37.0-2
ii  libkf5kiocore5        5.37.0-2
ii  libkf5kiowidgets5     5.37.0-2
ii  libkf5service-bin     5.37.0-2
ii  libkf5service5        5.37.0-2
ii  libkf5su-bin          5.37.0-2
ii  libkf5su5             5.37.0-2
ii  libkf5widgetsaddons5  5.37.0-2
ii  libkf5windowsystem5   5.37.0-2
ii  libqt5core5a          5.9.2+dfsg-9
ii  libqt5dbus5           5.9.2+dfsg-9
ii  libqt5gui5            5.9.2+dfsg-9
ii  libqt5svg5            5.9.2-3
ii  libqt5widgets5        5.9.2+dfsg-9
ii  libqt5x11extras5      5.9.2-1
ii  libstdc++6            7.3.0-1
ii  libx11-6              2:1.6.4-3

kde-cli-tools recommends no packages.

kde-cli-tools suggests no packages.

-- no debconf information
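
One way to check that the stat override described above is registered and has taken effect, as an added example that is not part of the original bug report. It assumes the `dpkg-statoverride --list` line layout of owner, group, mode, path, runs on a constructed sample listing, and treats "neutral" as no setuid/setgid bit and no execute bit; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a dpkg stat override that strips setuid/exec from a binary.
# Constructed sample of `dpkg-statoverride --list` output: owner group mode path.
SAMPLE_OVERRIDES='root root 644 /usr/bin/sudo
root crontab 2755 /usr/bin/crontab
root messagebus 4754 /usr/lib/dbus-1.0/dbus-daemon-launch-helper'

# Print the override mode registered for path $1; the listing is read on stdin.
# Exit status is non-zero when the path has no override (paths with spaces unsupported).
override_mode() {
    awk -v p="$1" '$4 == p { print $3; found = 1; exit } END { exit !found }'
}

# Succeed if octal mode $1 carries no setuid/setgid bit and no execute bit.
# Returns 2 when $1 is not an octal number.
mode_is_neutral() {
    case "$1" in ''|*[!0-7]*) return 2 ;; esac
    [ $(( 0$1 & 06111 )) -eq 0 ]
}

# Succeed if the file on disk is not setuid, not setgid and not executable.
# Returns 2 when the file does not exist (package not installed yet).
file_is_neutral() {
    [ -e "$1" ] || return 2
    [ ! -u "$1" ] && [ ! -g "$1" ] && [ ! -x "$1" ]
}

# Report both views for path $1: the registered override (listing in $2)
# and the mode actually present on disk.
audit() {
    path=$1 listing=$2
    if mode=$(printf '%s\n' "$listing" | override_mode "$path"); then
        if mode_is_neutral "$mode"; then echo "override $mode: neutral"
        else echo "override $mode: still setuid/setgid or executable"; fi
    else
        echo "no override registered for $path"
    fi
    if file_is_neutral "$path"; then echo "on disk: neutral"
    else echo "on disk: missing, setuid/setgid or executable"; fi
}

# On a real system pass "$(dpkg-statoverride --list)" instead of the sample.
audit /usr/bin/sudo "$SAMPLE_OVERRIDES"
```

Checking the file on disk as well as the override database catches the case where the override was added after the package was already unpacked and the mode was never changed.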
