Re: [DNG] Ascii packages with dependency on libsystemd0 ?

[Klaus Ethgen]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

Am Di den  2. Jan 2018 um 10:11 schrieb Mike Tubby:
> Over the new year holiday I decided to debootstrap ascii on to our ARM-based
> vehicle router and have it working, which is good, however when installing
> openssh-server I notice that it pulled in libsystemd0:

Yes, and it has some insecurity patches that was refused by upstream and
even the debian maintainer himself is not sure anymore if it was a good
idea.

If you wish, you can use my debian-security repo to get a recompiled
version without systemd and without that patch above. You can, of course
also build them yourself, I have the full sources over there.

deb ftp://tschil.ethgen.ch/pub/debian-security ceres unofficial-secured
deb-src ftp://tschil.ethgen.ch/pub/debian-security ceres unofficial-secured

Regards
   Klaus
- -- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-BEGIN PGP SIGNATURE-
Comment: Charset: ISO-8859-1

iQGzBAEBCgAdFiEEMWF28vh4/UMJJLQEpnwKsYAZ9qwFAlpLYJYACgkQpnwKsYAZ
9qy7RQv+Lcks7COx29fmQFGrxfMcTwN5hvWrlT4qOyaQFtGoliqbimHndaCLdXcl
rP/3FCDmPOBZWgPsWE6FRS3bA1/Jmf+0KF4ufp5tr2UNgfso30Hfho0nAgP18AJA
ByGNN0qEpr3OUEt5LhujQznb7+GIEQ+HqD9s65r5usxu3HJVhLNrjSmHefbWmf6J
MEzHIDn1r5lrQ4/Y4XpuK5/ayaOmYWym6dHCSEv07i+Q7ktpidS6rKAjVFnHOaaA
NUDK5wex05PERQWsjPJB6IlgeqAFrfQl6osTEbVASB1RA6bmn/YAj6W99G3hBa0r
BFFymRuRHMUXXSZUC14ZB0cJEiFt3Mj72MqCMpPf8X+rY6sgNdcJJb3imMhxfRu+
+hN6pn7/5atGW+cPKvje6RUQADX60ZEpzTQ5P7U50hKTcD9GcOAcfuO8Be/h0LXA
ugLUBr+7qOhIfxaGFmT1/cltCezeAm5jKZq8RvsslUa0Yf4VyzB7HyNLx2LJay06
GHc1DABS
=9BPi
-END PGP SIGNATURE-
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Ascii packages with dependency on libsystemd0 ?

[KatolaZ]

On Tue, Jan 02, 2018 at 09:11:45AM +, Mike Tubby wrote:

[cut]

>   libxext6 libxmuu1 ncurses-term openssh-client openssh-server
>   openssh-sftp-server ucf xauth
> 0 upgraded, 20 newly installed, 0 to remove and 2 not upgraded.
> Need to get 3847 kB of archives.
> After this operation, 14.5 MB of additional disk space will be used.
> Do you want to continue? [Y/n]
> 
> I'm not sure whether this is expected behavior for a system without systemd
> or not?
> 

There is no reason to fork (and maintain) a package just to remove a
dependency on a library that cannot be called or used. The plan for
Devuan Beowulf (ASCII+1) is to include a shim that Provides:
libsystemd.

HND

KatolaZ


-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab  ]  
[ "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[   @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[ @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]


signature.asc
Description: Digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Ascii packages with dependency on libsystemd0 ?

[Mike Tubby]

On 1/2/2018 9:27 AM, Irrwahn wrote:

Mike Tubby wrote on 02.01.2018 10:11:

All,

Over the new year holiday I decided to debootstrap ascii on to our ARM-based 
vehicle router and have it working, which is good, however when installing 
openssh-server I notice that it pulled in libsystemd0:

[...]

   libkrb5support0 *libsystemd0* libx11-6 libx11-data libxau6 libxcb1 libxdmcp6

[...]


I'm not sure whether this is expected behavior for a system without systemd or 
not?

This is AIUI perfectly fine, as libsystemd0 is (for the
time being) a kind of stub library that is used in cases
where systemd is not installed. IIRC, the consensus on
this list, after some debate, was that it does no harm
in and of itself, and allowing it in actually takes the
burden of the Devuan developers/maintainers to fork every
single Debian package that has even the ever so slightest
dependency on systemd.


That's what I thought might be the case.



Nonetheless, IMVHO, it should be closely monitored for the
foreseeable future for any indications of non-trivial code
sneaking in there.


Perhaps package libsystemd0 should be a wrapper for another package 
called libsystemd-compat or libsystemd-shim with any real functionality 
in the second package built from the ground up so that entanglement into 
non-trival systemd related code is spotted/avoided ...




TL;DR: On a full-blown Devuan desktop system you probably
cannot easily avoid it, but its (mostly ;o) harmless.


H ... 'mostly' harmless ;-)




Best regards,
Urban



___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Ascii packages with dependency on libsystemd0 ?

[Irrwahn]

Mike Tubby wrote on 02.01.2018 10:11:
> All,
> 
> Over the new year holiday I decided to debootstrap ascii on to our ARM-based 
> vehicle router and have it working, which is good, however when installing 
> openssh-server I notice that it pulled in libsystemd0:
[...]
>   libkrb5support0 *libsystemd0* libx11-6 libx11-data libxau6 libxcb1 libxdmcp6
[...]

> I'm not sure whether this is expected behavior for a system without systemd 
> or not?

This is AIUI perfectly fine, as libsystemd0 is (for the 
time being) a kind of stub library that is used in cases 
where systemd is not installed. IIRC, the consensus on 
this list, after some debate, was that it does no harm 
in and of itself, and allowing it in actually takes the 
burden of the Devuan developers/maintainers to fork every 
single Debian package that has even the ever so slightest 
dependency on systemd.

Nonetheless, IMVHO, it should be closely monitored for the 
foreseeable future for any indications of non-trivial code 
sneaking in there.

TL;DR: On a full-blown Devuan desktop system you probably 
cannot easily avoid it, but its (mostly ;o) harmless.

Best regards,
Urban

-- 
Sapere aude!


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

[DNG] Ascii packages with dependency on libsystemd0 ?

[Mike Tubby]

All,

Over the new year holiday I decided to debootstrap ascii on to our 
ARM-based vehicle router and have it working, which is good, however 
when installing openssh-server I notice that it pulled in libsystemd0:


root@orac:/# apt-get install openssh-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  krb5-locales libgssapi-krb5-2 libk5crypto3 libkeyutils1 libkrb5-3
  libkrb5support0 libsystemd0 libx11-6 libx11-data libxau6 libxcb1 
libxdmcp6
  libxext6 libxmuu1 ncurses-term openssh-client openssh-sftp-server ucf 
xauth

Suggested packages:
  krb5-doc krb5-user keychain libpam-ssh monkeysphere ssh-askpass 
molly-guard

  rssh ufw
Recommended packages:
  libpam-systemd
The following NEW packages will be installed:
  krb5-locales libgssapi-krb5-2 libk5crypto3 libkeyutils1 libkrb5-3
  libkrb5support0 *libsystemd0* libx11-6 libx11-data libxau6 libxcb1 
libxdmcp6

  libxext6 libxmuu1 ncurses-term openssh-client openssh-server
  openssh-sftp-server ucf xauth
0 upgraded, 20 newly installed, 0 to remove and 2 not upgraded.
Need to get 3847 kB of archives.
After this operation, 14.5 MB of additional disk space will be used.
Do you want to continue? [Y/n]

I'm not sure whether this is expected behavior for a system without 
systemd or not?



Mike

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng