Bug#895260: kde-cli-tools: Hard dependency on sudo, which weakens system security
Control: reassign -1 src:kdesu
Control: severity -1 wishlist
Control: retitle -1 Please use the su backend (instead of sudo) by default

On Monday, 9 April 2018 01:58:15 CEST Alex Hvostov wrote:
> Package: kde-cli-tools
> Version: 4:5.10.5-2
> kde-cli-tools 4:5.12.4-1 has a hard dependency on kdesu, which
> indirectly depends on sudo, making it impossible to upgrade KDE without
> creating a serious, unnecessary security risk.

We clearly disagree on considering sudo a security concern. At least, not from the kde packaging point of view. I'm downgrading the severity value to wishlist.

From the packaging point of view, kdesu links against libkf5su5, thus the hard dependency; that's not a bug in kde-cli-tools. And in turn libkf5su5 uses sudo by default [1]. So, I'm reassigning this bug to src:kdesu.

> Frankly, I consider it a bug that sudo is available in Debian at all.
> Others obviously disagree, but that's no reason to tie unrelated
> packages to it like this.
>
> Please move kdesu into its own package, and make it optional again.

The kdesu tool isn't optional; it's even used by kio to handle certain desktop files.

> In the meantime, others with my concern can mitigate this risk by
> neutralizing sudo before installing it. To do that, run the following
> command (as root) before installing sudo:
>
> # dpkg-statoverride --add root root 644 /usr/bin/sudo

Or replacing sudo with a locally equivs-generated package, or rebuilding libkf5su5 without the sudo dependency and defaulting back to su.

Happy hacking,

[1]: https://salsa.debian.org/qt-kde-team/kde/kdesu/blob/master/debian/rules#L10

--
"Brilliant opportunities are cleverly disguised as insolvable problems."
 -- Gardener's Philosophy
"The reverse is also true."
 -- Corollary

Saludos /\/\ /\ >< `/
Bug#895260: kde-cli-tools: Hard dependency on sudo, which weakens system security
Package: kde-cli-tools
Version: 4:5.10.5-2
Severity: important

Dear Maintainer,

kde-cli-tools 4:5.12.4-1 has a hard dependency on kdesu, which indirectly depends on sudo, making it impossible to upgrade KDE without creating a serious, unnecessary security risk.

Frankly, I consider it a bug that sudo is available in Debian at all. Others obviously disagree, but that's no reason to tie unrelated packages to it like this.

Please move kdesu into its own package, and make it optional again.

In the meantime, others with my concern can mitigate this risk by neutralizing sudo before installing it. To do that, run the following command (as root) before installing sudo:

# dpkg-statoverride --add root root 644 /usr/bin/sudo

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages kde-cli-tools depends on:
ii  kde-cli-tools-data    4:5.10.5-2
ii  kio                   5.37.0-2
ii  libc6                 2.26-6
ii  libkf5completion5     5.37.0-2
ii  libkf5configcore5     5.37.0-2
ii  libkf5configwidgets5  5.37.0-2
ii  libkf5coreaddons5     5.37.0-3
ii  libkf5i18n5           5.37.0-2
ii  libkf5iconthemes5     5.37.0-2
ii  libkf5kcmutils5       5.37.0-2
ii  libkf5kiocore5        5.37.0-2
ii  libkf5kiowidgets5     5.37.0-2
ii  libkf5service-bin     5.37.0-2
ii  libkf5service5        5.37.0-2
ii  libkf5su-bin          5.37.0-2
ii  libkf5su5             5.37.0-2
ii  libkf5widgetsaddons5  5.37.0-2
ii  libkf5windowsystem5   5.37.0-2
ii  libqt5core5a          5.9.2+dfsg-9
ii  libqt5dbus5           5.9.2+dfsg-9
ii  libqt5gui5            5.9.2+dfsg-9
ii  libqt5svg5            5.9.2-3
ii  libqt5widgets5        5.9.2+dfsg-9
ii  libqt5x11extras5      5.9.2-1
ii  libstdc++6            7.3.0-1
ii  libx11-6              2:1.6.4-3

kde-cli-tools recommends no packages.

kde-cli-tools suggests no packages.

-- no debconf information
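As an added example (not part of the report or the maintainer's reply), a POSIX sh script that verifies whether the dpkg-statoverride mitigation from the report is actually in effect on a host: it parses `dpkg-statoverride --list` output (a constructed sample is embedded) and checks the installed binary's setuid bit. The function names, including `check_host`, are my own.

```shell
#!/bin/sh
# Added example, not from the bug report: verify that the statoverride
# mitigation for /usr/bin/sudo is in effect and will survive upgrades.
# Two facts must hold: (1) dpkg records an override for the path whose
# mode lacks the setuid bit, so a later upgrade of sudo re-applies the
# harmless mode; (2) the installed file currently has no setuid bit.
# A plain chmod satisfies only (2) and is undone by the next upgrade.

# mode_has_setuid OCTAL: succeed if the octal mode (e.g. 4755, 0644)
# has the setuid bit (04000) set.
mode_has_setuid() {
    m=0000$1
    m=${m#"${m%????}"}            # keep the last four digits only
    case "$m" in
        [4-7]???) return 0 ;;
        *)        return 1 ;;
    esac
}

# override_mode LISTING PATH: print the mode recorded for PATH in LISTING
# (output of `dpkg-statoverride --list`, one "user group mode path" per
# line); print nothing if no override is recorded.
override_mode() {
    printf '%s\n' "$1" | while read -r _user _group mode path; do
        [ "$path" = "$2" ] && { printf '%s\n' "$mode"; break; }
    done
}

# audit_override LISTING PATH: 0 = non-setuid override recorded,
# 1 = no override recorded, 2 = override recorded but still setuid.
audit_override() {
    mode=$(override_mode "$1" "$2")
    [ -n "$mode" ] || return 1
    mode_has_setuid "$mode" && return 2
    return 0
}

# file_has_setuid PATH: succeed if PATH exists with the setuid bit set.
file_has_setuid() { [ -u "$1" ]; }

# Constructed sample, as `dpkg-statoverride --list` would print it after
# the command from the report (plus an unrelated, still-setuid entry).
SAMPLE_LISTING='root root 644 /usr/bin/sudo
root root 4755 /usr/bin/passwd'

# check_host (hypothetical name): run the live check on the current host;
# exit status 0 means sudo is neutralised and the override is recorded.
check_host() {
    listing=$(dpkg-statoverride --list 2>/dev/null || true)
    audit_override "$listing" /usr/bin/sudo && ! file_has_setuid /usr/bin/sudo
}
```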