Your message dated Wed, 3 Jan 2007 04:36:58 -0800
with message-id <[EMAIL PROTECTED]>
and subject line priority change on your package(s)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: dpkg-dev
Version: 1.10.27
Priority: important
Tags: patch

[Note: This has happened to me a few times while testing d-i and I had not
nailed down the root cause but after my last installation (see installation
report sent as bug #301112), I've investigated a bit.]

When doing a default installation just selecting the 'Desktop' task, a user 
will end up with a lot of development packages including gcc, g++, 
libc6-dev, kernel-headers-dev and lots of other -dev packages.

The culprit here might be dpkg-dev, pulled in by aptitude because it's 
priority standard. Dpkg-dev recommends a c-compiler and aptitude happily 
takes Recommends for the system and downloads all of them:

Package: dpkg-dev
Priority: standard
Section: utils
(...)
Recommends: c-compiler
            ^^^^^^^^^^ 

So gcc is pulled in (Provides: c-compiler) and with it (through
dependencies) bison, flex, make, autoconf, gdb, libc-dev (libc6-dev) and on
and on..

Now, the Debian policy says:

   standard
          These packages provide a reasonably small but not too limited
          character-mode system. This is what will be installed by
          default if the user doesn't select anything else. It doesn't
          include many large applications.

I fail to see how dpkg-dev fits in that category as most users will _not_ 
build debian packages at all. The current tasks defined in tasksel (and 
used by base-config) are: database-server, dns-server, file-server, 
mail-server, print-server and desktop environments (in different languages).
None of those tasks need a C-compiler, nor do they need dpkg-dev at all. 
Joey Hess removed the debian-devel task a while back (May 2001) with the 
following changelog:

    - Killed debian-dev(el) task, since it does not meet our task criteria
      -- nowhere near 10% of debian users are debian developers (we hope!),
      and probably not enough regular users will use this package to make
      up the difference. This is my own package, so I'm willing to be
      persuaded otherwise, though..

Joey also removed some other development tasks (c-dev, java-dev, 
python-dev, kernel-compile) in June 2004 too.

It certainly does not make sense to me to have desktop systems with a C/C++
compiler and, what's worse, those tools can easily be used by worm writers
to have a more efficient worm propagation (as demonstrated by the Slapper
worm back in 2002 [1]).

Please fix this before the next stable release is made or otherwise we'll 
end up with lots of users wondering why they all have a C-compiler 
installed!


Regards

Javier

[1] Please also read "A Slap Upside the Head"
http://www.hackinglinuxexposed.com/articles/20020924.html

"   Minimal Software Installations
          The worm requires gcc to compile the .bugtraq.c file. If you
          didn't install gcc, then the worm will fail before even if it
          managed to break into your web server. Just as you'd turn off a
          daemon you aren't using, why keep software installed that you
          don't need? It only gives an attacker another tool that can
          make the cracking easier.
"

Patch for this :-)

$ diff -u control.orig control
--- control.orig        2005-03-24 00:07:37.000000000 +0100
+++ control     2005-03-24 00:08:04.000000000 +0100
@@ -47,7 +47,7 @@

 Package: dpkg-dev
 Section: utils
-Priority: standard
+Priority: optional
 Architecture: all
 Depends: perl5, perl-modules, cpio (>= 2.4.2-2), patch (>= 2.2-1), make, 
binutils
 Recommends: c-compiler
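
Review bot: Lowering only the Priority of dpkg-dev (the -/+ pair) leaves the unchanged context lines "Depends: ... make, binutils" and "Recommends: c-compiler" in place, so the fix depends on the packages that satisfy them not being priority standard themselves. Suggest checking the priority of make, binutils and every provider of c-compiler and lowering those in the same change where needed; otherwise a default install can still carry the toolchain even though dpkg-dev is no longer selected.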



--- End Message ---
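
The chain described in the report (a standard-priority package, its Recommends on the virtual package c-compiler, and gcc providing it) can be checked mechanically over package stanzas. This is an added example, not part of the original messages and not code from dpkg or aptitude; the stanzas are constructed and abbreviated, and the function names are hypothetical.

```python
import re

# Constructed, abbreviated stanzas modelled on the report (not real archive data).
SAMPLE = """\
Package: dpkg-dev
Priority: standard
Depends: perl5, make, binutils
Recommends: c-compiler

Package: gcc
Priority: optional
Provides: c-compiler
Depends: cpp (>= 4.1), binutils, libc6-dev | libc-dev

Package: libc6-dev
Priority: optional
Depends: linux-kernel-headers

Package: less
Priority: standard
"""

def parse(text):
    """Return {package: {field: value}} from blank-line separated stanzas."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        pkgs[fields["Package"]] = fields
    return pkgs

def names(value):
    """Split a relationship field; keep the first alternative, drop versions."""
    items = (item.split("|")[0] for item in value.split(",") if item.strip())
    return [re.sub(r"\(.*?\)", "", i).strip() for i in items]

def pulled_in(pkgs, priority="standard", follow=("Depends", "Recommends")):
    """Map each package installed for `priority` to the chain that pulled it in."""
    providers = {v: p for p, f in pkgs.items() for v in names(f.get("Provides", ""))}
    chains = {p: [p] for p, f in pkgs.items() if f.get("Priority") == priority}
    queue = list(chains)
    while queue:
        cur = queue.pop(0)
        for field in follow:
            for dep in names(pkgs.get(cur, {}).get(field, "")):
                real = dep if dep in pkgs else providers.get(dep, dep)  # resolve virtual
                if real not in chains:
                    chains[real] = chains[cur] + [real]
                    queue.append(real)
    return chains
```

Calling `pulled_in(parse(SAMPLE))` shows gcc and linux-kernel-headers arriving through dpkg-dev; passing `follow=("Depends",)` or changing dpkg-dev to optional in the sample removes them from the result.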
--- Begin Message ---
In fixing bug #301138, several packages have been lowered to optional priority 
from standard priority, reflecting that our "standard" user is not a developer, 
and should not have a development environment installed.

If you're on the cc list, your package(s) have been affected.  Here's the 
complete list of packages:

bin86
binutils
binutils-hppa64
bison
flex
g++
g++-4.1
g++-4.2
gcc
gcc-4.1
gcc-4.1-hppa64
gcc-4.2
gcc-4.2-hppa64
gdb
linux-kernel-headers
make
manpages-dev
cpp
cpp-4.1
cpp-4.2
libc6-dev
libc6-dev-s390x
libc6-dev-sparc64
libc6.1-dev
libstdc++6-4.1-dev
libstdc++6-4.2-dev
dpkg-dev



--- End Message ---