23.01.2017 10:55, Rob J. Epping wrote:
> Hi,
>
> qemu 1:2.8+dfsg-1 has hit jessie-backports.
>
> With the fix for bug #839695 my server now wants to install 67 X11/GTK
> related new packages. This is on a headless server where this is just
> more attack surface, i.e. less security.
>
> Would it be possible to make the X11/GTK stuff optional? Maybe by
> creating 2 binary versions for example a -gtk and a -nox version.

Please see #813658.

In brief, being a 20+ years paranoic sysadmin myself, I don't see it being a security threat. Either we fix all needed X client libs to not depend on X itself (ie, being split into a headless and headful part), or we live with this. People want features even on a headless server (eg, 3d support via spice), -- this will bring half of X anyway. So making just display optional doesn't work.

Thanks,

/mjt