On Sun, Sep 06, 2020 at 09:48:26AM +0200, Helmut Grohne wrote:
> Package: base-passwd
> Version: 3.5.47
> Severity: wishlist
>
> Hi Colin,
>
> I was again looking into how essential could be trimmed further and I
> stumbled into adduser. Technically, adduser is not transitively
> essential. However, apt (which isn't essential) currently depends on
> adduser. I consider apt essential for any practical purpose though, so
> I'd argue that adduser is kinda de facto essential.
>
> So if we want to remove adduser from a minimal installation, we'd have
> apt stop depending on it. Now apt uses it for the obvious thing: adding
> an _apt user. Given that this user will be present on practically all
> Debian systems, what would you think about adding _apt to base-passwd?

+1 from my side.

>
> The adduser package has an installed size of 849KB. This is about 1% of
> an essential chroot (depending on how far you trim it by other means).
>
> Doing so is not entirely trivial though. _apt is already present on
> Debian systems and it owns at least /var/cache/apt/archives/partial.
> Changing the uid to a static allocation may be impossible. On the other
> hand, libapt always chowns it to _apt, so maybe changing the uid is
> indeed harmless. I've Cced deity to get an answer here.

I'm mostly just worried about users using file:/ or copy:/ methods and
having given _apt access to them, they'd break.

I think it'd be best if we don't change existing _apt users, but only
dealt with new systems for now.

I mean we could prompt users about changing the uid

>
> Then technically, we'd add _apt to base-passwd and make apt.postinst
> skip the adduser call if _apt is present. apt can then "Depends:
> base-passwd (>= ...) | adduser" and have a smooth transition.
>
> A possible risk of this change is that other packages will suddenly
> become rc-buggy for missing a dependency on adduser as adduser is
> presently de facto essential.

They are RC-buggy already. There are real systems not using apt; e.g.
people build application containers where they remove apt in the final
step.

>
> Another benefit of this change (if a static uid is allocated) is that we
> improve reproducible installations where currently uids may depend on
> configuration order.

+1

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

