Bug#768376: [Pkg-libvirt-maintainers] Bug#768376: [libvirt-daemon-system]

Sun, 30 Jan 2022 05:57:18 -0800 

On Mi, 26 ian 22, 20:30:37, de...@sumpfralle.de wrote:
> Hello,
> 
> given the recent CVE-2021-4034 (gaining local root access via "policykit-1"), 
> I
> would like to raise this request again: it would be great, if the
> libvirt-daemon-system package would reduce its hard dependency ("Depends") on
> "policykit-1" to a soft dependency ("Recommends").
> 
> If I understand your previous comment correctly, then this is technically
> feasible (i.e. "it just works"):
> 
> On Tue, 7 Jul 2015 07:15:06 +0200 Guido Günther <a...@sigxcpu.org> wrote:
> > I do agree that being able to go without polkit would be nice but a
> > similar situation with virt-manger showed that Recommends: are just not
> > enough. Many people skip them and then report bugs if you use Recommends
> > for a package that's needed in 95% of the installations. I'm just not up
> > to handle these.
> 
> 
> I understand, that such bug reports can take effort.
> But I think, the circumstances changed meanwhile (since 2015): "apt" installs
> "Recommends" by default (see `apt-config dump | grep -w Recommends`), thus 
> there
> should be only very few users who are manually overriding this setting.
> And I think, there is a fair chance, that these users know what they are 
> doing.
> 
> The Debian Policy [2] also advises to use "Recommends" in this case.
> 
> Please reduce the "Depends" relationship towards "policykit-1" down to
> "Recommends".
> 
> Thank you for maintaining this package!

Yes!
 
> [1] https://www.debian.org/security/2022/dsa-5059
> [2] https://www.debian.org/doc/debian-policy/ch-relationships.html

This bug came up in a sub-thread on debian-user, also in relation to 
DSA-5059:

https://lists.debian.org/debian-user/2022/01/msg01166.html

Just in case it helps, anecdotally I can confirm that at least on 
debian-user problems due to missing packages that are only Recommends: 
have been both extremely rare in the past years and treated as an 
unsupported configuration.

Hope this helps,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser

Attachment: signature.asc
Description: PGP signature

Reply via email to