On Wed, 26 Jan 22, 20:30:37, de...@sumpfralle.de wrote:
> Hello,
>
> given the recent CVE-2021-4034 (gaining local root access via "policykit-1"), I
> would like to raise this request again: it would be great, if the
> libvirt-daemon-system package would reduce its hard dependency ("Depends") on
> "policykit-1" to a soft dependency ("Recommends").
>
> If I understand your previous comment correctly, then this is technically
> feasible (i.e. "it just works"):
>
> On Tue, 7 Jul 2015 07:15:06 +0200 Guido Günther <a...@sigxcpu.org> wrote:
> > I do agree that being able to go without polkit would be nice but a
> > similar situation with virt-manager showed that Recommends: are just not
> > enough. Many people skip them and then report bugs if you use Recommends
> > for a package that's needed in 95% of the installations. I'm just not up
> > to handle these.
>
>
> I understand, that such bug reports can take effort.
> But I think, the circumstances changed meanwhile (since 2015): "apt" installs
> "Recommends" by default (see `apt-config dump | grep -w Recommends`), thus there
> should be only very few users who are manually overriding this setting.
> And I think, there is a fair chance, that these users know what they are doing.
>
> The Debian Policy [2] also advises to use "Recommends" in this case.
>
> Please reduce the "Depends" relationship towards "policykit-1" down to
> "Recommends".
>
> Thank you for maintaining this package!

Yes!

> [1] https://www.debian.org/security/2022/dsa-5059
> [2] https://www.debian.org/doc/debian-policy/ch-relationships.html

This bug came up in a sub-thread on debian-user, also in relation to DSA-5059:

https://lists.debian.org/debian-user/2022/01/msg01166.html

Just in case it helps, anecdotally I can confirm that at least on debian-user problems due to missing packages that are only Recommends: have been both extremely rare in the past years and treated as an unsupported configuration.

Hope this helps,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser