Package: chromium
Followup-For: Bug #1005230

Hi,

I ship chromium in prisons, where we extremely do not want unprivileged users to be able to add new drivers (fuse) and applications (flatpak/bubblewrap/xdg-desktop-portal). [*]

The fix for #1005230 added indirect dependencies on fuse and bubblewrap.
The error report for #1005230 only specifically mentioned GTK3.
Are these other "portal" dependencies *really* needed now?

If they are needed, I can deal with it.
If they aren't needed, is it feasible to define the hard dependencies more precisely?
Or downgrade xdg-desktop-portal to a Recommends?
(I repackage a few things in-house like linux and vlc, but I'm frankly too scared to try that with chromium.)

As a sanity-check, I see that libwebkit2gtk-4.0-37 needs bubblewrap (but not fuse), and firefox-esr needs neither.

[*] I have a bunch of other layers to block these, but "libfuse* isn't even installed" is a really nice layer to have.
    e.g. detainee kernels have CONFIG_FUSE_FS disabled (though CONFIG_USER_NS is enabled due to systemd).

-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-0.bpo.2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chromium-common depends on:
ii  libc6       2.31-13+deb11u2
ii  libstdc++6  10.2.1-6
ii  libx11-6    2:1.7.2-1
ii  libxext6    2:1.3.3-1.1
ii  x11-utils   7.7+5
ii  xdg-utils   1.1.3-4.1
ii  zlib1g      1:1.2.11.dfsg-2

Versions of packages chromium-common recommends:
pn  chromium-sandbox                    <none>
ii  fonts-liberation                    1:1.07.4-11
ii  gnome-shell [notification-daemon]   3.38.6-1~deb11u1
ii  libgl1-mesa-dri                     20.3.5-1
ii  libu2f-udev                         1.1.10-3
ii  notification-daemon                 3.20.0-4
ii  system-config-printer               1.5.14-1
ii  upower                              0.99.11-2