On Mon, Jun 07, 2021 at 08:52:32PM +0900, Olaf Meeuwissen wrote:
> >> Package changes:
> >> + fuse 2.9.9-1+deb10u1 amd64
> >> + libpipewire-0.2-1 0.2.5-1 amd64
> >> + xdg-desktop-portal 1.2.0-1 amd64
> >> + xdg-desktop-portal-gtk 1.2.0-1 amd64
> >
> > Yes, these are the actual new dependencies.
>
> Plus whatever these depend on that wasn't already installed.

This is the complete list of extra dependencies pulled by xdg-desktop-portal-gtk on a clean buster system with libwebkit2gtk-4.0-37 but no other recommended packages installed:

The following NEW packages will be installed:
  fuse libfuse2 libpipewire-0.2-1 xdg-desktop-portal xdg-desktop-portal-gtk

> > Future security updates and buster backports will Suggest
> > xdg-desktop-portal-gtk, although in bullseye it will still be a
> > recommendation.
>
> Good. I don't mind packages acquiring Recommends in testing/unstable.
> I do mind when that happens in stable-security.

I understand, but note that although in this particular case it shouldn't have been a Recommends, we cannot guarantee that in general. The WebKit packages in Debian follow the upstream stable branches and, like all other major browser engines, they have frequent security updates.

> Bloat.
> Increased attack surface.

Using xdg-desktop-portal-gtk is actually a consequence of the WebKit processes now running inside a sandbox for security reasons, so there is a trade-off between not using the sandbox at all or using the sandbox but recommending (not depending on) the portals. I chose the latter.

> Just let this be a warning for *all* stable-security packages to
> pay some extra attention to changing dependencies. If it's only
> changing versions of packages already depended upon, that's _probably_
> okay. New packages should raise a red flag.

It was taken into account, and that was one of the reasons why it was downgraded to a recommendation (it was initially a dependency).

Regards,
Berto
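The check Olaf asks for, namely treating any NEW package pulled in by a stable-security update as a red flag, can be automated against a dry run. The script below is an added example and is not from either participant or from the Debian WebKit packaging: it parses the "The following NEW packages will be installed:" section of `apt-get -s` output and compares it against a baseline file of expected package names (one per line; the baseline format is this example's own convention). The sample output is constructed from the package names quoted in the thread.

```shell
#!/bin/sh
# Added example: flag NEW packages that a simulated upgrade would pull in.
# The input is the text of `apt-get -s upgrade` (or `apt-get -s install ...`).
# SAMPLE_APT_OUTPUT is constructed from the package names quoted in the thread;
# it is not captured from a real system.
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  fuse libfuse2 libpipewire-0.2-1 xdg-desktop-portal xdg-desktop-portal-gtk
The following NEW packages will be installed:
  fuse libfuse2 libpipewire-0.2-1 xdg-desktop-portal xdg-desktop-portal-gtk
The following packages will be upgraded:
  libjavascriptcoregtk-4.0-18 libwebkit2gtk-4.0-37
2 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.'

# new_packages: read apt-get -s output on stdin and print, one per line, the
# packages listed under "The following NEW packages will be installed:".
# apt indents the package list with two spaces; the first non-indented line
# ends the section.
new_packages() {
    awk '
        /^The following NEW packages will be installed:/ { grab = 1; next }
        grab && /^  / { for (i = 1; i <= NF; i++) print $i; next }
        grab { grab = 0 }
    '
}

# flag_unexpected BASELINE_FILE: read package names on stdin and print every
# one that is not present (exact match) in BASELINE_FILE. Returns 1 if any
# unexpected package was seen, 0 otherwise, so it can gate a pipeline.
flag_unexpected() {
    baseline=$1
    found=0
    while IFS= read -r pkg; do
        if ! grep -qxF -- "$pkg" "$baseline"; then
            printf 'NEW dependency not in baseline: %s\n' "$pkg"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone demonstration: list what the constructed dry run would add.
printf '%s\n' "$SAMPLE_APT_OUTPUT" | new_packages
```

In practice the baseline is the set of packages the previous version of the security update already depended on, and a non-zero exit from `flag_unexpected` is the signal to look at the changelog before accepting the update.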