Hi Alberto,

Alberto Garcia writes:

> On Mon, Jun 07, 2021 at 08:52:32PM +0900, Olaf Meeuwissen wrote:
>> >> Package changes:
>> >>
>> >> + fuse 2.9.9-1+deb10u1 amd64
>> >> + libpipewire-0.2-1 0.2.5-1 amd64
>> >> + xdg-desktop-portal 1.2.0-1 amd64
>> >> + xdg-desktop-portal-gtk 1.2.0-1 amd64
>> >
>> > Yes, these are the actual new dependencies.
>>
>> Plus whatever these depend on that wasn't already installed.
>
> This is the complete list of extra dependencies pulled
> by xdg-desktop-portal-gtk on a clean buster system with
> libwebkit2gtk-4.0-37 but no other recommended packages installed.
>
> The following NEW packages will be installed:
>   fuse libfuse2 libpipewire-0.2-1 xdg-desktop-portal xdg-desktop-portal-gtk
>
>> > Future security updates and buster backports will Suggest
>> > xdg-desktop-portal-gtk, although in bullseye it will still be a
>> > recommendation.
>>
>> Good. I don't mind packages acquiring Recommends in testing/unstable.
>> I do mind when that happens in stable-security.
>
> I understand, but note that although in this particular case it
> shouldn't have been a Recommends, we cannot guarantee that in general.
> The WebKit packages in Debian follow the upstream stable branches
> and like all other major browser engines they have frequent security
> updates.

Thanks for the additional info. I understand that Debian's decision to
follow upstreams for selected packages (all of them browser related IIRC)
because backporting security fixes was not feasible may occasionally
trigger installation of a new library package. That's fine.

>> Bloat.
>> Increased attack surface.
>
> Using xdg-desktop-portal-gtk is actually a consequence of the webkit
> processes now running inside a sandbox for security reasons, so there
> is a trade-off between not using the sandbox at all or using the
> sandbox but recommending (not depending on) the portals. I chose the
> latter.

I see. Perhaps that could have been communicated in NEWS.Debian. Then
at least I might have seen it explained during the upgrade.

Even if I had opted not to include the Recommends:, I would have been
able to make up my mind about adding them or not. Just a thought.

>> Just let this be a warning for *all* stable-security packages to
>> pay some extra attention to changing dependencies. If it's only
>> changing versions of packages already depended upon, that's _probably_
>> okay. New packages should raise a red flag.
>
> It was taken into account, and that was one of the reasons why it was
> downgraded to a recommendation (it was initially a dependency).

Again, thanks for the extra info.

--
Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
 Support Free Software https://my.fsf.org/donate
 Join the Free Software Foundation https://my.fsf.org/join
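A small pre-upgrade check prompted by the "new packages should raise a red flag" point above, added here as an example and not part of the thread or of any Debian tooling: it parses the output of an `apt-get -s upgrade` simulation and refuses to proceed when packages that are not installed yet would be pulled in, so an operator can review them first. The sample simulation output is constructed to mirror the list quoted in the thread, not captured from a real run.

```shell
#!/bin/sh
# Extract the names of packages an apt simulation would newly install.
# Input: output of `apt-get -s upgrade` (or dist-upgrade) on stdin.
# Output: one package name per line; nothing when no NEW packages appear.
# apt prints the header line and then wraps the names over lines that
# start with two spaces, so collect those until the next unindented line.
new_packages_from_sim() {
    awk '
        /^The following NEW packages will be installed:/ { in_list = 1; next }
        in_list && /^  / { for (i = 1; i <= NF; i++) print $i; next }
        { in_list = 0 }
    '
}

# Gate: return 1 (listing the offenders on stderr) when the simulated
# upgrade would install packages that are not on the system yet.
# Intended use on a host:  apt-get -s upgrade | check_no_new_packages
check_no_new_packages() {
    pkgs=$(new_packages_from_sim)
    if [ -n "$pkgs" ]; then
        printf 'Upgrade would install NEW packages, review before proceeding:\n%s\n' "$pkgs" >&2
        return 1
    fi
    return 0
}

# Constructed sample (assumption: this is how apt would have reported the
# libwebkit2gtk update discussed in the thread; not real captured output).
SAMPLE_SIM='Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  fuse libfuse2 libpipewire-0.2-1 xdg-desktop-portal xdg-desktop-portal-gtk
The following packages will be upgraded:
  libwebkit2gtk-4.0-37
1 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.'

# Demo on the constructed sample (uncomment to run stand-alone):
# printf '%s\n' "$SAMPLE_SIM" | check_no_new_packages
```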