Hi Ansgar!

On Sat, Jan 06, 2024 at 07:50:47PM +0100, Ansgar wrote:
> That doesn't help much unless one takes special care. This is what
> installing python3-poetry in a Podman container looks like:
> [...]
> 
> Now try not to install an init system, dbus, ... in an application
> container wanting to use python3-poetry to install some Python
> application.
> 
> And this still doesn't ensure that:
> 1. dbus is actually running in the context where python3-secretstorage is
>    used,
> 2. the Dbus interface python3-secretstorage wants to talk to is actually
>    provided by a service
>
> (For 2. it doesn't even have a Depends: gnome-keyring | alternatives
> either which is inconsistent with the dependency on Dbus...)

gnome-keyring | alternatives is in Recommends, not in Depends.

The reason for that is because someone may want to use secretstorage
with a different server that is not listed there, and we do not have a
virtual package name that any such implementation can provide (like e.g.
notification-daemon is provided by 14 different packages).

> Also it's unknown whether that is actually useful or not (as
> python3-secretstorage is just a library that could not be relevant at all as
> the application's user might not actually want to manage secrets via
> keepassxc).
>
> It seems excessive to *always* require all of this to be installed for
> *any* use of python3-poetry (which can optionally use
> python3-secretstorage if that is even required).  bash doesn't depend on
> gnome-terminal either just because one needs some terminal to run it in ;-)

I think python3-secretstorage is completely useless without D-Bus.

So maybe this dependency chain should be cut at a higher level, e.g.
between python3-keyring and python3-secretstorage.

I am also the uploader of python3-keyring, so we can discuss it here.

I can suggest two solutions:

1. Replace python3-keyring → python3-secretstorage Depends with Recommends.
2. Keep it Depends, but add some alternatives, e.g. python3-secretstorage
   | python3-keyrings.alt.

Will any of that work for you?

Some background: python3-keyring has different backends. In Debian, the
following may be relevant:

- The Secret Service backend (using python3-secretstorage). The major
  implementations of the Secret Service interface are GNOME Keyring, KWallet
  and KeePassXC.

- The legacy KWallet D-Bus backend (KWallet supports Secret Service in
  recent versions, so the usefulness of it is limited).

- File-based backends provided by python3-keyrings.alt. The plain-text
  file backend is insecure and not recommended; the encrypted file
  backend is using getpass() to get the password so it can be used in
  CLI applications, but less useful in GUI ones.

See also some related discussion in this Ubuntu bug:
https://bugs.launchpad.net/ubuntu/+source/python-secretstorage/+bug/2041695

--
Dmitry Shachnev
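
An added example, not part of the original message and not code from python3-keyring: a check an application could run before storing a secret, mapping the backend that keyring selected to the backend types listed in the background above and refusing the plain-text file backend. The function names, category labels and refusal policy are assumptions of this example.

```python
"""Added example: audit which python3-keyring backend is active before storing a secret."""

# Backend classes by (module, class name), grouped as in the message's background list.
# Module paths are those of the keyring and keyrings.alt Python packages.
KNOWN = {
    ("keyring.backends.SecretService", "Keyring"): "secret-service",
    ("keyring.backends.kwallet", "DBusKeyring"): "kwallet-dbus",
    ("keyrings.alt.file", "EncryptedKeyring"): "encrypted-file",
    ("keyrings.alt.file", "PlaintextKeyring"): "plaintext-file",
    ("keyring.backends.fail", "Keyring"): "none",  # no usable backend was found
}
REFUSE = {"plaintext-file", "none"}  # policy assumed for this example


def classify(backend):
    """Return the category of one backend object, or 'unknown'."""
    cls = type(backend)
    return KNOWN.get((cls.__module__, cls.__name__), "unknown")


def audit(backend):
    """Return (categories, ok). A chaining backend is expanded into its members."""
    if classify(backend) == "unknown" and hasattr(backend, "backends"):
        members = list(backend.backends)  # keyring's ChainerBackend lists members here
    else:
        members = [backend]
    cats = [classify(b) for b in members]
    # Conservative: a single refused member fails the whole audit.
    ok = bool(cats) and not any(c in REFUSE for c in cats)
    return cats, ok


def audit_active():
    """Audit whatever backend keyring selects in the current environment."""
    try:
        import keyring  # provided by python3-keyring
    except ImportError:
        return ["none"], False
    return audit(keyring.get_keyring())


if __name__ == "__main__":
    cats, ok = audit_active()
    print("backends:", ", ".join(cats), "->", "ok" if ok else "refusing to store secrets")
```
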
