Package: aptitude
Version: 0.2.15.8-1
Priority: important

[Note: This has happened to me a few times while testing d-i and I had not nailed down the root cause, but after my last installation (see the installation report sent as bug #301112) I've investigated a bit.]
When doing a default installation, just selecting the 'Desktop' task, a user will end up with a lot of development packages including gcc, g++, libc6-dev, kernel-headers-dev and lots of other -dev packages. I believe the culprit here is aptitude, which happily pulls down Suggests:, trying to be helpful for the end user (and usually it is), but which ends up generating an over-bloated system.

It doesn't make sense to have desktop systems with a C/C++ compiler and, what's worse, those tools can easily be used by worm writers to achieve more efficient worm propagation (as demonstrated by the Slapper worm back in 2002 [1]).

Why does aptitude pull in gcc et al.? I believe it's because of dpkg-dev:

Package: dpkg-dev
Priority: standard
Section: utils
(...)
Recommends: c-compiler
            ^^^^^^^^^^

So gcc is pulled in (Provides: c-compiler) and with it (through dependencies) bison, flex, make, autoconf, gdb, libc-dev (libc6-dev) and on and on. IMHO, aptitude should not have pulled in the c-compiler because of that recommendation. So either the 'standard' priority set for dpkg-dev is wrong (since most users don't actually need this tool) or aptitude should avoid pulling in a c-compiler through Recommends:.

Actually, I think that aptitude should do for -dev packages exactly the same as it does for -doc packages: ignore them in Recommends:. This could maybe be relaxed a bit if the user is installing a -dev package (so he obviously wants development packages), so how about having a rule saying "-dev packages are ignored in Recommends: unless selecting a -dev package"?

BTW, I've also noticed this:

Package: apt
(...)
Suggests: aptitude | synaptic | gnome-apt | wajig, dpkg-dev, apt-doc
                                            ^^^^^^^^

But since dpkg-dev is suggested, then aptitude would not pull it in, correct?

Please fix this before the next stable release is made or otherwise we'll end up with lots of users wondering why they all have a C compiler installed!
Regards

Javier

[1] Please also read "A Slap Upside the Head", http://www.hackinglinuxexposed.com/articles/20020924.html :

"Minimal Software Installations

The worm requires gcc to compile the .bugtraq.c file. If you didn't install gcc, then the worm will fail before even if it managed to break into your web server. Just as you'd turn off a daemon you aren't using, why keep software installed that you don't need? It only gives an attacker another tool that can make the cracking easier."
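The chain described in the report (dpkg-dev at Priority: standard, Recommends: c-compiler, gcc satisfying the virtual name and dragging in libc6-dev) can be reproduced on a toy package set. The following is an added example, not code from the bug report or from aptitude itself: the Packages-style stanzas are constructed, the resolver is a deliberate simplification (no versions, no conflicts, no scoring; first alternative and first Provides: provider win), and it models the three levers the report discusses: whether Recommends: is followed at all, the proposed "-dev ignored in Recommends: unless a -dev package was selected" rule, and the priority of dpkg-dev. The `why`/`chain` bookkeeping is this example's own way of explaining why a package landed, not an aptitude API.

```python
"""Toy model of how Recommends: pulls a C compiler onto a desktop install.
Added example, not code from the bug report or from aptitude; stanzas are
constructed and the resolver ignores versions, conflicts and scoring."""
import re

# Constructed Packages-style stanzas modelled on the report: dpkg-dev sits at
# Priority: standard and Recommends: the virtual c-compiler that gcc provides.
PACKAGES = """\
Package: apt
Priority: important
Suggests: aptitude | synaptic | gnome-apt | wajig, dpkg-dev, apt-doc

Package: dpkg-dev
Priority: standard
Recommends: c-compiler

Package: libc6
Priority: required

Package: gcc
Provides: c-compiler
Recommends: libc6-dev

Package: libc6-dev
Depends: libc6

Package: gnome-desktop
Depends: libc6
Recommends: gnome-doc

Package: gnome-doc

Package: libgnome-dev
Depends: libc6
"""

# d-i installs everything at these priorities even if nobody selected it.
SEED_PRIORITIES = {"required", "important", "standard"}


def parse_packages(text):
    """RFC822-style stanzas -> {package: {field: value}}."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, _, v in
                  (line.partition(":") for line in stanza.splitlines())}
        pkgs[fields["Package"]] = fields
    return pkgs


def parse_relation(value):
    """'a | b, c' -> [['a', 'b'], ['c']]: an and-list of or-groups."""
    if not value:
        return []
    return [[alt.strip() for alt in group.split("|")] for group in value.split(",")]


def providers(pkgs, name):
    """Real packages satisfying `name`, directly or through Provides:."""
    if name in pkgs:
        return [name]
    return [p for p, f in pkgs.items()
            if name in f.get("Provides", "").replace(" ", "").split(",")]


def skip_recommend(name, selected, dev_rule):
    """Drop -doc (what the report says aptitude already does) and, with
    dev_rule, drop -dev too unless the user explicitly selected a -dev package."""
    if name.endswith("-doc"):
        return True
    if dev_rule and name.endswith("-dev"):
        return not any(s.endswith("-dev") for s in selected)
    return False


def resolve(pkgs, selected, follow_recommends=True, dev_rule=False):
    """{package: reason} for `selected` plus priority seeds; Suggests: is never followed."""
    todo = [(n, "selected") for n in selected] + [
        (n, "priority") for n, f in pkgs.items() if f.get("Priority") in SEED_PRIORITIES]
    why = {}
    while todo:
        name, reason = todo.pop(0)
        if name in why:
            continue
        why[name] = reason
        wanted = [("Depends", g) for g in parse_relation(pkgs[name].get("Depends", ""))]
        if follow_recommends:
            wanted += [("Recommends", [a for a in g if not skip_recommend(a, selected, dev_rule)])
                       for g in parse_relation(pkgs[name].get("Recommends", ""))]
        for field, group in wanted:
            for alt in group:
                cands = providers(pkgs, alt)
                if cands:
                    via = f" (provided by {cands[0]})" if cands[0] != alt else ""
                    todo.append((cands[0], f"{name} {field}: {alt}{via}"))
                    break
    return why


def chain(why, name):
    """Walk reasons back to a seed, the way `aptitude why` explains a package."""
    steps = []
    while name in why:
        steps.append(f"{name} <- {why[name]}")
        if why[name] in ("selected", "priority"):
            break
        name = why[name].split()[0]
    return steps


if __name__ == "__main__":
    pkgs = parse_packages(PACKAGES)
    print("\n".join(chain(resolve(pkgs, ["gnome-desktop"]), "libc6-dev")))
```

Running it with only gnome-desktop selected lands gcc and libc6-dev on the system even though nothing the user chose needs them, and apt's Suggests: dpkg-dev plays no part. Two things worth noting from the model: the proposed -dev rule on its own removes libc6-dev but not gcc, because the recommendation that starts the chain names the virtual package c-compiler rather than a -dev package, so either not following that Recommends: or demoting dpkg-dev below standard priority is what actually keeps the compiler off the box. On a real system, later aptitude releases offer `aptitude why <package>` to print the actual chain, and the aptitude series of the report took `Aptitude::Recommends-Important "false";` in apt.conf to stop treating Recommends: as must-install.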