Quoting Russ Allbery (2016-04-09 03:20:25)
> Adam Borowski <kilob...@angband.pl> writes:
>> Like:
>> xfce4-power-manager -> upower -> libimobiledevice4 -> usbmuxd
>
>> Is the recommendation from libimobiledevice4 to usbmuxd valid? Sure
>> it is -- the library is useless without the daemon.

[...]

> So, where this goes wrong is the upower -> libimobiledevice4
> dependency. As you say, the dependency is correct (or at least
> correct-ish): we don't want to dlopen everything and try to push all
> those patches upstream. But this is the weakest link of this whole
> chain, yet has the strongest dependency.
>
> I think a more correct fix would (unfortunately) involve a new binary
> package field that we don't currently have: Depends-Shallow (for lack
> of a better term) that acts like Depends *except* disables Recommends
> processing for anything below the shallow dependencies in the tree.
> So if everything you're installing only Depends-Shallow on
> libimobiledevice4, you don't get the recommendation; if anything
> straight depends on it, you do.

I disagree that we need a new field: Simply lower to at most suggest the
daemon: It is for the daemon to declare a stronger dependency. Anyone
needing the daemon can install the daemon - you shouldn't expect
libraries to pull in daemons (just as you shouldn't expect documentation
to pull in binaries).

>> And, many maintainers could take this as an attack: "what, my package
>> is useless?!?". Like, openssh-server -> libwrap0 -> tcpd. I'd say
>> pretty much anyone today uses other means for limiting access to ssh;
>> tcpd does have near-universal popcon (95.79%!) but protocols listed
>> in its description (telnet ftp rsh rlogin finger) and complete dearth
>> of new bug reports (it received tons in the past) make me think it's
>> not actually used anymore.
>
> I still use tcpd for openssh-server. (This is not an argument for
> keeping the chain, just a data point.) tcpd, unlike iptables, can
> whitelist domains. It's weak security, but it's good for defense in
> depth and making the constant brute force attacks die down a bit.

I agree it is no argument for keeping the chain: Those using tcpd can
install that - or install a metapackage that depends on or recommends
it.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private