Debian Bug report logs - #301138
[Priorities] Development packages should be priority 'optional' (not 'standard')

Package: ftp.debian.org; Maintainer for ftp.debian.org is Debian FTP Master <ftpmaster@ftp-master.debian.org>;

Reported by: Javier Fernández-Sanguino Peña <jfs@computer.org>

Date: Wed, 23 Mar 2005 23:33:48 UTC

Severity: normal

Done: Ryan Murray <rmurray@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Dpkg Development <debian-dpkg@lists.debian.org>:
Bug#301138; Package dpkg-dev. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Dpkg Development <debian-dpkg@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Cc: Joey Hess <joeyh@debian.org>, debian-boot@lists.debian.org
Subject: dpkg-dev: Is this package really Priority: standard (probably the root cause in new Debian systems installing a c-compiler by default)
Date: Thu, 24 Mar 2005 00:14:10 +0100
[Message part 1 (text/plain, inline)]
Package: dpkg-dev
Version: 1.10.27
Priority: important
Tags: patch

[Note: This has happened to me a few times while testing d-i and I had not
nailed down the root cause but after my last installation (see installation
report sent as bug #301112, I've investigated a bit ]

When doing a default installation just selecting the 'Desktop' task, a user 
will end up with a lot of development packages including gcc, g++, 
libc6-dev, kernel-headers-dev and lots of other -dev packages.

The culprit here might be dpkg-dev, pulled in by aptitude because it's 
priority standard. Dpkg-dev recommends a c-compiler and aptitude happily 
takes Recommends for the system and downloads all of them:

Package: dpkg-dev
Priority: standard
Section: utils
(...)
Recommends: c-compiler
            ^^^^^^^^^^ 

So gcc is pulled in (Provides: c-compiler) and with it (through
dependencies) bison, flex, make, autoconf, gdb, libc-dev (libc6-dev) and on
and on..

Now, the Debian policy says:

   standard
          These packages provide a reasonably small but not too limited
          character-mode system. This is what will be installed by
          default if the user doesn't select anything else. It doesn't
          include many large applications.

I fail to see how dpkg-dev fits in that category as most users will _not_ 
build debian packages at all. The current tasks defined in tasksel (and 
used by base-config) are: database-server, dns-server, file-server, 
mail-server, print-server and desktop environments (in different languages).
None of those tasks need a C-compiler, nor do they need dpkg-dev at all. 
Joey Hess removed the debian-devel task a while back (May 2001) with the 
following changelog:

    - Killed debian-dev(el) task, since it does not meet our task criteria
      -- nowhere near 10% of debian users are debian developers (we hope!),
      and probably not enough regular users will use this package to make
      up the difference. This is my own package, so I'm willing to be
      persuaded otherwise, though..

Joey also removed some other development tasks (c-dev, java-dev, 
python-dev, kernel-compile) in June 2004 too.

It certainly does not make sense to me to have desktop systems with a C/C++
compiler and, what's worse, those tools can easily be used by worm writers
to have a more efficient worm propagation (as demonstrated by the Slapper
worm back in 2002 [1])

Please fix this before the next stable release is made or otherwise we'll 
end up with lots of users wondering why they all have a C-compiler 
installed!


Regards

Javier

[1] Please also read "A Slap Upside the Head"
http://www.hackinglinuxexposed.com/articles/20020924.html

"   Minimal Software Installations
          The worm requires gcc to compile the .bugtraq.c file. If you
          didn't install gcc, then the worm will fail before even if it
          managed to break into your web server. Just as you'd turn off a
          daemon you aren't using, why keep software installed that you
          don't need? It only gives an attacker another tool that can
          make the cracking easier.
"

Patch for this :-)

$ diff -u control.orig control
--- control.orig        2005-03-24 00:07:37.000000000 +0100
+++ control     2005-03-24 00:08:04.000000000 +0100
@@ -47,7 +47,7 @@

 Package: dpkg-dev
 Section: utils
-Priority: standard
+Priority: optional
 Architecture: all
 Depends: perl5, perl-modules, cpio (>= 2.4.2-2), patch (>= 2.2-1), make, 
binutils
 Recommends: c-compiler
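Review bot: the Priority change is made in the source package's debian/control, which on its own does not change the priority the archive assigns; that comes from the ftp-master override file (which is why the report is later reassigned to ftp.debian.org and why the follow-up notes that override changes do not touch the packages themselves), so an override change is needed alongside or instead of this hunk. The unchanged `Recommends: c-compiler` context line means that wherever dpkg-dev is still installed, a resolver that honours Recommends will keep pulling in the compiler chain regardless of priority, and the other standard-priority development packages listed later in this log (gcc, g++, libc6-dev, ...) would need the same treatment for the stated goal. Minor: the `Depends:` line has been wrapped by the mailer (`make, ` / `binutils`), so the diff as pasted will not apply cleanly.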

[signature.asc (application/pgp-signature, inline)]

Bug reassigned from package `dpkg-dev' to `ftp.debian.org'. Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: patch Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information stored:
Bug#301138; Package ftp.debian.org. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #14 received at 301138-quiet@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: 301138-quiet@bugs.debian.org, debian-boot@lists.debian.org
Cc: control@bugs.debian.org
Subject: Reassigning priorities issue to ftp.debian.org
Date: Thu, 24 Mar 2005 01:10:48 +0100
[Message part 1 (text/plain, inline)]
reassign 301138 ftp.debian.org
tags 301138 - patch
thanks

Actually, reviewing previous bugs this issue has been brought up in several
occasions. I've found similar issues in bugs 270676 246357 272406 and
272586

Reviewing the problem it seems it boils down to priorities being set too
high for development-only packages that have no place in server or desktop
workstations. Aptitude installs all of these in a standard task-targeted
installation so either aptitude needs to be fixed, base-config needs to
tell it not to install them or the priorities of the following packages
need to be reviewed.

The following packages are Priority: standard and are usually used only in 
development-oriented environments:

gdb
gcc-3.3
dpkg-dev
libc6-dev
cpp-3.3
manpages-dev
flex
g++
linux-kernel-headers
bin86
cpp
gcc
g++-3.3
bison
make
libstdc++5-3.3-dev

Although some of our users might install them (especially if building the 
Linux kernel, rebuilding Debian packages, or building upstream sources), 
that's hardly "all" of Debian users.

Actually, based on the popcon stats, which are arguably biased (because
popcon is installed by default on sarge systems, which will get gcc by
default too), we can see this:

Package: dpkg                            6407    68   294     0
Package: cpp                             4528   857  1080     0
Package: make                            3524  1486  1480     0
Package: gcc-3.3                         2957  1008  1315     1
Package: gcc                             2950  1446  1847     0
Package: cpp-3.3                         2697  1238  1495     0
Package: libc6-dev                       2537  1769  1898     0
Package: linux-kernel-headers            2328  1593  1505     0
Package: g++                             1814  2005  1797     0
Package: dpkg-dev                        1619  2004  2427     0
Package: g++-3.3                         1534  1490  1792     0
Package: gdb                             1423  3655   290     0
Package: bison                           1414  3268   224     1
Package: flex                            1172  3389   237     0
Package: libstdc++5-3.3-dev              1122  1645  2048     0
Package: bin86                            681  3189   121     1
Package: manpages-dev                       0     0     0  4940

So, hardly 46% of our users have gcc installed, and hardly 25% have g++
installed, users with the full environment Standard: priority is forcing
into new installations amounts to 10% of our current users.

I think the priorities of all those packages should be adjusted in order to 
prevent all that from being installed in stock systems. If need be, those 
packages could be included into a -dev task in tasksel for people that want 
a development system "out of the box".

Regards

Javier
[signature.asc (application/pgp-signature, inline)]
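To make the Recommends chain described in the first message (dpkg-dev recommends c-compiler, gcc provides it, and the compiler's own dependencies follow) and the list of standard-priority development packages in the follow-up concrete, here is an added Python example that is not part of the bug report: it parses control-style stanzas, resolves the virtual c-compiler through Provides, and lists what each Priority: standard package drags in once a resolver honours Recommends like Depends. SAMPLE_INDEX is constructed sample data modelled on the report, not the real sarge Packages file, and its relationships and versions are illustrative assumptions.

```python
import re
# Constructed stanzas modelled on the report, not the real sarge index; names
# without a stanza (cpp-3.3, libc6, ...) are treated as leaves of the graph.
SAMPLE_INDEX = """\
Package: dpkg-dev
Priority: standard
Depends: perl5, cpio (>= 2.4.2-2), patch (>= 2.2-1), make, binutils
Recommends: c-compiler

Package: gcc
Priority: standard
Section: devel
Depends: cpp, gcc-3.3
Provides: c-compiler

Package: gcc-3.3
Priority: standard
Section: devel
Depends: cpp-3.3, binutils
Recommends: libc6-dev | libc-dev

Package: libc6-dev
Priority: standard
Section: libdevel
Depends: libc6, linux-kernel-headers
"""

def parse_index(text):
    """RFC822-style stanzas -> {package: {field: value}} (no folded lines needed here)."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict((k.strip(), v.strip()) for k, _, v in
                      (line.partition(":") for line in stanza.splitlines()))
        pkgs[fields["Package"]] = fields
    return pkgs

def relation_names(value):
    """'cpio (>= 2.4.2-2), libc6-dev | libc-dev' -> ['cpio', 'libc6-dev', 'libc-dev']"""
    return [n for clause in value.split(",") for n in
            (re.sub(r"\s*\(.*?\)", "", alt).strip() for alt in clause.split("|")) if n]

def pulled_in(pkgs, root, fields=("Depends", "Recommends")):
    """Everything `root` drags in when each field is honoured; first alternative wins."""
    provides = {v: name for name, f in pkgs.items()          # virtual -> one provider
                for v in relation_names(f.get("Provides", ""))}
    seen, todo = set(), [root]
    while todo:
        name = todo.pop()
        if name in seen: continue
        seen.add(name)
        for field in fields:
            for clause in pkgs.get(name, {}).get(field, "").split(","):
                alts = relation_names(clause)
                if alts:   # real package name, else resolve a virtual one via Provides
                    todo.append(alts[0] if alts[0] in pkgs else provides.get(alts[0], alts[0]))
    return seen - {root}

def standard_dev_pull(pkgs):
    # Priority: standard packages -> sorted devel/libdevel packages they drag in
    return {name: sorted(p for p in pulled_in(pkgs, name)
                         if pkgs.get(p, {}).get("Section") in ("devel", "libdevel"))
            for name, f in pkgs.items() if f.get("Priority") == "standard"}
```

Calling `pulled_in(parse_index(SAMPLE_INDEX), "dpkg-dev", ("Depends",))` shows that with Recommends ignored no compiler is pulled in at all, which is the behaviour change the report attributes to aptitude.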

Changed Bug title. Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `ftp.debian.org' to `ftp.debian.org'. Request was from Scott James Remnant <scott@netsplit.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup and others <ftpmaster@ftp-master.debian.org>:
Bug#301138; Package ftp.debian.org. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to James Troup and others <ftpmaster@ftp-master.debian.org>. Full text and rfc822 format available.

Message #23 received at 301138@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: 301138@bugs.debian.org, control@bugs.debian.org
Subject: Note: Some standard packages are _large_ applications
Date: Sat, 2 Apr 2005 01:45:57 +0200
severity 301138 serious
thanks

Actually, reviewing this bug severity and policy I believe the current 
priority for the packages stated in the bug report is plain wrong as 
current policy says:

"   standard
          These packages provide a reasonably small but not too limited
          character-mode system. This is what will be installed by
          default if the user doesn't select anything else. It doesn't
          include many large applications.
"

I do believe most of the following qualify as "large applications"?

Package                    Size
------------------------+--------

gdb                     2,766,822
gcc-3.3                 1,570,284
dpkg-dev                  166,800
libc6-dev               2,531,564
cpp-3.3                 1,391,346
manpages-dev            1,081,408
flex                      257,678
g++                         1,384 (Note: virtual package)
linux-kernel-headers    1,377,022
bin86                      82,090
cpp                        29,446
gcc                         4,896 (Note: virtual package)
g++-3.3                 1,778,880
bison                     702,830
make                      366,138
libstdc++5-3.3-dev        774,982

Some of those are not applications, but data that does not make sense to
install _unless_ you want the applications themselves (i.e. gcc and
libc6-dev )

Regards

Javier

PS: And if dpkg-dev is not also removed from 'standard' since it 
"Recommends" a c-compiler default installation will also pull in all that 
unnecessary stuff.



Severity set to `serious'. Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup and others <ftpmaster@ftp-master.debian.org>:
Bug#301138; Package ftp.debian.org. Full text and rfc822 format available.

Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list. Copy sent to James Troup and others <ftpmaster@ftp-master.debian.org>. Full text and rfc822 format available.

Message #30 received at 301138@bugs.debian.org (full text, mbox):

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>, 301138@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Note: Some standard packages are _large_ applications
Date: Mon, 11 Apr 2005 18:52:16 +0200
severity 301138 normal
thanks

On Sat, Apr 02, 2005 at 01:45:57AM +0200, Javier Fernández-Sanguino Peña wrote:
> severity 301138 serious
> thanks
> 
> Actually, reviewing this bug severity and policy I believe the current 
> priority for the packages stated in the bug report is plain wrong as 
> current policy says:

Right, but this is not a release critical issue, and now isn't the best
time to look at this. I'll bring this up on some appropriate mailinglist
after Sarge is released.

--Jeroen

-- 
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl



Information forwarded to debian-bugs-dist@lists.debian.org, James Troup and others <ftpmaster@ftp-master.debian.org>:
Bug#301138; Package ftp.debian.org. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to James Troup and others <ftpmaster@ftp-master.debian.org>. Full text and rfc822 format available.

Message #35 received at 301138@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Cc: 301138@bugs.debian.org
Subject: Re: Note: Some standard packages are _large_ applications
Date: Mon, 11 Apr 2005 18:57:01 +0200
[Message part 1 (text/plain, inline)]
On Mon, Apr 11, 2005 at 06:52:16PM +0200, Jeroen van Wolffelaar wrote:
> severity 301138 normal
> thanks
> 
> On Sat, Apr 02, 2005 at 01:45:57AM +0200, Javier Fernández-Sanguino Peña wrote:
> > severity 301138 serious
> > thanks
> > 
> > Actually, reviewing this bug severity and policy I believe the current 
> > priority for the packages stated in the bug report is plain wrong as 
> > current policy says:
> 
> Right, but this is not a release critical issue, and now isn't the best

Not being RC does not make this bug of normal severity, it does violate 
policy (OK, it depends on how you interpret policy)

> time to look at this. I'll bring this up on some appropriate mailinglist
> after Sarge is released.

Can't the package severity be fixed before release? I think a lot of people 
would appreciate it.

Regards

Javier
[signature.asc (application/pgp-signature, inline)]

Severity set to `normal'. Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup and others <ftpmaster@ftp-master.debian.org>:
Bug#301138; Package ftp.debian.org. Full text and rfc822 format available.

Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list. Copy sent to James Troup and others <ftpmaster@ftp-master.debian.org>. Full text and rfc822 format available.

Message #42 received at 301138@bugs.debian.org (full text, mbox):

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>
Cc: 301138@bugs.debian.org
Subject: Re: Note: Some standard packages are _large_ applications
Date: Mon, 11 Apr 2005 19:10:44 +0200
On Mon, Apr 11, 2005 at 06:57:01PM +0200, Javier Fernández-Sanguino Peña wrote:
> On Mon, Apr 11, 2005 at 06:52:16PM +0200, Jeroen van Wolffelaar wrote:
> > Right, but this is not a release critical issue, and now isn't the best
> > time to look at this. I'll bring this up on some appropriate mailinglist
> > after Sarge is released.
> 
> Can't the package severity be fixed before release? I think a lot of people 
> would appreciate it.

standard and up packages are frozen now, for a good reason: any change
might introduce unintended changes/bugs.

This change would only cause less diskspace to be used in certain
situations, which isn't anywhere near as important as tons of other,
real, issues in Debian packages atm.

So: no. This is not something to change while the base system is frozen,
but more in the beginning of a release cycle.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Information forwarded to debian-bugs-dist@lists.debian.org, James Troup and others <ftpmaster@ftp-master.debian.org>:
Bug#301138; Package ftp.debian.org. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to James Troup and others <ftpmaster@ftp-master.debian.org>. Full text and rfc822 format available.

Message #47 received at 301138@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Cc: 301138@bugs.debian.org
Subject: Re: Note: Some standard packages are _large_ applications
Date: Mon, 11 Apr 2005 21:34:10 +0200
[Message part 1 (text/plain, inline)]
On Mon, Apr 11, 2005 at 07:10:44PM +0200, Jeroen van Wolffelaar wrote:
> 
> standard and up packages are frozen now, for a good reason: any change
> might introduce unintended changes/bugs.

Overrides files don't imply changes in the packages themselves. That's 
actually what some release manager suggested.

> This change would only cause less diskspace to be used in certain
> situations, which isn't anywhere near as important as tons of other,
> real, issues in Debian packages atm.

It is an issue and has been brought up a number of times. We (in Debian) 
don't weigh issues one against another, priorities in bugs are not 
relative, but absolute. 

> So: no. This is not something to change while the base system is frozen,
> but more in the beginning of a release cycle.

Unfortunately, this "bug" (actually, a change in aptitude that would pull 
these in) was introduced after the base system was frozen, so there was no 
way anyone could have anticipated this.

Regards

Javier
[signature.asc (application/pgp-signature, inline)]

Changed Bug title. Request was from Nathanael Nerode <neroden@fastmail.fm> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Ryan Murray <rmurray@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #54 received at 301138-done@bugs.debian.org (full text, mbox):

From: Ryan Murray <rmurray@debian.org>
To: 301138-done@bugs.debian.org
Cc: bin86@packages.debian.org, binutils@packages.debian.org, glibc@packages.debian.org, bison@packages.debian.org, flex@packages.debian.org, gdb@packages.debian.org, gcc@packages.debian.org, make@packages.debian.org, linux-kernel-headers@packages.debian.org, dpkg-dev@packages.debian.org, manpages-dev@packages.debian.org
Subject: priority change on your package(s)
Date: Wed, 3 Jan 2007 04:36:58 -0800
[Message part 1 (text/plain, inline)]
In fixing bug #301138, several packages have been lowered to optional priority from standard priority, reflecting that our "standard" user is not a developer, and should not have a development environment installed.

If you're on the cc list, your package(s) have been affected.  Here's the complete list of packages:

bin86
binutils
binutils-hppa64
bison
flex
g++
g++-4.1
g++-4.2
gcc
gcc-4.1
gcc-4.1-hppa64
gcc-4.2
gcc-4.2-hppa64
gdb
linux-kernel-headers
make
manpages-dev
cpp
cpp-4.1
cpp-4.2
libc6-dev
libc6-dev-s390x
libc6-dev-sparc64
libc6.1-dev
libstdc++6-4.1-dev
libstdc++6-4.2-dev
dpkg-dev

[signature.asc (application/pgp-signature, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 01:47:36 GMT) Full text and rfc822 format available.
