Adam Borowski <kilob...@angband.pl> writes: > Like: > xfce4-power-manager -> upower -> libimobiledevice4 -> usbmuxd
> Is the recommendation from libimobiledevice4 to usbmuxd valid? Sure it is > -- the library is useless without the daemon. > Is the dependency from upower to libimobiledevice4 valid? It is -- using > dlopen for every optional feature would require massive amounts of work. > Is the dependency from xfce4-power-manager to upower valid? Certainly -- > x-p-m is merely a GUI that needs upower for everything. > But, wanting to suspend my computer doesn't mean I own an iPod or want a > daemon that's useless for non-iPod-users! So, where this goes wrong is the upower -> libimobiledevice4 dependency. As you say, the dependency is correct (or at least correct-ish): we don't want to dlopen everything and try to push all those patches upstream. But this is the weakest link of this whole chain, yet has the strongest dependency. I think a more correct fix would (unfortunately) involve a new binary package field that we don't currently have: Depends-Shallow (for lack of a better term) that acts like Depends *except* disables Recommends processing for anything below the shallow dependencies in the tree. So if everything you're installing only Depends-Shallow on libimobiledevice4, you don't get the recommendation; if anything straight depends on it, you do. > And, many maintainers could take this as an attack: "what, my package is > useless?!?". Like, openssh-server -> libwrap0 -> tcpd. I'd say pretty > much anyone today uses other means for limiting access to ssh; tcpd does > have near-universal popcon (95.79%!) but protocols listed in its > description (telnet ftp rsh rlogin finger) and complete dearth of new > bug reports (it received tons in the past) make me think it's not > actually used anymore. I still use tcpd for openssh-server. (This is not an argument for keeping the chain, just a data point.) tcpd, unlike iptables, can whitelist domains. It's weak security, but it's good for defense in depth and making the constant brute force attacks die down a bit. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
