On Tue, Feb 15 2022 at 06:56:28 PM, Stella Ashburne <rewe...@gmx.com> wrote:
> Hello The Wanderer
>
>> Sent: Monday, February 14, 2022 at 8:48 PM
>> From: "The Wanderer" <wande...@fastmail.fm>
>> To: debian-user@lists.debian.org
>> Subject: Re: Uninstalling a package removes other essential
>> packages: What is the best course of action?
>>
>>
>> Do you have any reason to believe that it might? As compared to any
>> other random library that Debian provides.
>>
> No, I don't have the technical knowledge to audit libthai. My point is:
> why pull in non-English dependencies for an English-language
> installation? Doing so may increase the chance of attacks by
> hackers.
>
> The argument that an app, library or distro is open source does not
> really mitigate the risks of attacks.
>
> Consider the below decade-old bugs that had been "hiding" in plain sight:
>
> CVE-2016-5195 (Dirty COW)
> CVE-2014-0160 (Heartbleed)
> CVE-2016-8655
> CVE-2017-6074
> CVE-2021-3156 (Baron_Samedit)
>
You'll have to make your case in a bug report on the relevant package (pango?). The usual Debian position is to enable as many options as possible, so that the same binary package will work for a wide variety of users. If this does not suit your security posture, you'll need to do one or more of the following:

- take your concerns to the upstream developers (they might need more concrete reasons than what you have so far)
- build the packages yourself with the offending features disabled
- uninstall the packages and manage without the additional packages that get removed
- isolate the packages you have issues with (and everything that depends on them) in separate virtual machines or other isolation mechanisms that satisfy your security requirements
- pay someone to audit the codebase so your security needs are met (but first check with upstream if they will be willing to act on issues discovered during audit; if not you'll need other arrangements). Perhaps you could offer to run one or more of the automated tools that can help with finding security issues (there are various open-source and proprietary tools in this area)

--
regards,
kushal
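Before choosing the "uninstall and manage without" option from the reply above, it helps to know exactly which installed packages would be pulled out along with a library. The following is an added example, not code from the thread or from Debian's own tooling: it parses dpkg status-style stanzas (the same layout as /var/lib/dpkg/status) and walks reverse dependencies to a fixpoint, honouring `|` alternatives so that a package is only counted as removed when none of its alternatives remains installed. The package stanzas are constructed for illustration and do not reflect any real system; on a real machine you would read /var/lib/dpkg/status instead of SAMPLE_STATUS.

```python
"""Compute which installed packages would have to go if one package is removed.

Added example; reads dpkg status-format text and follows Depends/Pre-Depends
in reverse.  Recommends are ignored, as apt does not remove on a broken
Recommends.  The sample data below is constructed, not a real package set.
"""
import re

# Constructed sample in the format of /var/lib/dpkg/status (hypothetical
# versions and package relationships, chosen to exercise the logic).
SAMPLE_STATUS = """\
Package: libthai0
Status: install ok installed
Depends: libthai-data, libdatrie1

Package: libthai-data
Status: install ok installed

Package: libdatrie1
Status: install ok installed

Package: libpango-1.0-0
Status: install ok installed
Depends: libthai0 (>= 0.1.25), libglib2.0-0 (>= 2.62)
Recommends: libthai-data

Package: libglib2.0-0
Status: install ok installed

Package: gnome-terminal
Status: install ok installed
Depends: libpango-1.0-0 | libpango-foo, libglib2.0-0

Package: curl
Status: install ok installed
Depends: libglib2.0-0

Package: thai-tools
Status: install ok installed
Depends: libthai0 | libthai-data
"""


def parse_status(text):
    """Return {package: [[alt, alt, ...], ...]} for installed packages only.

    Each inner list is one Depends/Pre-Depends clause; the clause is satisfied
    when any one of its alternatives is installed.  Version constraints such as
    "(>= 1.2)" and architecture qualifiers such as ":any" are stripped.
    """
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        key = None
        for line in stanza.splitlines():
            if line[:1].isspace() and key is not None:  # continuation line
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "installed" not in fields.get("Status", ""):
            continue
        clauses = []
        for field in ("Pre-Depends", "Depends"):
            for clause in fields.get(field, "").split(","):
                alts = [re.sub(r"\s*\(.*?\)", "", a).split(":")[0].strip()
                        for a in clause.split("|") if a.strip()]
                if alts:
                    clauses.append(alts)
        pkgs[fields["Package"]] = clauses
    return pkgs


def removal_closure(pkgs, target):
    """Set of installed packages that must be removed together with `target`.

    Iterates to a fixpoint: a package joins the removed set when some clause of
    its dependencies mentions a removed package and no alternative in that
    clause is still installed.  Clauses that never touch the removed set are
    left alone, so unrelated virtual or missing dependencies do not count.
    """
    if target not in pkgs:
        return set()
    removed = {target}
    changed = True
    while changed:
        changed = False
        for name, clauses in pkgs.items():
            if name in removed:
                continue
            for alts in clauses:
                hits_removed = any(a in removed for a in alts)
                still_satisfied = any(a in pkgs and a not in removed for a in alts)
                if hits_removed and not still_satisfied:
                    removed.add(name)
                    changed = True
                    break
    return removed


if __name__ == "__main__":
    installed = parse_status(SAMPLE_STATUS)
    for name in sorted(removal_closure(installed, "libthai0")):
        print(name)
```

In the constructed sample, removing libthai0 takes libpango-1.0-0 and gnome-terminal with it, while thai-tools survives because its `libthai0 | libthai-data` clause is still satisfied by libthai-data; curl and the leftover dependencies libthai-data and libdatrie1 are untouched (apt may later offer them for autoremoval, which this walk does not model).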