Bug#839695: 67 X11/GTK related packages on a headless server

Rob J. Epping-3
Hi,

qemu 1:2.8+dfsg-1 has hit jessie-backports.

With the fix for bug #839695 my server now wants to install 67 X11/GTK
related new packages. This is on a headless server where this is just
more attack surface, i.e. less security.

Would it be possible to make the X11/GTK stuff optional? Maybe by
creating 2 binary versions for example a -gtk and a -nox version.

GRTNX,
RobJE

Michael Tokarev
23.01.2017 10:55, Rob J. Epping wrote:

> Hi,
>
> qemu 1:2.8+dfsg-1 has hit jessie-backports.
>
> With the fix for bug #839695 my server now wants to install 67 X11/GTK
> related new packages. This is on a headless server where this is just
> more attack surface, i.e. less security.
>
> Would it be possible to make the X11/GTK stuff optional? Maybe by
> creating 2 binary versions for example a -gtk and a -nox version.

Please see #813658 .

In brief, being a 20+ years paranoic sysadmin myself, I don't see it
being a security threat. Either we fix all needed X client libs to
not depend on X itself (ie, being split into a headless and headful
part), or we live with this.

People want features even on a headless server (eg, 3d support via
spice), -- this will bring half of X anyway. So making just display
optional doesn't work.

Thanks,

/mjt

Rob J. Epping-3
Hi

On 01/23/2017 09:31 AM, Michael Tokarev wrote:

> 23.01.2017 10:55, Rob J. Epping wrote:
>> Hi,
>>
>> qemu 1:2.8+dfsg-1 has hit jessie-backports.
>>
>> With the fix for bug #839695 my server now wants to install 67 X11/GTK
>> related new packages. This is on a headless server where this is just
>> more attack surface, i.e. less security.
>>
>> Would it be possible to make the X11/GTK stuff optional? Maybe by
>> creating 2 binary versions for example a -gtk and a -nox version.
>
> Please see #813658 .
>
> In brief, being a 20+ years paranoic sysadmin myself, I don't see it
> being a security threat. Either we fix all needed X client libs to
> not depend on X itself (ie, being split into a headless and headful
> part), or we live with this.
>
> People want features even on a headless server (eg, 3d support via
> spice), -- this will bring half of X anyway. So making just display
> optional doesn't work.

Let me be the voice of other people who do not need any graphical stuff.
For me personally, I only run headless virtual machines on a headless
server and do not want to install all the additional libraries.

As an example, some people want vim with GTK support and some don't.
So there is a bunch of vim packages available.

I guess what I want to put forward is that I like to have a choice here,
similar to vim-nox and vim-gtk.

> Thanks,
>
> /mjt

THNX && GRTNX,
RobJE

Michael Tokarev
23.01.2017 15:12, Rob J. Epping wrote:

> Let me be the voice of other people who do not need any graphical stuff.
> For me personally, I only run headless virtual machines on a headless
> server and do not want to install all the additional libraries.
>
> As an example, some people want vim with GTK support and some don't.
> So there is a bunch of vim packages available.
>
> I guess what I want to put forward is that I like to have a choice here,
> similar to vim-nox and vim-gtk.

As I already said multiple times, first, we need not one but EIGHT new
packages like this (for each of qemu-system-foo variant), and second,
even for headless, people want 3d gpu support, which brings all this
X stuff back again.

Sorry but this is not a solution. And sure thing I considered it
multiple times.

Thanks,

/mjt