GNU bug report logs - #43851
[PATCH] gnu: sudo: Depend on python-minimal instead of python.
Reported by: Jan Nieuwenhuizen <janneke <at> gnu.org>
Date: Wed, 7 Oct 2020 17:05:01 UTC
Severity: normal
Tags: patch
Done: Jan Nieuwenhuizen <janneke <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#43851; Package guix-patches. (Wed, 07 Oct 2020 17:05:01 GMT)
Acknowledgement sent to Jan Nieuwenhuizen <janneke <at> gnu.org>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 07 Oct 2020 17:05:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Hi,
Depending on python pulls in X11:
--8<---------------cut here---------------start------------->8---
$ guix graph --path sudo libx11
sudo@1.9.3p1
python@3.8.2
tk@8.6.10
libx11@1.6.9
--8<---------------cut here---------------end--------------->8---
which is unfortunate, especially for the Hurd.
However...do we really want to extend sudo with eh, a large programming
language that has a more impressive CVE list than a lovely tiny language
such as, say Guile? ;)
Greetings,
Janneke
[0001-gnu-sudo-Depend-on-python-minimal-instead-of-python.patch (text/x-patch, inline)]
From e28a7f0679cc70f48f2583b2f3fe5f9a1984d6cc Mon Sep 17 00:00:00 2001
From: "Jan (janneke) Nieuwenhuizen" <janneke <at> gnu.org>
Date: Wed, 7 Oct 2020 18:49:29 +0200
Subject: [PATCH] gnu: sudo: Depend on python-minimal instead of python.
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
* gnu/packages/admin.scm (sudo)[inputs]: Use python-minimal instead of
python.
---
gnu/packages/admin.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index e62a145614..399c55a080 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -1499,7 +1499,7 @@ system administrator.")
("linux-pam" ,linux-pam)
,@(if (%current-target-system)
'()
- `(("python" ,python)))
+ `(("python" ,python-minimal)))
("zlib" ,zlib)))
(home-page "https://www.sudo.ws/")
(synopsis "Run commands as root")
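Review bot: In the `,@(if (%current-target-system) '() ...)` branch, the input keeps the label "python" while now pointing at python-minimal, and it is still dropped entirely for cross builds, so a native and a cross-built sudo get different inputs with no comment saying why. Please add a short comment above the conditional explaining the cross-compilation exception, and confirm that nothing in the sudo build expects modules that only the full python package provides, since the point of the change is to keep the python, tk, libx11 path out of the closure of a program that runs commands as root.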
--
Jan Nieuwenhuizen <janneke <at> gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
Information forwarded to guix-patches <at> gnu.org: bug#43851; Package guix-patches. (Wed, 07 Oct 2020 21:19:01 GMT)
Message #8 received at 43851 <at> debbugs.gnu.org:
Good evening Janneke,
Jan Nieuwenhuizen writes:
> Depending on python pulls in X11:
It only depends on Python because I wasn't [consciously] aware of
the existence of python-minimal. Your patch LGTM.
> However...do we really want to extend sudo with eh, a large programming
> language
I enabled Python support in sudo because it exists for the same
reason that Guile does.
If we want a less hackable sudo - certainly a defensible position
- that's fine by me. If we do, then yes, I think Python is
reasonable considering the alternative (C).
> that has a more impressive CVE list than a lovely tiny language
> such as, say Guile? ;)
Python has a more impressive almost-anything than Guile so that
means nothing.
Kind regards,
T G-R
Information forwarded to guix-patches <at> gnu.org: bug#43851; Package guix-patches. (Thu, 08 Oct 2020 07:04:02 GMT)
Message #11 received at 43851 <at> debbugs.gnu.org:
Hi Janneke,
On Wed, 07 Oct 2020 19:04:27 +0200
Jan Nieuwenhuizen <janneke <at> gnu.org> wrote:
> Depending on python pulls in X11:
>
> --8<---------------cut here---------------start------------->8---
> $ guix graph --path sudo libx11
> sudo@1.9.3p1
> python@3.8.2
> tk@8.6.10
> libx11@1.6.9
> --8<---------------cut here---------------end--------------->8---
>
> which is unfortunate, especially for the Hurd.
>
> However...do we really want to extend sudo with eh, a large programming
> language that has a more impressive CVE list than a lovely tiny language
> such as, say Guile? ;)
I am very much in favor of not having unnecessary dependencies in things
which are suid root. Also, there already IS PAM support in sudo, and
PAM has modules--so why have yet another weird new mechanism? For auditing,
there is auditd (even in Guix already).
Furthermore, it makes updating sudo more brittle.
Also, we removed it when cross-compiling already, pointing to other problems.
Please remove the python dependency entirely.
Information forwarded to guix-patches <at> gnu.org: bug#43851; Package guix-patches. (Fri, 09 Oct 2020 17:19:01 GMT)
Message #14 received at 43851 <at> debbugs.gnu.org:
Tobias Geerinckx-Rice writes:
Hello Tobias,
> Jan Nieuwenhuizen writes:
>> Depending on python pulls in X11:
>
> It only depends on Python because I wasn't [consciously] aware of the
> existence of python-minimal. Your patch LGTM.
>
>> However...do we really want to extend sudo with eh, a large programming
>> language
>
> I enabled Python support in sudo because it exists for the same reason
> that Guile does.
Yes, hackability/extensibility makes sense and is good in general...
> If we want a less hackable sudo - certainly a defensible position -
> that's fine by me. If we do, then yes, I think Python is reasonable
> considering the alternative (C).
...but in this case, yes, a less hackable sudo is what I'm certainly
leaning towards.
Danny Milosavljevic writes:
> I am very much in favor of not having unnecessary dependencies in things
> which are suid root. Also, there already IS PAM support in sudo, and
> PAM has modules--so why have yet another weird new mechanism? For auditing,
> there is auditd (even in Guix already).
> Furthermore, it makes updating sudo more brittle.
> Also, we removed it when cross-compiling already, pointing to other problems.
> Please remove the python dependency entirely.
@Tobias: would you please revert/remove the Python addition to sudo (or
else discuss some more with others?).
>> that has a more impressive CVE list than a lovely tiny language
>> such as, say Guile? ;)
>
> Python has a more impressive almost-anything than Guile so that means
> nothing.
Yeah, Python is amazing.
Greetings,
Janneke
--
Jan Nieuwenhuizen <janneke <at> gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
Information forwarded to guix-patches <at> gnu.org: bug#43851; Package guix-patches. (Fri, 09 Oct 2020 18:16:01 GMT)
Message #17 received at 43851 <at> debbugs.gnu.org:
Hello Tobias!
Tobias Geerinckx-Rice <me <at> tobias.gr> writes:
> Good evening Janneke,
>
> Jan Nieuwenhuizen writes:
>> Depending on python pulls in X11:
>
> It only depends on Python because I wasn't [consciously] aware of the
> existence of python-minimal. Your patch LGTM.
>
>> However...do we really want to extend sudo with eh, a large programming
>> language
>
> I enabled Python support in sudo because it exists for the same reason
> that Guile does.
>
> If we want a less hackable sudo - certainly a defensible position -
> that's fine by me. If we do, then yes, I think Python is reasonable
> considering the alternative (C).
What kind of uses do the Python bindings provide? If we don't have any
use for it, I think it may be better to let the dependency go
altogether, to keep sudo as small and secure as possible.
Thanks,
Maxim
Information forwarded to guix-patches <at> gnu.org: bug#43851; Package guix-patches. (Fri, 09 Oct 2020 18:49:02 GMT)
Message #20 received at 43851 <at> debbugs.gnu.org:
Heyho Maxim,
Maxim Cournoyer writes:
> What kind of uses do the Python bindings provide?
They're not bindings in the way I understand the term; more like a
plug-in interface that allows you to implement security policies
beyond the rudimentary ‘sudoers’ format (or writing a C extension
*shudder*). Basically: what we would have used Guile for :-)
The rest of the world uses Python.
However, PAM is not relevant to the discussion & served only to
confuse.
> If we don't have any use for it, I think it may be better to let the
> dependency go altogether, to keep sudo as small and secure as
> possible.
I don't think sudo is either, nor does the presence of Python
affect that meaningfully. But let's stop this pointless
discussion since removing it helps the Hurd progress. That's
enough.
The Hurd is a lot more exciting than the removal of sudo Python
support -- and actually *will* improve security!
\o/,
T G-R
Information forwarded to guix-patches <at> gnu.org: bug#43851; Package guix-patches. (Fri, 09 Oct 2020 19:27:02 GMT)
Message #23 received at submit <at> debbugs.gnu.org:
On Fri, 9 Oct 2020 at 20:49, Tobias Geerinckx-Rice via Guix-patches
via <guix-patches <at> gnu.org> wrote:
> I don't think sudo is either, nor does the presence of Python
> affect that meaningfully. But let's stop this pointless
> discussion since removing it helps the Hurd progress. That's
> enough.
>
> The Hurd is a lot more exciting than the removal of sudo Python
> support -- and actually *will* improve security!
I agree that supporting Hurd is more important than supporting
hypothetical users using hypothetically sudo with Python. :-)
Why not have 2 packages: 'sudo' (with Python) and 'sudo-minimal'
(without). Or any other name.
Cheers,
simon
Information forwarded to guix-patches <at> gnu.org: bug#43851; Package guix-patches. (Fri, 09 Oct 2020 19:45:02 GMT)
Message #29 received at submit <at> debbugs.gnu.org:
zimoun writes:
> I agree that supporting Hurd is more important than supporting
> hypothetical users using hypothetically sudo with Python. :-)
I'm not hypothetical! I'm a real boy!
> Why not have 2 packages: 'sudo' (with Python) and 'sudo-minimal'
> (without). Or any other name.
I suggested as much on #guix so it is by definition an excellent
suggestion.
Janneke?
T G-R
Reply sent to Jan Nieuwenhuizen <janneke <at> gnu.org>: You have taken responsibility. (Fri, 09 Oct 2020 19:49:02 GMT)
Notification sent to Jan Nieuwenhuizen <janneke <at> gnu.org>: bug acknowledged by developer. (Fri, 09 Oct 2020 19:49:02 GMT)
Message #37 received at 43851-done <at> debbugs.gnu.org:
Tobias Geerinckx-Rice writes:
Hello!
> Maxim Cournoyer writes:
>> If we don't have any use for it, I think it may be better to let the
>> dependency go altogether, to keep sudo as small and secure as
>> possible.
>
> I don't think sudo is either, nor does the presence of Python affect
> that meaningfully. But let's stop this pointless discussion since
> removing it helps the Hurd progress. That's enough.
>
> The Hurd is a lot more exciting than the removal of sudo Python
> support -- and actually *will* improve security!
Thanks all, I've removed the python dependency from sudo; pushed to
master as 165e0918da54643bfaf9a6cb6b866f8692e9f8f9.
Greetings,
Janneke
--
Jan Nieuwenhuizen <janneke <at> gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
Information forwarded to guix-patches <at> gnu.org: bug#43851; Package guix-patches. (Fri, 09 Oct 2020 19:54:02 GMT)
Message #40 received at submit <at> debbugs.gnu.org:
Tobias Geerinckx-Rice writes:
Hi!
> zimoun writes:
>> I agree that supporting Hurd is more important than supporting
>> hypothetical users using hypothetically sudo with Python. :-)
>
> I'm not hypothetical! I'm a real boy!
>
>> Why not have 2 packages: 'sudo' (with Python) and 'sudo-minimal'
>> (without). Or any other name.
>
> I suggested as much on #guix so it is by definition an excellent
> suggestion.
>
> Janneke?
Oops, I missed that and just pushed Python removal. I would suggest
sudo-with-python; but I'm fine with sudo-minimal too.
Greetings,
Janneke
--
Jan Nieuwenhuizen <janneke <at> gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 07 Nov 2020 12:24:06 GMT)
This bug report was last modified 4 years and 227 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.