GNU bug report logs - #43851
[PATCH] gnu: sudo: Depend on python-minimal instead of python.

Package: guix-patches;

Reported by: Jan Nieuwenhuizen <janneke <at> gnu.org>

Date: Wed, 7 Oct 2020 17:05:01 UTC

Severity: normal

Tags: patch

Done: Jan Nieuwenhuizen <janneke <at> gnu.org>

Bug is archived. No further changes may be made.


Message #14 received at 43851 <at> debbugs.gnu.org (full text, mbox):

From: Jan Nieuwenhuizen <janneke <at> gnu.org>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 43851 <at> debbugs.gnu.org
Subject: Re: [bug#43851] [PATCH] gnu: sudo: Depend on python-minimal instead of python.
Date: Fri, 09 Oct 2020 19:18:44 +0200

Tobias Geerinckx-Rice writes:

Hello Tobias,

> Jan Nieuwenhuizen writes:
>> Depending on python pulls in X11:
>
> It only depends on Python because I wasn't [consciously] aware of the
> existence of python-minimal.  Your patch LGTM.
>
>> However...do we really want to extend sudo with eh, a large
>> programming
>> language
>
> I enabled Python support in sudo because it exists for the same reason
> that Guile does.

Yes, hackability/extensibility makes sense and is good in general...

> If we want a less hackable sudo - certainly a defensible position -
> that's fine by me.  If we do, then yes, I think Python is reasonable
> considering the alternative (C).

...but in this case, yes, a less hackable sudo is what I'm certainly
leaning towards.

Danny Milosavljevic writes:

> I am very much in favor of not having unnecessary dependencies in things
> which are suid root.  Also, there already IS PAM support in sudo, and
> PAM has modules--so why have yet another weird new mechanism?  For auditing,
> there is auditd (even in Guix already).

> Furthermore, it makes updating sudo more brittle.

> Also, we removed when cross-compiling already, pointing to other problems.

> Please remove the python dependency entirely.

@Tobias: would you please revert/remove the Python addition to sudo (or
else discuss some more with others?).

>> that has a more impressive CVE list than a lovely tiny language
>> such as, say Guile? ;)
>
> Python has a more impressive almost-anything than Guile so that means
> nothing.

Yeah, Python is amazing.

Greetings,
Janneke

-- 
Jan Nieuwenhuizen <janneke <at> gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com




This bug report was last modified 4 years and 281 days ago.
