#743870 Excessive dependencies required on upgrade

Package:
lcdproc
Source:
lcdproc
Description:
LCD display driver daemon and clients
Submitter:
Chris Boot
Date:
2021-10-10 15:12:03 UTC
Severity:
minor
Tags:
#743870#5
Date:
2014-04-07 16:44:47 UTC
From:
To:
Dear maintainer,

The version of lcdproc currently in sid depends on two new packages:
- libconfig-model-lcdproc-perl (>= 2.040)
- libconfig-model-perl (>= 2.037)

Together, these are responsible for pulling in 53 PERL packages as dependencies
of lcdproc on my system. I feel that this is excessive, especially considering
the relatively minor functionality that these packages provide (namely, to
be able to upgrade the configuration file on package upgrades).

For example:

frost bootc # aptitude --simulate --without-recommends install lcdproc/sid
The following NEW packages will be installed:
  libalgorithm-c3-perl{a} libanyevent-perl{a} libb-hooks-endofscope-perl{a}
  libcarp-assert-more-perl{a} libcarp-assert-perl{a} libclass-c3-perl{a}
  libclass-data-inheritable-perl{a} libclass-load-perl{a}
  libclass-load-xs-perl{a} libclone-perl{a} libcommon-sense-perl{a}
  libconfig-model-lcdproc-perl{a} libconfig-model-perl{a}
  libdata-optlist-perl{a} libdevel-globaldestruction-perl{a}
  libdevel-stacktrace-perl{a} libev-perl{a} libeval-closure-perl{a}
  libexception-class-perl{a} libfile-homedir-perl{a} libfile-slurp-perl{a}
  libfile-which-perl{a} libhash-merge-perl{a} libjson-perl{a}
  liblist-moreutils-perl{a} liblog-log4perl-perl{a}
  libmodule-implementation-perl{a} libmodule-runtime-perl{a} libmoose-perl{a}
  libmouse-perl{a} libmousex-nativetraits-perl{a}
  libmousex-strictconstructor-perl{a} libmro-compat-perl{a}
  libnamespace-autoclean-perl{a} libnamespace-clean-perl{a}
  libpackage-deprecationmanager-perl{a} libpackage-stash-perl{a}
  libpackage-stash-xs-perl{a} libparams-classify-perl{a} libparams-util-perl{a}
  libparse-recdescent-perl{a} libpath-class-perl{a} libpod-pom-perl{a}
  libsub-exporter-perl{a} libsub-exporter-progressive-perl{a}
  libsub-identify-perl{a} libsub-install-perl{a} libsub-name-perl{a}
  libtask-weaken-perl{a} libtext-diff-perl{a} libtry-tiny-perl{a}
  libvariable-magic-perl{a} libyaml-perl{a}
The following packages will be upgraded:
  lcdproc
The following packages are RECOMMENDED but will NOT be installed:
  fuse lcdproc-extra-drivers libasync-interrupt-perl libclass-c3-xs-perl
  libclass-method-modifiers-perl libconfig-model-tkui-perl
  libdevel-lexalias-perl libdevel-partialdump-perl libfuse-perl libguard-perl
  libipc-shareable-perl libjson-xs-perl liblog-dispatch-perl
  libyaml-libyaml-perl libyaml-syck-perl
1 packages upgraded, 53 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,189 kB of archives. After unpacking 10.8 MB will be used.
Do you want to continue? [Y/n/?]
Would download/install/remove packages.

Can this functionality please be made optional at the very least?

Thanks,
Chris

#743870#10
Date:
2014-04-09 18:14:05 UTC
From:
To:
Hello

ok. many packages are installed, but you don't need to worry about them. I
don't understand why you consider this is a problem.

It is. You will be asked whether to allow automatic upgrade or not.

All the best

#743870#17
Date:
2014-04-10 12:22:45 UTC
From:
To:
I consider this a problem because it's a lot of packages that simply are
not going to be used on these systems. A number of drivers are split
into the lcdproc-extra-drivers package to avoid all users having to
install large parts of X11, I think it would be kind to users to allow
them not to install a large number of optional packages.

Could the config model packages be turned into a Recommends rather than
a Depends, so that they don't have to be installed at all?

It's really helpful to those of us who would like to maintain as minimal
a system as possible. For example, I'd like to use lcdproc on a firewall
system, and keeping the attack surface as small as possible is a common
goal for this type of system.

Thanks,
Chris

#743870#22
Date:
2014-04-21 19:12:06 UTC
From:
To:
[ re-sent because I forgot to cc the BTS ]

Yes. A few MB of disks are wasted. Even on ARM system running on a SD card,
this is no longer a problem.

In this case, the large part of X11 are some X libraries which also weight a
few MB (no more than 10). This package split made sense a few years ago on
enbedded system where 32MB flash was a big deal.

Thanks to your mail, I've realised it's not worth the effort. I'll remove this
split the next time there's a problem around this hack.

It's also kind to user not to offer them a choice when the 2 alternatives have
no significant differences.

Technically, yes. But this dependency is injected by dh_cme_upgrade. This
would mean adding yet another option to the configuration file of
dh_cme_upgrade, adding documentation and explaining pro and cons of the
choice. This would make automatic config upgrade more complex for no real
added value.

Then, some documentation would need to be written for the end user so he can
make an informed decision, and recover from a wrong choice.

All this work for what ? saving a few MB not worth a cent on an SD card ?

None of these package will leave a running process. I don't see the relation
between the installed files and having a more vulnerable system.

All the best

#743870#27
Date:
2015-04-30 16:00:39 UTC
From:
To:
I would like to second this bug report. I also find the perl dependencies required for "cme"
are excessive and should be moved from Depends to Recommends at the very least in lcdproc. I
don't see any concern as above with attack surface or the minimal disk space, but I do think
that cme and it's dependencies are incorrectly required as part of lcdproc when they are
certainly not required to utilize lcdproc in any way or build it from the upstream source
tarball.
 
I'm also concerned about the removal of /etc/LCDd.conf as a Debian conffile from the lcdproc  
package. I understand that it is against Debian policy to have a maintainer script modify a
dpkg managed conffile (which is the obvious goal of cme), but should the user not choose not
to use cme to manage the configuration via the install prompt in apt/dpkg, the only copy of
the needed configuration in order to get lcdproc to do anything useful is buried down in
/usr/share/doc/lcdproc/LCDd.conf.gz, and no indication of this fact is given to the end user
at install time. To the naive user who has never installed lcdproc before, they would not know
to look for this file there instead of the Debian standard location of /etc/, as was
previously managed by dpkg.
 
As a solution to both of these issues, it seems that it would make a lot of sense to
separately package "cme" and set "libconfig-model-lcdproc-perl" only as a Recommends or
ideally, imo, a Suggests instead of Depends for lcdproc. Obvously, you would then set "cme" as
a Depends on "libconfig-model-lcdproc-perl", so that you could actually make use of the
suggested package. You would also need to restore /etc/LCDd.conf as a dpkg conffile, so that
it retains all of the benefits of being managed by dpkg.
 
Then, at install time for lcdproc, if libconfig-model-lcdproc-perl is (or is going to be)
installed, prompt the user if they would like to use cme to manage the configuration. If they
select yes, inform them that after the installation is complete, to modify the configuration
by running "cme edit lcdproc" (or whatever command) and let cme overwrite the default config
file in /etc/LCDd.conf. If they select "no" to management, then the correct file is already in
/etc/LCDd.conf and the user can manage the file in the traditional manner. There is no
certainly no Debian restriction that I know of on having an external program modify a dpkg-tagged conffile
after the dpkg transaction is complete, only that it not be done at install time. Samba’s SWAT
works (worked?) in this manner quite successfully, and it seems would be a good model to
emulate.
 
I'm sure I'm missing some fine nuance of Debian packaging with the above idea, but that would
be the basic workflow for the package installation. This would solve the problem of "too many
dependencies" as reported in this bug report as well as giving the users the option to not use
cme if they should so desire.
 

#743870#32
Date:
2015-05-01 12:57:15 UTC
From:
To:
Le jeudi 30 avril 2015 18:00:39, vous avez écrit :

That's a valid point. I'll modify the message shown to user to specify where
to find the original configuration file.
libconfig-model-perl has changed.

Regarding the dependendies, I have to consider 2 scenario:
- if cme is recommended or suggested, people may get upgrade problem
  with lcdproc because they forgot to install cme (or removed it by mistake).
-  if cme is required, some people don't like having more packages installed.

I think the first scenario is a usability concern and harder to recover from.
The second problem is more subjective.

Hence cme will stay a required dependency.
is a conffile and cannot be modified by a script. That's why LCDd.conf landed in
/usr/share/doc .

All the best

#743870#37
Date:
2015-05-01 20:55:45 UTC
From:
To:

#743870#44
Date:
2021-10-10 15:09:04 UTC
From:
To:
-- 
Hello,
I'm Prof. Dr Diane, please a huge amount of payment was made into your
account. as soon as your respond is noted the payment confirmation
slip will immediately send to you.  please do not hesitate to reply as
soon as you receive this message. awaiting your urgent reply please.
Best regards
Prof. Dr Diane