On Mon, 24 Jun 2019 12:24:50 +0930 Simon Lees <sflees@suse.de> wrote:
On 24/06/2019 02:59, Stasiek Michalski wrote:
On nie, cze 23, 2019 at 7:19 PM, Christian Boltz <opensuse@cboltz.de> wrote:
Hello,
Am Sonntag, 23. Juni 2019, 01:46:09 CEST schrieb Felix Miata:
Stefan Brüns composed on 2019-06-22 19:16 (UTC+0200): > Felix Miata wrote:
>> Problem: ghostscript-9.27-2.3.i586 requires apparmor-abstractions, >> but this ...
>> Solution 3: remove lock to allow installation of >> apparmor-abstractions-2.13.2-9.2.noarch[OSS] Solution 4: break >> ghostscript-9.27-2.3.i586 by ignoring some of its dependencies >> Choose from above solutions by number or skip, retry or cancel >> [1/2/3/4/s/r/c] (c): 4 Applying solution 4 > > The correct choice matching upstream openSUSE would have been (3). > You chose On the contrary, if apparmo* is not already installed, there is no reason I can imagine to introduce apparmor-* as a consequence of an update to another app that that particular installation has no use for (ghostscript).
There's a reason for this dependency - since some months, we have an AppArmor profile for ghostscript and it's helper scripts (ps2pdf etc.). Yes. technically ghostscript also works without the AppArmor profile, but you'll lack protection against evil files that trigger executing another program unintentionally. I'm probably biased on this ;-) but I'd argue that something that makes ghostscript more secure clearly qualifies for a "Requires".
Wouldn't it be better to split the package into apparmor addon and do Suppliments: (apparmor and ghostscript) over that? I don't really see a reason why ghostscript itself should require apparmor, if the user doesn't have it already installed.
Remember that default packages, especially the ones that aren't required for proper functionality of the system, might not be installed on user's system.
I agree this is probably a much better way to achieve pretty much the same result
It isn't. Ghostscript needs apparmor to be reasonably secure. A security flaw pointed out in ghostscript was fixed by writing this apparmor profile. For it to be effective you need apparmor even if you did not have it to start with. That's are requirement in my book. If you really know what you are doing you can use ghostscript without apparmor but that's not what the default should be regardless of installing recommends or not. Thanks Michal -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org