Web lists-archives.com

Re: Reducing the attack surface caused by Berkeley DB...


On 1/26/18 11:39 AM, David Kalnischkies wrote:
> On Thu, Jan 25, 2018 at 11:59:06PM +0100, Lionel Debroux wrote:
> > In practice, Berkeley DB is a core component of most *nix distros.
> > Debian popcon indicates that libdb5.3 is installed on ~80% of the
> > computers which report to popcon.
> I wonder how many of this ~80% is only due to having installed
> apt-utils (99.83%) for apt-extracttemplates (which is responsible for
> having many debconf questions before the installation process starts).
Indeed. The weight of apt-utils (#65 popcon by_inst), and even more so
of libpam-modules (#5 !), in libdb5.3's popularity is probably pretty
high. Even if both of those dependencies went away, libdb5.3 would
remain quite popular anyway due to Perl, Python (2 and 3), and others.

> Anyway, the only util in apt-utils making use of libdb is
> apt-ftparchive which a) isn't used much in Debian – but by some
> derivatives¹ and b) can operate without the backing of a db, but you
> don't want to run a large archive without it.
Could that program conceivably be split to another package ?
This also goes for libpam-modules, where pam_userdb.so is the only user
of libdb5.3.
Of course, I probably don't foresee all of the consequences of such
changes - maybe splits are harder to perform on essential packages, to
begin with ?

> Famous last words, but I doubt there is anything libdb does for
> ftparchive which couldn't be done by any other database, so switching
> shouldn't be too hard database-wise…
> Finding someone performing the daunting task of actually switching
> code, documentation and existing databases over on the other hand… I
> at least don't see me enthusiastically raising my arm crying "let me,
> let me, …".
Heh. Neither do I see myself for such a task :)
Miriam's suggestion (BTW: thanks Miriam for some Debian packaging
example I used years ago at work) makes sense.