unofficial mirror of guix-patches@gnu.org 
* [bug#43851] [PATCH] gnu: sudo: Depend on python-minimal instead of python.
@ 2020-10-07 17:04 Jan Nieuwenhuizen
  2020-10-07 21:18 ` Tobias Geerinckx-Rice via Guix-patches via
  2020-10-08  7:03 ` [bug#43851] " Danny Milosavljevic
  0 siblings, 2 replies; 10+ messages in thread
From: Jan Nieuwenhuizen @ 2020-10-07 17:04 UTC (permalink / raw)
  To: 43851


Hi,

Depending on python pulls in X11:

--8<---------------cut here---------------start------------->8---
$ guix graph --path sudo libx11
sudo@1.9.3p1
python@3.8.2
tk@8.6.10
libx11@1.6.9
--8<---------------cut here---------------end--------------->8---

which is unfortunate, especially for the Hurd.

However...do we really want to extend sudo with eh, a large programming
language that has a more impressive CVE list than a lovely tiny language
such as, say Guile? ;)

Greetings,
Janneke


[-- Attachment #2: 0001-gnu-sudo-Depend-on-python-minimal-instead-of-python.patch --]
[-- Type: text/x-patch, Size: 1124 bytes --]

From e28a7f0679cc70f48f2583b2f3fe5f9a1984d6cc Mon Sep 17 00:00:00 2001
From: "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org>
Date: Wed, 7 Oct 2020 18:49:29 +0200
Subject: [PATCH] gnu: sudo: Depend on python-minimal instead of python.
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8

* gnu/packages/admin.scm (sudo)[inputs]: Use python-minimal instead of
python.
---
 gnu/packages/admin.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index e62a145614..399c55a080 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -1499,7 +1499,7 @@ system administrator.")
        ("linux-pam" ,linux-pam)
        ,@(if (%current-target-system)
              '()
-             `(("python" ,python)))
+             `(("python" ,python-minimal)))
        ("zlib" ,zlib)))
     (home-page "https://www.sudo.ws/")
     (synopsis "Run commands as root")
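Review bot: the input label stays "python" while the package becomes python-minimal, so any (assoc-ref inputs "python") lookup elsewhere in the recipe keeps working, and the cross-compilation branch of the `if` still yields '(), so the change is confined to the native build. Since the cover mail's `guix graph --path sudo libx11` shows the X11 pull-in arriving through python@3.8.2 and then tk, the hunk only meets its stated goal if python-minimal does not itself carry tk; re-running the same graph query against the patched package before pushing would confirm that. The commit message could also state that sudo's Python plug-in support itself remains enabled and only its provider changes, since that is the very question the thread goes on to raise.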
-- 
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com




* [bug#43851] [PATCH] gnu: sudo: Depend on python-minimal instead of python.
  2020-10-07 17:04 [bug#43851] [PATCH] gnu: sudo: Depend on python-minimal instead of python Jan Nieuwenhuizen
@ 2020-10-07 21:18 ` Tobias Geerinckx-Rice via Guix-patches via
  2020-10-09 17:18   ` Jan Nieuwenhuizen
  2020-10-09 18:15   ` Maxim Cournoyer
  2020-10-08  7:03 ` [bug#43851] " Danny Milosavljevic
  1 sibling, 2 replies; 10+ messages in thread
From: Tobias Geerinckx-Rice via Guix-patches via @ 2020-10-07 21:18 UTC (permalink / raw)
  To: Jan Nieuwenhuizen; +Cc: 43851


Good evening Janneke,

Jan Nieuwenhuizen wrote:
> Depending on python pulls in X11:

It only depends on Python because I wasn't [consciously] aware of 
the existence of python-minimal.  Your patch LGTM.

> However...do we really want to extend sudo with eh, a large 
> programming
> language

I enabled Python support in sudo because it exists for the same 
reason that Guile does.

If we want a less hackable sudo - certainly a defensible position 
- that's fine by me.  If we do, then yes, I think Python is 
reasonable considering the alternative (C).

> that has a more impressive CVE list than a lovely tiny language
> such as, say Guile? ;)

Python has a more impressive almost-anything than Guile so that 
means nothing.

Kind regards,

T G-R



* [bug#43851] [PATCH] gnu: sudo: Depend on python-minimal instead of python.
  2020-10-07 17:04 [bug#43851] [PATCH] gnu: sudo: Depend on python-minimal instead of python Jan Nieuwenhuizen
  2020-10-07 21:18 ` Tobias Geerinckx-Rice via Guix-patches via
@ 2020-10-08  7:03 ` Danny Milosavljevic
  1 sibling, 0 replies; 10+ messages in thread
From: Danny Milosavljevic @ 2020-10-08  7:03 UTC (permalink / raw)
  To: Jan Nieuwenhuizen; +Cc: 43851


Hi Janneke,

On Wed, 07 Oct 2020 19:04:27 +0200
Jan Nieuwenhuizen <janneke@gnu.org> wrote:

> Depending on python pulls in X11:
> 
> --8<---------------cut here---------------start------------->8---
> $ guix graph --path sudo libx11
> sudo@1.9.3p1
> python@3.8.2
> tk@8.6.10
> libx11@1.6.9
> --8<---------------cut here---------------end--------------->8---
> 
> which is unfortunate, especially for the Hurd.
> 
> However...do we really want to extend sudo with eh, a large programming
> language that has a more impressive CVE list than a lovely tiny language
> such as, say Guile? ;)

I am very much in favor of not having unnecessary dependencies in things
which are suid root.  Also, there already IS PAM support in sudo, and
PAM has modules--so why have yet another weird new mechanism?  For auditing,
there is auditd (even in Guix already).

Furthermore, it makes updating sudo more brittle.

Also, we already removed it when cross-compiling, pointing to other problems.

Please remove the python dependency entirely.



* [bug#43851] [PATCH] gnu: sudo: Depend on python-minimal instead of python.
  2020-10-07 21:18 ` Tobias Geerinckx-Rice via Guix-patches via
@ 2020-10-09 17:18   ` Jan Nieuwenhuizen
  2020-10-09 18:15   ` Maxim Cournoyer
  1 sibling, 0 replies; 10+ messages in thread
From: Jan Nieuwenhuizen @ 2020-10-09 17:18 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: 43851

Tobias Geerinckx-Rice writes:

Hello Tobias,

> Jan Nieuwenhuizen wrote:
>> Depending on python pulls in X11:
>
> It only depends on Python because I wasn't [consciously] aware of the
> existence of python-minimal.  Your patch LGTM.
>
>> However...do we really want to extend sudo with eh, a large
>> programming
>> language
>
> I enabled Python support in sudo because it exists for the same reason
> that Guile does.

Yes, hackability/extensibility makes sense and is good in general...

> If we want a less hackable sudo - certainly a defensible position -
> that's fine by me.  If we do, then yes, I think Python is reasonable
> considering the alternative (C).

...but in this case, yes, a less hackable sudo is what I'm certainly
leaning towards.

Danny Milosavljevic writes:

> I am very much in favor of not having unnecessary dependencies in things
> which are suid root.  Also, there already IS PAM support in sudo, and
> PAM has modules--so why have yet another weird new mechanism?  For auditing,
> there is auditd (even in Guix already).

> Furthermore, it makes updating sudo more brittle.

> Also, we removed when cross-compiling already, pointing to other problems.

> Please remove the python dependency entirely.

@Tobias: would you please revert/remove the Python addition to sudo (or
else discuss some more with others?).

>> that has a more impressive CVE list than a lovely tiny language
>> such as, say Guile? ;)
>
> Python has a more impressive almost-anything than Guile so that means
> nothing.

Yeah, Python is amazing.

Greetings,
Janneke

-- 
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com





* [bug#43851] [PATCH] gnu: sudo: Depend on python-minimal instead of python.
  2020-10-07 21:18 ` Tobias Geerinckx-Rice via Guix-patches via
  2020-10-09 17:18   ` Jan Nieuwenhuizen
@ 2020-10-09 18:15   ` Maxim Cournoyer
  2020-10-09 18:48     ` Tobias Geerinckx-Rice via Guix-patches via
  1 sibling, 1 reply; 10+ messages in thread
From: Maxim Cournoyer @ 2020-10-09 18:15 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: 43851, Jan Nieuwenhuizen

Hello Tobias!

Tobias Geerinckx-Rice <me@tobias.gr> writes:

> Good evening Janneke,
>
> Jan Nieuwenhuizen wrote:
>> Depending on python pulls in X11:
>
> It only depends on Python because I wasn't [consciously] aware of the
> existence of python-minimal.  Your patch LGTM.
>
>> However...do we really want to extend sudo with eh, a large
>> programming
>> language
>
> I enabled Python support in sudo because it exists for the same reason
> that Guile does.
>
> If we want a less hackable sudo - certainly a defensible position -
> that's fine by me.  If we do, then yes, I think Python is reasonable
> considering the alternative (C).

What kind of uses do the Python bindings provide? If we don't have any
use for them, I think it may be better to let the dependency go
altogether, to keep sudo as small and secure as possible.

Thanks,

Maxim





* [bug#43851] [PATCH] gnu: sudo: Depend on python-minimal instead of python.
  2020-10-09 18:15   ` Maxim Cournoyer
@ 2020-10-09 18:48     ` Tobias Geerinckx-Rice via Guix-patches via
  2020-10-09 19:26       ` zimoun
  2020-10-09 19:48       ` bug#43851: " Jan Nieuwenhuizen
  0 siblings, 2 replies; 10+ messages in thread
From: Tobias Geerinckx-Rice via Guix-patches via @ 2020-10-09 18:48 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 43851, Jan Nieuwenhuizen


Heyho Maxim,

Maxim Cournoyer wrote:
> What kind of uses does the Python bindings provide?

They're not bindings in the way I understand the term; more like a 
plug-in interface that allows you to implement security policies 
beyond the rudimentary ‘sudoers’ format (or writing a C extension 
*shudder*).  Basically: what we would have used Guile for :-)

The rest of the world uses Python.

However, PAM is not relevant to the discussion & served only to 
confuse.

> If we don't have any use for it, I think it may be better to let 
> the
> dependency go altogether, to keep sudo as small and secure as 
> possible.

I don't think sudo is either, nor does the presence of Python 
affect that meaningfully.  But let's stop this pointless 
discussion since removing it helps the Hurd progress.  That's 
enough.

The Hurd is a lot more exciting than the removal of sudo Python 
support -- and actually *will* improve security!

\o/,

T G-R



* [bug#43851] [PATCH] gnu: sudo: Depend on python-minimal instead of python.
  2020-10-09 18:48     ` Tobias Geerinckx-Rice via Guix-patches via
@ 2020-10-09 19:26       ` zimoun
  2020-10-09 19:44         ` Tobias Geerinckx-Rice via Guix-patches via
  2020-10-09 19:48       ` bug#43851: " Jan Nieuwenhuizen
  1 sibling, 1 reply; 10+ messages in thread
From: zimoun @ 2020-10-09 19:26 UTC (permalink / raw)
  To: me, 43851; +Cc: maxim.cournoyer, janneke

On Fri, 9 Oct 2020 at 20:49, Tobias Geerinckx-Rice via Guix-patches
via <guix-patches@gnu.org> wrote:

> I don't think sudo is either, nor does the presence of Python
> affect that meaningfully.  But let's stop this pointless
> discussion since removing it helps the Hurd progress.  That's
> enough.
>
> The Hurd is a lot more exciting than the removal of sudo Python
> support -- and actually *will* improve security!

I agree that supporting Hurd is more important than supporting
hypothetical users using hypothetically sudo with Python. :-)

Why not have 2 packages: 'sudo' (with Python) and 'sudo-minimal'
(without).  Or any other name.

Cheers,
simon
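As an added illustration of the two-package layout proposed above (example code, not the Guix project's own recipe and not part of this thread): a `sudo-minimal` variant derived from the existing `sudo` package by dropping the Python input. It assumes the base package in (gnu packages admin) carries a "python" input and passes sudo's real `--enable-python` configure switch in its `#:configure-flags`; the page does not show the package's flags, so that part is an assumption.

```scheme
;; Added example, not the Guix project's own code.  It sketches the
;; 'sudo' / 'sudo-minimal' split suggested in the thread: the base
;; package keeps the Python plug-in interface, the derived one does not,
;; so the python -> tk -> libx11 chain from the opening message leaves
;; the closure of the minimal variant.
;;
;; Assumptions (not shown on the page): the base 'sudo' package has an
;; input labelled "python" and lists "--enable-python" (sudo's own
;; configure switch for the Python plug-in) in #:configure-flags.
(use-modules (guix packages)
             (guix utils)              ; substitute-keyword-arguments
             (gnu packages admin)      ; the base 'sudo' package
             (srfi srfi-1))            ; alist-delete

(define-public sudo-minimal
  (package/inherit sudo
    (name "sudo-minimal")
    ;; Remove the Python input; the label "python" is assumed to match
    ;; the one used by the base recipe.
    (inputs (alist-delete "python" (package-inputs sudo)))
    (arguments
     (substitute-keyword-arguments (package-arguments sudo)
       ((#:configure-flags flags ''())
        ;; Build-side code: drop the plug-in switch so ./configure does
        ;; not look for a Python installation at all.
        `(delete "--enable-python" ,flags))))
    (synopsis "Run commands as root (without Python plug-in support)")))
```

The check that the variant actually achieves its purpose is the one already used in the opening message: `guix graph --path sudo-minimal libx11` should no longer find a route through python and tk, while the same query against `sudo` still does.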





* [bug#43851] [PATCH] gnu: sudo: Depend on python-minimal instead of python.
  2020-10-09 19:26       ` zimoun
@ 2020-10-09 19:44         ` Tobias Geerinckx-Rice via Guix-patches via
  2020-10-09 19:53           ` Jan Nieuwenhuizen
  0 siblings, 1 reply; 10+ messages in thread
From: Tobias Geerinckx-Rice via Guix-patches via @ 2020-10-09 19:44 UTC (permalink / raw)
  To: zimoun; +Cc: 43851, maxim.cournoyer, janneke


zimoun wrote:
> I agree that supporting Hurd is more important than supporting
> hypothetical users using hypothetically sudo with Python. :-)

I'm not hypothetical!  I'm a real boy!

> Why not have 2 packages: 'sudo' (with Python) and 'sudo-minimal'
> (without).  Or any other name.

I suggested as much on #guix so it is by definition an excellent 
suggestion.

Janneke?

T G-R



* bug#43851: [PATCH] gnu: sudo: Depend on python-minimal instead of python.
  2020-10-09 18:48     ` Tobias Geerinckx-Rice via Guix-patches via
  2020-10-09 19:26       ` zimoun
@ 2020-10-09 19:48       ` Jan Nieuwenhuizen
  1 sibling, 0 replies; 10+ messages in thread
From: Jan Nieuwenhuizen @ 2020-10-09 19:48 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: 43851-done, Maxim Cournoyer

Tobias Geerinckx-Rice writes:

Hello!

> Maxim Cournoyer wrote:
>> If we don't have any use for it, I think it may be better to let the
>> dependency go altogether, to keep sudo as small and secure as
>> possible.
>
> I don't think sudo is either, nor does the presence of Python affect
> that meaningfully.  But let's stop this pointless discussion since
> removing it helps the Hurd progress.  That's enough.
>
> The Hurd is a lot more exciting than the removal of sudo Python
> support -- and actually *will* improve security!

Thanks all, I've removed the python dependency from sudo; pushed to
master as 165e0918da54643bfaf9a6cb6b866f8692e9f8f9.

Greetings,
Janneke

-- 
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com





* [bug#43851] [PATCH] gnu: sudo: Depend on python-minimal instead of python.
  2020-10-09 19:44         ` Tobias Geerinckx-Rice via Guix-patches via
@ 2020-10-09 19:53           ` Jan Nieuwenhuizen
  0 siblings, 0 replies; 10+ messages in thread
From: Jan Nieuwenhuizen @ 2020-10-09 19:53 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: 43851, maxim.cournoyer, zimon.toutoune

Tobias Geerinckx-Rice writes:

Hi!

> zimoun wrote:
>> I agree that supporting Hurd is more important than supporting
>> hypothetical users using hypothetically sudo with Python. :-)
>
> I'm not hypothetical!  I'm a real boy!
>
>> Why not have 2 packages: 'sudo' (with Python) and 'sudo-minimal'
>> (without).  Or any other name.
>
> I suggested as much on #guix so it is by definition an excellent
> suggestion.
>
> Janneke?

Oops, I missed that and just pushed Python removal.  I would suggest
sudo-with-python; but I'm fine with sudo-minimal too.

Greetings,
Janneke

-- 
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com






Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
