Closed Geass-LL closed 1 year ago
dvdhrm
commented
1 year ago I can see the appeal of not having to track dbus-daemon security reports, but I think this proposal puts a lot of the burden on dbus-broker. Wouldn't the easier approach be to extract libdbus into its own repository and make dbus-daemon use it?
bluca
commented
1 year ago We are slowsly switching mainstream distributions to split the dbus-daemon package, so that only the libraries (and/or tools) can be installed. This should be the case for fedora/debian/ubuntu, so it should already be possible in these distributions to avoid installing dbus-daemon at all and just install dbus-broker, barring old dependencies that need to be updated (but vendoring code here wouldn't help in those cases either). It seems a much better path to pursue to me, vendoring a third party library here sounds overkill.
Geass-LL
commented
1 year ago We are slowsly switching mainstream distributions to split the dbus-daemon package, so that only the libraries (and/or tools) can be installed.
It's great to hear that. Tracking the updates of both dbus and dbus-broker seems the only way for me now. I'll close this issue, thanks for your reply.
Hello. We want to remove all dbus components from our system (dbus-daemon, dbus-libs and some dbus-tools), and only use dbus-broker instead. dbus-daemon and dbus-tools can be removed safely, but dbus-libs can't. There are many softwares use libdbus. After checking the source code of dbus, I found libdbus can be built only from codes in
dbus-1.1x/dbusdirectory, which means we can integrate libdbus into dbus-broker very easily. We want to do this, because as downstream linux distribution, after integrating, we can only maintain very small part of dbus code, and many dbus vulnerabilities/bugs can remain unfixed. Please take a consideration, thanks for your time.