From Bugzilla Helper:
User-Agent: Opera/7.11 (Windows NT 5.0; U) [en]

Description of problem:
When I tried to install the new cups package I noticed that it requires dbus. Is there a specific reason for this? Requiring dbus also means that cups will require XFree86-libs, which in turn will require XFree86-libs-data, XFree86-Mesa-libGL and fontconfig, since dbus requires XFree86 libs to be installed (and XFree86-libs requires these RPMs). I do not wish to have X (or the X libraries) installed on a server in the future.

The dbus requirement is something Red Hat has decided to add since it is not present (as far as I can see) in the original cups distribution. The cupsd daemon is now linked against dbus. Has the dbus package been audited? cupsd runs as root, at least it did in version 1.1.17...

Do the dbus libraries themselves require X-libs or is it just the helper programs?

Version-Release number of selected component (if applicable):
cups-1.1.19-8-i386.rpm

How reproducible:
Always

Steps to Reproduce:
1. Download cups-1.1.19-8.i386.rpm
2. rpm -Uvh cups-1.1.19-8.i386.rpm
3.

Actual Results:
Requirements on cups-libs-1.1.19-8.i386.rpm and dbus were shown.

Expected Results:
Only requirements for cups-libs-1.1.19-8.i386.rpm

Additional info:
DBUS is used for helping the desktop print icon do its job. hp: plans for auditing it?
dbus doesn't require xlib, but there are extra libs/tools in the dbus package that do. I can split the dbus package apart. cups will actually run without dbus, just won't send out the notifications. So one approach might be to just not list that dependency and add the dep to desktop-printing instead. dbus hasn't been audited yet but runs as a completely nonprivileged user (owns no files on the filesystem, has no shell), only listens on local sockets, and is written in a paranoid/security-aware fashion. Still, it is true that *if* the dbus daemon is running, and you crack dbus in a couple of different places, you may be able to break into the cups daemon (if you already have a local account; dbus adds no remote risk that I'm aware of).
The dependency is for the shared library libdbus-1.so.0; it's not something listed in the spec file. It might be a good thing to split out whatever requires libX11.so* from the dbus binary RPM, to avoid cups requiring it transitively.
This has been done now I think.