From Bugzilla Helper:
User-Agent: Opera/7.11 (Windows NT 5.0; U) [en]
Description of problem:
When I tried to install the new cups package I noticed that it requires dbus. Is
there a specific reason for this?
Requiring dbus also means that cups will require XFree86-libs, which in turn
will require XFree86-libs-data, XFree86-Mesa-libGL and fontconfig, since dbus
requires XFree86 libs to be installed (and
XFree86-libs requires these RPM:s).
I do not wish to have X (or the X libraries) installed on a server in the
The dbus requirement is something Red Hat has decided to add since it is not
present (as far as I can see) in the original cups distribution. The cupsd
daemon is now linked agains dbus.
Has the dbus package been audited? cupsd runs as root, atleast it did in
Does the dbus libraries itself require X-libs or is it just the helper programs?
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Download cups-1.1.19-8.i386.rpm
2. rpm -Uvh cups-1.1.19-8.i386.rpm
Actual Results: Requirements on cups-libs-1.1.19-8.i386.rpm and dbus where
Expected Results: Only requirements for cups-libs-1.1.19-8.i386.rpm
DBUS is used for helping the desktop print icon do its job.
hp: plans for auditing it?
dbus doesn't require xlib, but there are extra libs/tools in the dbus package
that do. I can split the dbus package apart.
cups will actually run without dbus, just won't send out the notifications. So
one approach might be to just don't list that dependency and add the dep to
dbus hasn't been audited yet but runs as a completely nonprivileged user (owns
no files on the filesystem, has no shell), only listens on local sockets, and
is written in a paranoid/security-aware fashion. Still it is true that *if*
the dbus daemon is running, and you crack dbus in a couple of different places,
you may be able to break into the cups daemon (if you already have
a local account; dbus adds no remote risk that I'm aware of).
The dependency is for the shared library libdbus-1.so.0; it's not something
listed in the spec file.
It might be a good thing to split out whatever requires libX11.so* from the dbus
binary RPM, to avoid cups requiring it transitively.
This has been done now I think.