I’m not talking about YaST auto-resolving dependencies for me or the auto-updater checking for patches… sometimes, when I start up the Software Management portion of YaST, there will be a package or two marked for installation. Today, for example, it wants ksshaskpass. This is 11.2 64-bit. (I know I’m bucking the trend of 11.3 questions, but I’m hoping you can overlook that.)
Is this behavior expected? I don’t think I ever noticed it prior to 11.2. Has anyone else noticed this weirdness?
Glad to know it’s not just me, but that kind of behavior from a program that runs with root privilege really makes me antsy. Who knows what unwanted packages I’ve overlooked and installed along with my selected packages. Anyone know what the cause is? Couldn’t this be a real security issue?
This is perfectly normal behaviour if you use the Live-CDs and then go to Software Management before Online Update; anything which would be a recommended update in Online update appears in Software Management.
Caf4926: That assumes that only malware can compromise your security. Any additional package is an additional potential security bug, any unwanted package could lead to a misconfiguration or the enabling of an unexpected service. I trust my sources, but I wouldn’t let them administer my workstation blindly.
john_hudson: That’s good to know, but doesn’t apply in this situation. This is an installed system, and the packages are ones that don’t show up in online update.
I realize it sounds paranoid, but most computer security involves cultivating a well-informed sense of paranoia. Think of it this way – you trust the people who maintain your repositories. But would you trust me to select some packages from those repositories and install them on your workstation without telling you? Maybe I’d pick something innocuous, maybe I’d pick a server, maybe I’d pick a slightly out of date package with some known bugs, or a piece of software it is illegal to possess in your home country. The point is, you don’t know what I picked, or even that I did it.
Since I don’t know the mechanism of this bug, and no one has volunteered one, I am essentially in the situation of having a stranger secretly install packages to my workstation.
Admittedly, I can check for auto-selected stuff every time I run the package management software, but who knows how long this went on before I realized, and how do I know it’s not happening when I run an auto-update?
If you run auto-update you get what is fed to you. If you are really concerned about security and this bothers you, never run auto-update.
As said, if you install from a CD you do not get the “full” openSUSE package. You should install these recommended packages. But it is up to you; simply mark them not to be installed. You can always install them when you find out you really did need them.
>
>Thanks for the info gogalthorp, but I believe you are misreading the
>situation. Just to clarify:
>
>1. I installed from DVD.
>2. Sometimes when I run Software Management, before I select
>packages to install, there are packages already selected.
>3. These packages are not dependencies of the software I have
>installed or am about to install.
>4. These packages are not updates. That is, they do not appear in the
>auto-update widget or in the system update utility in YaST.
>
>Does this describe the same situation you are talking about?
I normally see a lot of packages marked as “keep”. This is stuff
already installed on my system. Or are you talking about something
else?
On 17/07/10 08:16, novelgazer wrote:
>
> Glad to know it’s not just me, but that kind of behavior from a program
> that runs with root privilege really makes me antsy. Who knows what
> unwanted packages I’ve overlooked and installed along with my selected
> packages. Anyone know what the cause is? Couldn’t this be a real
> security issue?
>
>
Is this the installation of “recommends” as opposed to dependencies? If
so, a previous thread suggested editing /etc/zypp/zypp.conf (set
solver.onlyRequires = true) and/or /etc/zypp/zypper.conf (set
installRecommends = no) to disable such installations.
I did this when installing an English dictionary caused a “recommended”
installation of (what seemed to be) all available dictionaries.
–
PeeGee
Asus m/b M2V-MX SE, AMD LE1640, 2GB, openSUSE 11.2/11.0 x86_64 dual boot
XP Home in VBox
Asus m/b M2NPV-VM, AMD 64X2 3800+, 2GB, openSUSE 10.3 x86_64/XP Home
dual boot
Acer Aspire 1350, AMD (M)XP2400+, 768MB, openSUSE 11.2/XP Home dual boot
Asus eeePC 4G (701), Celeron M353, 2GB, openSUSE 11.2 on SSD
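
An added example, not part of any post in this thread: a small audit that reports whether the two settings named in the post above are actually active, since a line that is still commented out leaves "recommends" enabled. The function names, the sample file contents, and the rules that an unset key means recommends are installed and that the last assignment wins are assumptions of this sketch.

```python
# Keys and values are the ones named in the post; everything else is illustrative.
CHECKS = {
    "/etc/zypp/zypp.conf": ("solver.onlyRequires", True),
    "/etc/zypp/zypper.conf": ("installRecommends", False),
}
TRUE = {"true", "yes", "1", "on"}
FALSE = {"false", "no", "0", "off"}

# Constructed samples: a file with only commented-out lines, and an edited one.
SAMPLE_DEFAULT = "[main]\n## Default: false\n# solver.onlyRequires = true\n"
SAMPLE_EDITED = "[main]\n# solver.onlyRequires = false\nsolver.onlyRequires = true\n"

def read_setting(text, key):
    """Return the active boolean value of key, or None if unset or unparseable.

    Comment lines, blank lines and section headers are skipped; the key is
    matched in any section, and the last assignment wins (assumptions).
    """
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        name, sep, raw = line.partition("=")
        if sep and name.strip() == key:
            raw = raw.strip().lower()
            if raw in TRUE:
                value = True
            elif raw in FALSE:
                value = False
            else:
                value = None
    return value

def audit(texts):
    """Map each config path to True when its setting disables recommends."""
    return {path: read_setting(texts.get(path, ""), key) is wanted
            for path, (key, wanted) in CHECKS.items()}

if __name__ == "__main__":
    texts = {}
    for path in CHECKS:
        try:
            with open(path) as fh:
                texts[path] = fh.read()
        except OSError:
            pass  # a missing or unreadable file counts as "not set"
    for path, ok in audit(texts).items():
        print(f"{path}: recommends {'disabled' if ok else 'NOT disabled'}")
```
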
>
> Thanks for the info gogalthorp, but I believe you are misreading the
> situation. Just to clarify:
>
> 1. I installed from DVD.
> 2. Sometimes when I run Software Management, before I select
> packages to install, there are packages already selected.
> 3. These packages are not dependencies of the software I have
> installed or am about to install.
> 4. These packages are not updates. That is, they do not appear in
> the auto-update widget or in the system update utility in YaST.
>
> Does this describe the same situation you are talking about?
Yes, I have seen that exact situation. I don’t know why.
–
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Minas Tirith))