Just a quick question about xz and xz-libs

Yes, for sure, but this should be a weak dep then.

I opened a PR. Maybe Server, IoT and CoreOS need it to be enabled then. Or Everything needs its own preset.

For that to work, GNOME should also support it. It would be bad if the user goes to the settings page, tries to configure SSH and it crashes Settings or, even worse, silently fails.

Having it installed isn’t that bad, the server just shouldn’t be enabled by default. The openssh package also contains the client, something that many people use.

That is provided by openssh-clients. The server is provided by openssh-server. You can remove the latter if you don’t want it.

Thanks for correcting me! Sounds like openssh-server could be removed then, as long as GNOME Settings doesn’t break.

That PR affects the minimal installation, making it unreachable over the network by default, which is debatable from a usability standpoint.

Moreover, for this sort of RCE malware, it doesn’t even matter whether SSH is installed or not, as the payload can be delivered in client mode if not included directly in the infected library.

I would say these would be server use cases, but yes that is the case.