Hi

I noticed that Fedora 42 was released and their docker images lack a
'awk' tool. Debian trixie images ship with 'mawk' pre-installed right
now. While I'm not convinced the removal game is necessarily a good
one, I can see that it does have some advantages. Is it possible to
drop 'mawk' from the set of default tools in trixie? If not, what are
the blockers? What is the method to find out what the blockers are?

/Simon

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmgBRxYUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFosrSAQCioG/Q+DBX STZgXg3npqd43RSSlklk3ae34r8ihWsiwwEAyShdNnp85U8rr9wO8Mhj1Uww+ieE NNXr3npJL4x0Bg4=
=APvw
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Simon Josefsson <[email protected]> writes:

I noticed that Fedora 42 was released and their docker images lack a
'awk' tool. Debian trixie images ship with 'mawk' pre-installed right
now. While I'm not convinced the removal game is necessarily a good
one, I can see that it does have some advantages. Is it possible to
drop 'mawk' from the set of default tools in trixie? If not, what are
the blockers? What is the method to find out what the blockers are?

awk is in the essential set in Debian, so this would be a very substantial amount of work. See the Pre-Depends in base-files, which is there to make
some awk implementation essential while still allowing the user to switch between implementations.

--
Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 17 Apr 2025 at 19:41, Santiago Vila <[email protected]> wrote:

Installed size of mawk is 263 MB which is really small for today's standards.

Isn't that bad for the Debian minimal images for containers?

I'm not too familiar with how we generate our container images but I can see mawk there and Debian is used on most official container images of other projects.

Cheers,


--
Samuel Henrique <samueloph>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

El 17/4/25 a las 20:27, Russ Allbery escribió:

Simon Josefsson <[email protected]> writes:

I noticed that Fedora 42 was released and their docker images lack a
'awk' tool. Debian trixie images ship with 'mawk' pre-installed right
now. While I'm not convinced the removal game is necessarily a good
one, I can see that it does have some advantages. Is it possible to
drop 'mawk' from the set of default tools in trixie? If not, what are
the blockers? What is the method to find out what the blockers are?

awk is in the essential set in Debian, so this would be a very substantial amount of work. See the Pre-Depends in base-files, which is there to make some awk implementation essential while still allowing the user to switch between implementations.

Indeed. As James Troup once said, we made perl to be part of the essential set, and not doing the same with good old awk would be criminal.

Installed size of mawk is 263 MB which is really small for today's standards.

Thanks.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Apr 17, 2025 at 08:40:42PM +0200, Santiago Vila wrote:

Installed size of mawk is 263 MB which is really small for today's standards.

KB rather than MB, thankfully!

--
Colin Watson (he/him) [[email protected]]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Apr 17, 2025 at 11:27:22AM -0700, Russ Allbery wrote:

awk is in the essential set in Debian, so this would be a very substantial >amount of work.

{Docker image comaintainer hat on}

This is right. More specifically -- the Debian docker images are (intentionally) -- "just" `debootstrap --variant=minbase`.

Changing what packages are "pre-installed" with the Docker image is not
a negotiation that we wanted to have in isolation as the people who keep
the image current. Our goal was to have an image that wasn't unique (or suprising) to a Debian project member -- rather, IMVHO, the package(s)
should be added or removed from the minbase set via our usual
conventions.

This has come up from time to time (in the form of some people asking to 'please install X', or 'why did Y go away') -- but the result and push
to sync these two ecosystems (debootstrap and the image) is something I believe to be correct, and don't have any real intention of changing as
of right now.

If we want to drop something from the Docker image -- that's great! I'd
love that. It's just something we'd have to work through the usual
process of changing priority, deps, or what have you. Which -- I will
note -- benefits the whole operating system on all platforms, not just
one container image (this is the way).

paultag

--
⢀⣴⠾⠻⢶⣦⠀ Paul Tagliamonte <paultag>
⣾⠁⢠⠒⠀⣿⡁ https://people.debian.org/~paultag | https://pault.ag/
⢿⡄⠘⠷⠚⠋ Debian, the universal operating system.
⠈⠳⣄⠀⠀ 4096R / FEF2 EB20 16E6 A856 B98C E820 2DCD 6B5D E858 ADF3

-----BEGIN PGP SIGNATURE-----

iQEzBAABCgAdFiEE8rctyP6kE7DHa+fOytLPCmgIXzIFAmgBW7EACgkQytLPCmgI XzKbGwgAhQzHeKJurM5Bp7j7HW8/rFlgnxjfm5W+0TCnlV/N5wPS7rSEWGe+roy1 qsFTb8mAd+MidHfklqi0ljFO4PuYY64iu5os2Ji5DHJc2IdIuVtZMX6IamW9eT2X lVkLfLW2mu5/RS5g/lbq7Qhy8CBi+6Ne3a3Y1v+PCO2F6Dzud6qsAW5w+QLfo0s9 NwgPxU632Pz00JD7daXS0y/EZo+5T/tprrKZ88lr8WpX0JynfYB1ZLkPbXXgTX8t RvNSqeGqpTfgv2QRbxgLXXyXPNjZrb4FczCn8I02+piZgksVV8sg6cJAGQnPNMSe Mo6rMzRI/sqyZ2jOS5g5ukcEm3Fr3g==
=ddID
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

El 17/4/25 a las 21:03, Colin Watson escribió:

On Thu, Apr 17, 2025 at 08:40:42PM +0200, Santiago Vila wrote:

Installed size of mawk is 263 MB which is really small for today's standards.

KB rather than MB, thankfully!

Big oops! I wonder how small they want images to be to
consider 263 KB unbearable.

Thanks.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Simon Josefsson wrote:

Debian trixie images ship with 'mawk' pre-installed right now. While
I'm not convinced the removal game is necessarily a good one, I can
see that it does have some advantages. Is it possible to drop 'mawk'
from the set of default tools in trixie? If not, what are the
blockers? What is the method to find out what the blockers are?

I would *love* to see the Essential set reduced. But I think this is
combining a couple of steps, and we'd do better to separate those steps.

One is "should we make dependencies on awk explicit, rather than having
them be implicit and undocumented because awk is Essential".
The other is "should we reduce dependencies on awk".

The latter may or may not happen in any individual case, but I think the
former would have a lot of value independently. And with the former
done, we'd have the opportunity to *consider* the latter on a
case-by-case basis, with rationales like "if packages A and B didn't use
awk, then we'd simplify bootstrapping", or "if packages B and C didn't
use awk, it'd be possible for XYZ useful class of minimal systems/containers/VMs to not need it installed".

Given some amount of agreement that it had value, and that the downsides
were low, we could consider *starting* to list dependencies on awk (by
way of virtual packages to allow selecting implementation) explicitly,
rather than leaving them implicit via Essential. A quick look at /var/lib/dpkg/info suggests that not *that* many maintainer scripts use
it even on a full desktop system, and a look at /usr/bin and /usr/sbin
suggests that while there are various things using it, they tend to come
in a few broad categories (e.g. developer-oriented scripts) and *mostly*
be higher in the stack (e.g. mostly not essential things themselves). (A notable exception is tzselect, which makes extensive use of awk, but
while that's in the essential package libc-bin, it does not itself seem
like an essential tool and could potentially be in a higher-level
package itself.)

Based on that, it seems like it would not be *especially* hard to
*declare dependencies* on awk, which would not in any way a commitment
towards *systematically eliminating* those dependencies. Having those dependencies declared would then make it feasible to consider avoiding
it in *some* especially valuable cases, and conversely would allow folks building container/VM/embedded images to know when they actually need
it.

In general, I think this is roughly the right approach for any proposed
work on the Essential set, with the first step being to declare
dependencies explicitly.

- Josh Triplett

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Apr 17, 2025 at 03:51:15PM -0400, Paul Tagliamonte wrote:

On Thu, Apr 17, 2025 at 11:27:22AM -0700, Russ Allbery wrote:

awk is in the essential set in Debian, so this would be a very substantial amount of work.

{Docker image comaintainer hat on}

This is right. More specifically -- the Debian docker images are (intentionally) -- "just" `debootstrap --variant=minbase`.

Changing what packages are "pre-installed" with the Docker image is not a negotiation that we wanted to have in isolation as the people who keep
the image current. Our goal was to have an image that wasn't unique (or suprising) to a Debian project member -- rather, IMVHO, the package(s)
should be added or removed from the minbase set via our usual conventions.

This has come up from time to time (in the form of some people asking to 'please install X', or 'why did Y go away') -- but the result and push to sync these two ecosystems (debootstrap and the image) is something I believe to be correct, and don't have any real intention of changing as of right
now.

If we want to drop something from the Docker image -- that's great! I'd love that. It's just something we'd have to work through the usual process of changing priority, deps, or what have you. Which -- I will note -- benefits the whole operating system on all platforms, not just one container image (this is the way).

Co-sign all of that, with the addition of the following interesting
links:

- https://salsa.debian.org/debian/grow-your-ideas/-/issues/20
(where shrinking is discussed before / still)

- https://github.com/debuerreotype/docker-debian-artifacts/blob/949bf2c69b0888b62fe78dd45d02b74a7ddf64e2/trixie/rootfs.manifest
(the current set of packages in the "debian:trixie" image)

♥,
- Tianon
4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4

(please keep me CC'd in any replies; I don't subscribe to -devel)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtC9oGQB/APiONk/UA2qcJb81fdQFAmgBeiAACgkQA2qcJb81 fdROwhAAp0jkXEROBKhZXF7Sf+WfQ+tpyW7b+OKjAmgVtFPESfExlL/ZuyuAUPG7 KFNkKKCkwG+yGESMkC/WXnq3NuOuCgWL3wkFNSUglyPu5AEkvpjFmtt+GGgD0vto jUp6GHuPilHlYti5S2z3aKdgwJ3xHMvzJDZ6mpKjSuyiLmRbJd4dklXCeiSQqCOB bBu73IugEYZm/KyjqRtHYKql2esVg9/j3ZcQyh2hojNSvVRw05MyHlaDS0jA5GGB tiCbGAhFtrQ2vSLNnq5ufEQK+8sR0/EIDLfsmgwoGnqAz1t8i/gNwU0ZTfCwt/Sl 3IqMD1dc/fTY6CVSGlYAZp49idFX4KJJHrro0du/WGSLEVIh07Ay1KT+vGW2bTx3 ZbIfsxFWEKGh8FX8E3ouNh1EOxN7cPYo6zZh8bM1ZthkxFF646qGbNbKw1dACrV2 Efi1HlM5nYxIMGUjp20Q9Gp2NEODk8t5s98VqRCzw6zYG3mIbcDLgd6VzSKPrAXn 23uleupxyVngrimZmvEqmwr3hrI8hZB0wsse1qnw0Vs/aP+hD754bRsm3e85GZru m9HEfp9IHZzIC/jG8wkCy1d0DebDm/udsIxF8Imi4sHcbkpHKIGOVmlnI6NCAtsJ PmXMpjX4i98svQMQY/SEeGiHek50jpNY1fyBz3uPIjkT9J+ije8=
=LOKQ
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hello,

On Thu 17 Apr 2025 at 03:51pm -04, Paul Tagliamonte wrote:

Our goal was to have an image that wasn't unique (or suprising) to a
Debian project member -- rather, IMVHO, the package(s) should be added
or removed from the minbase set via our usual conventions.

This makes sense.

In this vein, I wish that our minimal install was POSIX sh-compatible.
It currently isn't, because m4 isn't included (and maybe some other
things). In fact, even on a regular Debian desktop install, m4 isn't
there unless you explicitly install it.

m4 is the only way POSIX.1-2017 defines to safely create a temporary
file (outside of writing and compiling a C program). I think the newer
POSIX standard has not improved on this particular point.

Removing awk from default installs would move us further away from that.

I don't know how common my view is, but I think making sure that all
POSIX sh-compatible scripts could be guaranteed to run without
compatibility hacks on any *BSD, macOS or Debian-based system would be fantastically useful (at least FreeBSD and macOS already have the full
POSIX sh suite out-of-the-box; I would assume the other BSDs do too).

I think the implementation of this does not need to be "Essential: yes",
btw. Making it possible to be even smaller is fine too. I'm talking
about defaults -- and I think that includes default/official container
images.

--
Sean Whitton

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJNBAEBCgA3FiEEm5FwB64DDjbk/CSLaVt65L8GYkAFAmgBoHEZHHNwd2hpdHRv bkBzcHdoaXR0b24ubmFtZQAKCRBpW3rkvwZiQC5WD/wJUcgWdEfM9wLqRWH9fyCT y0kB5HsiVcE3Vf+kks24m4ujEm9tYnX/r7wqITlfKNISRov84vo0MV5SuEHnm2Aq ipvm21vJ05vgmVm4jw+w+Vad10cwbmLt2er18vpsAg9x4IASRLK1PPipKlf19Den rGS6j6Blt2t7+p4eSsWibWe0ua8JXJHjMQL0NKjOVCNTbfwdW4AtM8GS+Hoi1VQP +NbHU4ZgejYn5bJLTzcK48CabUz4dusfbLrDFDmuGs/5NYC8IAYl7cgrq6hMDl1m Rga+uqpecww25mEz41FjO78eUnXlo0SQKzz7iNl5Yc6+REo4QmskKuJsxu/yC9QX Jme9b9dbiVq4qMDP5LEpWGjugEOOpp8C9W3Y93fmIFNcup3KQNArNhJj/ihEIPms rHGeYRslPM++rUR1RsFm95eqn2my7GaebA8Q3Wjv3Gj0/M06L0Bi3tGTUpa3ATvC LFLdYNrnvz8GX91Nob3n5r97XdPJIBqxv1qrvC2BAp2riVVGVa3AO+MniwszPm/J IwwFn+2dOWMVy6arwCCMoHL2ITpve1zx7Nks+awI9gs+sT5fzzgrjoIWMtIeTHrE yXc/ebtGqc0+93Y4JiqLtZdEsvygsPny85mp0LBTY+4U4dCgiD0HNcR/HA7JQXho x8YoAuOnkJLXg/xOtuZ2mQ=3rZ
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usen

Hello,

On Thu 17 Apr 2025 at 08:02pm -05, Richard Laager wrote:

So, personally, I think getting mktemp(1) added to POSIX would be
better for portability in the long run anyway.

Eventually. POSIX.1-2017 is going to be the thing to target for a long
time, I think.

GNU m4 doesn't follow POSIX strictly, unfortunately.

See these workarounds for both the potential lack of m4 and the lack of
GNU m4 behaving POSIXly:

https://sources.debian.org/src/consfigurator/1.2.3-1/src/connection.lisp/#L305

--
Sean Whitton

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJNBAEBCgA3FiEEm5FwB64DDjbk/CSLaVt65L8GYkAFAmgB9qEZHHNwd2hpdHRv bkBzcHdoaXR0b24ubmFtZQAKCRBpW3rkvwZiQAJBD/wNieBu5GDORG0MVb/bLvXP iNn14rgRQIHyhvU9fYISrg7++D2wzYc2SIq+eHYfAXIsTKc1+biicyFqC2Uhcx2D urDit3Nx0EuyJtxpBzMZt++PTv8YUfk8bBPtVaKyi+cB2t9jGfQ8rD8mMVhnDein 68m5XUMsPHTCh2j24WPraBwCFmaLpllqj9fW1QAbdNiTdcHo9UWNzYj+j91klVhr p3YTxQcFhm3Gemb++tDwTQDwOglTGgLh88YNrsJ1gGTa18Xluh4LSk2Q0mqUYS7Q vUuj+wfSDoXD8aG6brYLSCr2YK0RaUVeMHM2gP64rYnum5Cj3kJttdaIDl+HCRNq fC0VpmVoRKgfGany+ICFsJsq+sbs0MI/ec/gtx+y8LYbYBpZEj5U8okHHVv8n9M6 NEW24hXtZWpjmnkOulwAOmt6Pt9Tvvm/59MSz1ND6fmZYeCEmw0C7E7UWZPk/SOD tFjpTzX12Gaa40qopkbp/18LZTsxfg3DxfnTAcynRGtW5P/pbrP/SO1Gb0n1UeU9 7jTIygIjm0F7rW56/SjvocjSOp2nx9ImuMif8oQ/AjL+lfWQoiyKjUKaaWdc0JAM nQQpzcwhP0pOg61OXS8vZKrzkhSmdYVqbfCEDHCtea4LefNe5A5T+KEDvAS2QIxR mbvl/j9zzpI80bAn01vINg=�zE
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usen

Hi Simon,

On Thu, Apr 17, 2025 at 08:23:18PM +0200, Simon Josefsson wrote:

I noticed that Fedora 42 was released and their docker images lack a
'awk' tool. Debian trixie images ship with 'mawk' pre-installed right
now. While I'm not convinced the removal game is necessarily a good
one, I can see that it does have some advantages. Is it possible to
drop 'mawk' from the set of default tools in trixie? If not, what are
the blockers? What is the method to find out what the blockers are?

shrinking essential/minbase/container images generally is a worthwhile
goal as you saw from existing replies. What is not as useful is asking
"can we drop XXX?" with little context, because (as others indicated)
this is a ton of work. The way to advance these matters is doing
research.

One of the first aspects is what "dropping" means. Typical answers:
* Removing "Essential: yes"
* e2fsprogs, mount and a few more used to be essential.
* Removing dependencies
* apt (not essential, but close) used to depend on adduser.
* Reducing the Priority value
* We've been debating this for ifupdown.
* Removing dependencies within the build-essential set
* I recently proposed removing libcrypt-dev from build-essential.

In this case, the immediate meaning must be getting it out of essential. However, that does not move it out of container images, which incurs
further work and also raises the user impact (see Sean's mail).

Next, there is a question of what we gain. Essential weighs in at
roughly 100MB (depending on how you count it). So regarding awk, we're
talking about a size reduction of about 0.3%. For comparison, being able
to substitute toybox for coreutils has the potential to reduce more than
10% of size. Removing bash (keeping dash) would be around 7%. Whilst
those other gains are significantly higher, their impact and effort also
is. Picking a sensible candidate is the difficult part here.

It leads us to analyzing the effort and impact. Being in the essential
set means that dependencies are not spelled out. So the first step is
locating those dependencies. As we will likely not be able to audit
Debian's source code for awk uses in a reasonable amount of time,
empirical methods are likely needed.
* Rebuild the archive with awk dropped and see what fails
* Consider using reproducible builds to additionally see what packages
change as a result of dropping awk (for those that happen to be
reproducible)
* Search for awk usage in maintainer scripts
https://binarycontrol.debian.net/?q=awk&path=unstable%2F.*%2Fp
Note that postrm scripts cannot express dependencies and need to be
rewritten without awk. It also means that if you assume people to
always purge their packages, we may remove awk in forky+1 at best if
we manage to fix all postrm in forky.
* Download all Debian binary packages and search for awk uses in the
installed files using regular expressions.
* Run autopkgtests with awk removed

Doing this is a ton of work. Doing that work and presenting the results
is what makes "can we drop awk?" a useful question as it answers the
cost part.

This is not meant to discourage you. Quite to the contrary. Reducing
implicit software dependencies has lots of other benefits such as easing architecture bootstrapping and a smaller trusted computing base. It is a
topic you cannot do in a spare evening though.

For instance, I'd like to propose making coreutils substitutable in
essential like awk is substitutable. However, that question is not
presently "useful" in the sense that it lacks a sound implementation.
I've been pondering this with Jochen and Johannes back in W�rzburg and
now Julian has picked up the question and arrived at a promising
prototype based on feedback from Guillem. I hope that we are discussing coreutils soon, but that discussion will be so much more useful when it
comes with a prototype and an impact analysis.

Helmut

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Apr 18, 2025 at 02:52:17PM +0800, Sean Whitton wrote:

On Thu 17 Apr 2025 at 08:02pm -05, Richard Laager wrote:

So, personally, I think getting mktemp(1) added to POSIX would be
better for portability in the long run anyway.

Eventually. POSIX.1-2017 is going to be the thing to target for a long
time, I think.

I think POSIX is mostly a relic, and not worth worrying about except as
one of many inputs. Too many mistakes were made too early on, and it's
just too late to get everyone to agree on a common standard because real
world implementations diverged in too many ways. If someone wants to
make a program that works reliably across platforms sh isn't the right
tool in 2025. (And I say that as someone who quotes POSIX regularly: it
has value for things like choosing amongst a set of possible
implementations, but not for making assumptions about what will work in
the real world.)

GNU m4 doesn't follow POSIX strictly, unfortunately.

Very few things do. POSIX itself has been trying harder to reflect
reality in areas where nobody wanted to follow the standard, but then
you're left with the problem that there's no straightforward way to
discover which version of the standard a particular tool is using.

See these workarounds for both the potential lack of m4 and the lack of
GNU m4 behaving POSIXly:

I'm curious what modern platform doesn't have mktemp; is this more than
an academic question?

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Apr 17, 2025 at 08:23:18PM +0200, Simon Josefsson wrote:

Is it possible to drop 'mawk' from the set of default tools in trixie?

Regardless of the practical and important questions others raised on why
and how to actually do it, no change like this could be done responsibly
at this point of the trixie release cycle. We just entered the second
part of the freeze (soft freeze) last Tuesday April 15th.

Or, did you mean forkie?

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEst7mYDbECCn80PEM/A2xu81GC94FAmgCVZAACgkQ/A2xu81G C95Mwg/9GO4df/zL0YpINRYiMe//3G+ChlMJS2GwwyCEJjMytdVcqx6SPWrbAdQO ZHOOMWnoaRk7QssT+hoLzMBTjNa8rCBVQILitXcksQdumXZDXAztm/83q+3pWZ3z MIXRGOy8ewyo6nk5DjwL+j8cwn8KK5pNgc2qIku/J3RYNOdL5+lwnysCwDxpZiH3 PKdJV4pJWeCM6KP4sugEGAT7wR0uWc5f/qcYchPdyFu13hV0XwkyhBBh5Lwo3opo HapP5biO5cJ60fwA5o04DQNjiWpzfBV52OuD5dzegn6eRx728inORjVb08M27Rpg 1DfV7gFD/onq8QJuutQTAzzEUrckt6UkIcPkXAz4f3UcSkSYwsVW8UPDudzf6yz0 eTf2oEmXM3Z/8tLTvc9fR6bJtP5f8BiZX4iNGy4Dg+dAtHPeHvJDALdKfl0mf8U6 Bfal2ZJCNcPQN9cl2cMNZjRKNE/YJTOmbyPHdqfvfClFMftHJCycSYZmmzSJXgPG rmmTCnDfJKmDOR0BK3Zlc9ghyzUGueCxJCV3vPYi5qvSb7GhAL4Z4nfY3PgqWqeN v3nHECdUEVexY8+ld/WvvUMTx3mW3dRxIUcHHSnf3XLdJL4oPSYlJyKVNg6KAL7U eMa+h3TNBbWxZ3PWJd+AE1LeKQF/cN+Q9GrItDJedhupIyHeSOk=
=3X/g
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu Apr 17, 2025 at 7:23 PM BST, Simon Josefsson wrote:

I noticed that Fedora 42 was released and their docker images lack a
'awk' tool.

They likely lack perl, as well. Most/all awk usage in maintainer scripts
could probably be replaced with perl. But, if you are in the minimizing
game, perhaps you'd rather remove perl from the essential set? A
substantially harder project.

--
Please do not CC me for listmail.

👱🏻 Jonathan Dowland
✎ [email protected]
🔗 https://jmtd.net

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hello,

On Fri 18 Apr 2025 at 08:18am -04, Michael Stone wrote:

On Fri, Apr 18, 2025 at 02:52:17PM +0800, Sean Whitton wrote:

On Thu 17 Apr 2025 at 08:02pm -05, Richard Laager wrote:

So, personally, I think getting mktemp(1) added to POSIX would be
better for portability in the long run anyway.

Eventually. POSIX.1-2017 is going to be the thing to target for a long >>time, I think.

I think POSIX is mostly a relic, and not worth worrying about except as one of
many inputs. Too many mistakes were made too early on, and it's just too late to get everyone to agree on a common standard because real world implementations diverged in too many ways. If someone wants to make a program that works reliably across platforms sh isn't the right tool in 2025. (And I say that as someone who quotes POSIX regularly: it has value for things like choosing amongst a set of possible implementations, but not for making assumptions about what will work in the real world.)

I have interpreted scripts that I want to run on any FreeBSD and Debian machine, because they are part of my OS bootstrapping. What else is
there than POSIX sh for this? Therefore, it's still relevant.

I'm curious what modern platform doesn't have mktemp; is this more than an academic question?

I don't know. There are other things that you want awk for if you are
doing pure POSIX sh scripting; mkstemp is just an example.

--
Sean Whitton

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Sean Whitton <[email protected]> writes:

Hello,

On Fri 18 Apr 2025 at 08:18am -04, Michael Stone wrote:

On Fri, Apr 18, 2025 at 02:52:17PM +0800, Sean Whitton wrote:

On Thu 17 Apr 2025 at 08:02pm -05, Richard Laager wrote:

So, personally, I think getting mktemp(1) added to POSIX would be
better for portability in the long run anyway.

Eventually. POSIX.1-2017 is going to be the thing to target for a long >>>time, I think.

I think POSIX is mostly a relic, and not worth worrying about except as one of
many inputs. Too many mistakes were made too early on, and it's just too late
to get everyone to agree on a common standard because real world
implementations diverged in too many ways. If someone wants to make a program
that works reliably across platforms sh isn't the right tool in 2025. (And I >> say that as someone who quotes POSIX regularly: it has value for things like >> choosing amongst a set of possible implementations, but not for making
assumptions about what will work in the real world.)

I have interpreted scripts that I want to run on any FreeBSD and Debian machine, because they are part of my OS bootstrapping. What else is
there than POSIX sh for this? Therefore, it's still relevant.

I think some reasonable subset of POSIX sh is all you can/should assume
these days, everything else needs to be documented and installed as dependencies. Even (what used to be) common tools like awk, cmp, diff,
join have disappeared from various distributions. Guix proved that a /bin/sh-only approach is possible and usable.

I have mixed feelings about this minimization pattern -- it is often
combined with replacing copyleft software with non-copyleft
implementations (GPL -> LGPL/MIT) -- but I can't deny that I find
minimal containers really useful.

/Simon

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmgDppIUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFoh1uAPwKTQOSUrs2 BomIie1cyP0hoNOicQns+pC26kXthecvrgEA1mOdXP6WYImDQWr1JLs07odQnqEt 30D/uKJxYwvqLw4=
=ziqq
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Apr 18, 2025 at 10:17:12PM +0100, Jonathan Dowland wrote:

They likely lack perl, as well. Most/all awk usage in maintainer
scripts could probably be replaced with perl. But, if you are in the >minimizing game, perhaps you'd rather remove perl from the essential
set? A substantially harder project.

If the goal is a minimal container image, why use debian at all vs a distribution optimized for that purpose? Running alpine without perl is
already a solved problem...

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, Apr 19, 2025 at 08:05:54PM +0800, Sean Whitton wrote:

I have interpreted scripts that I want to run on any FreeBSD and Debian >machine, because they are part of my OS bootstrapping. What else is
there than POSIX sh for this? Therefore, it's still relevant.

With that requirement, what you really want to know is how to write a
script that works on FreeBSD and Debian--which POSIX can't tell you.
(Neither of those is POSIX certified or fully compliant.) POSIX might be
a starting point, but you'll have to read man pages and figure out the discrepencies. If you're stuck doing that anyway, I seriously question
the value of artificially limiting yourself to what unix tools did 30 or
40 years ago--newer tools or options often let you accomplish tasks much
more efficiently. Maybe it would be worth avoiding those if POSIX really
did let you write once and run anywhere...but it doesn't.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hello,

On Sat 19 Apr 2025 at 09:40am -04, Michael Stone wrote:

On Sat, Apr 19, 2025 at 08:05:54PM +0800, Sean Whitton wrote:

I have interpreted scripts that I want to run on any FreeBSD and Debian >>machine, because they are part of my OS bootstrapping. What else is
there than POSIX sh for this? Therefore, it's still relevant.

With that requirement, what you really want to know is how to write a script that works on FreeBSD and Debian--which POSIX can't tell you. (Neither of those is POSIX certified or fully compliant.) POSIX might be a starting point,
but you'll have to read man pages and figure out the discrepencies. If you're stuck doing that anyway, I seriously question the value of artificially limiting yourself to what unix tools did 30 or 40 years ago--newer tools or options often let you accomplish tasks much more efficiently. Maybe it would be worth avoiding those if POSIX really did let you write once and run anywhere...but it doesn't.

This just hasn't been my experience. You don't need perfect
compatibility (or certification). By restricting myself to the POSIX specifications of sh, awk, find, grep and sed, I've profitably written
several non-trivial programs that work correctly on any FreeBSD install
and any Debian install that wasn't specifically engineered to be
minimal.

--
Sean Whitton

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJNBAEBCgA3FiEEm5FwB64DDjbk/CSLaVt65L8GYkAFAmgDuVgZHHNwd2hpdHRv bkBzcHdoaXR0b24ubmFtZQAKCRBpW3rkvwZiQH7bD/0S+GB2FoqZ3M2UL1UmLQ3R WBwkOQzWRkI50MWoyto6G/BeL9ZiSYMmGiRYSpbbBYlMv4rx6Q65JXN7QKLBVerh jDd4/mb0/hhNMTQH6v0K4zPEAUbt4zaHWHUiRDO6Tbm28IP6QVXedas5vejuxfzP L5na8+R63pW4fHKoxqM2hyfX02P55N/SQWZTsVWdX+A86Rcp20dX7buYdR6cTjSV a1usaWtnW+1k7gzJsd343yI3qRj7qoXMK0l3w32hqDm/qfHm1aTg4QICMFS5gD/2 SimBFdrVtcy8oeFWC/uxsHyjBjPujTnV8M/Q6AE5quhUoGRAmc9bs/mXLThE1HLT at4BmGN7QjLyJ9ak8ANOdKVxpf7Dupu02G3oJTiPaKEjPeRC4VoCEaFGeOvS0PNl erP4FDEItJ3jM1dSBNof1dBk9h2byWTpBbDyhY4l01mXbiG/y5TMzftRilJi7nTe G6ihR+I3ewH7gubmcd9VTvc7L27RWM1wFTumug7ouXNf2bT/4dwQmxQcFlezY6u2 BTfk4IJH5kGwGFJmUq9yrFp+yS4lK14XhG99sx+SmHgu8Mq/Lu4FS4JMc89ikbkx r9rBKkI1TTiFpTW6VNVM6VTYVY1Rhn3pUHGF5WFqAErIsrnfYtRl5Uvt9IIViR9R sKG4DULlD2ELL8iBhW1FNA==H1Nw
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Us

* Michael Stone <[email protected]> [250419 15:47]:

On Fri, Apr 18, 2025 at 10:17:12PM +0100, Jonathan Dowland wrote:

They likely lack perl, as well. Most/all awk usage in maintainer
scripts could probably be replaced with perl. But, if you are in the >>minimizing game, perhaps you'd rather remove perl from the essential
set? A substantially harder project.

If the goal is a minimal container image, why use debian at all vs a >distribution optimized for that purpose? Running alpine without perl
is already a solved problem...

This is true for a lot of things Debian is used for. As an example:
GNOME desktop users could also use Fedora, and the work of
maintaining GNOME in Debian would be saved.

People like to use Debian for a lot of different reasons. Very large
and very small installs are "just" usecases too. When there are enough
people interested (and so on...) in it, it will happen.

Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, Apr 19, 2025 at 10:55:20PM +0800, Sean Whitton wrote:

This just hasn't been my experience. You don't need perfect
compatibility (or certification). By restricting myself to the POSIX >specifications of sh, awk, find, grep and sed, I've profitably written >several non-trivial programs that work correctly on any FreeBSD install
and any Debian install that wasn't specifically engineered to be
minimal.

You happened to pick two of the most compatible OSs--it's not hard to be portable between linux & freebsd *by accident* as there's a long history
of cross-pollination between them. (E.g., coreutils routinely looks to
see what parameters freebsd used when implementing a new feature.)
Expand the problem set to include running on SunOS and AIX and OSX and
QNX and ... and the problem becomes much harder. But if you don't care
about all those oddballs, why limit yourself to POSIX--whose point was
to try to enable that degree of cross-platform interoperability? Stick
to the intersection between linux + freebsd and you instantly get access
to all kinds of wonderful modern things like mktemp without having to
wait for POSIX to tell you it's ok. Conversely, if you expect POSIX from
debian you're going to be disappointed now and then. E.g., POSIX gave up
on trying to unify all the incompatible versions of tar/cpio and created
a new standard archive utility named pax. Which works fine on many non-certified but POSIX-curious OSs like FreeBSD, OSX, OpenIndiana, etc
etc, but you won't find it on a standard debian install. It's just one
of those things where regardless of what standard you are writing to,
you still need to check to see how reality matches the standard.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Apr 19, Michael Stone <[email protected]> wrote:

If the goal is a minimal container image, why use debian at all vs a >distribution optimized for that purpose? Running alpine without perl
is already a solved problem...

Because I want to use a real libc, for a start.

--
ciao,
Marco

-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCaAPHxgAKCRDLPsM64d7X gRYPAP9Oy0In4VVyzTpLyM6uXdFPCGrrKRoKBnqcXAk58xsOVgEAw+k0+bj9ysFI F7kq3VYRRlB0+/CrcXXM7s1z9CTmoAc=
=4cW3
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, Apr 19, 2025 at 04:09:53PM +0200, Chris Hofstaedtler wrote:

* Michael Stone <[email protected]> [250419 15:47]:

If the goal is a minimal container image, why use debian at all vs a >>distribution optimized for that purpose? Running alpine without perl
is already a solved problem...

This is true for a lot of things Debian is used for. As an example:
GNOME desktop users could also use Fedora, and the work of
maintaining GNOME in Debian would be saved.

No, that's not the same at all. Debian is a general purpose OS that can
form the foundation for a lot of variants. But, that flexibility has a
cost, and the cost is size & complexity. /var/lib/apt and /var/lib/dpkg
alone are the size of a minimal linux distribution, without even
accounting for actual executables. You can shrink the minimal set by
making some components replaceable, but for a general purpose OS that
implies the 60k update-alternatives program plus /etc/alternatives plus /var/lib/dpkg/alternatives--all to support reconfiguration that won't
ever happen in a container image. If size alone is the driving
requirement, a general purpose OS like Debian (or Fedora, etc.) isn't
the right starting point.

You *can* build a really small container based on debian by starting
with udebs and ditching package management/interactive
configuration/etc. (Or, many debian container guides advocate a generous
use of rm -rf to get rid of a lot of that stuff after the fact.)
But in that context I don't see the relevance in talking about trimming
stuff from a normal debian base install because the target isn't a
normal debian base install.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Michael Stone wrote:

Debian is a general purpose OS that can form the foundation for a lot
of variants. But, that flexibility has a cost, and the cost is size & complexity. /var/lib/apt and /var/lib/dpkg alone are the size of a
minimal linux distribution, without even accounting for actual
executables. You can shrink the minimal set by making some components replaceable, but for a general purpose OS that implies the 60k update-alternatives program plus /etc/alternatives plus /var/lib/dpkg/alternatives--all to support reconfiguration that won't
ever happen in a container image.

Omitting whole directories like /var/lib/dpkg and /var/lib/apt (for
finalized containers that will never get more packages installed atop
them), or /usr/share/{doc,info,man,locale} (for most containers) is straightforward and easy, and any container optimizing for size starts
there.

And the extra symlinks in `/etc/alternatives` don't take much size; I
agree you don't need update-alternatives, but then, you also don't
strictly need the entire dpkg and apt packages, if you're already
omitting their files under /var/lib.

Omitting other packages is harder, and more error-prone. And that's the
area where `Essential` makes it much harder. If there were explicit dependencies, it'd be a matter of carefully pruning the DAG, rather than
a matter of carefully manually checking what has an unststated
dependency on what.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Josh Triplett <[email protected]> writes:

And the extra symlinks in `/etc/alternatives` don't take much size; I
agree you don't need update-alternatives, but then, you also don't
strictly need the entire dpkg and apt packages, if you're already
omitting their files under /var/lib.

Right -- has anyone considered if Debian should have official containers without apt and dpkg? I think that for many use-cases for containers,
apt and dpkg will not be used and just take up space. Guix packs
(containers) doesn't get Guix installed unless you specify that as a
package you want to have installed (which is usually not necessary), so something like this should be possible.

/Simon

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmgE0OkUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFokqXAQD8A29POmWN z/LS6oOUBjnYQro0p2R5aCn/OW9cIJFPnQEAr9VYK5kSLc0XjoIQS9NMCKLnwFtN XkUVbvYLXX0PKQE=
=wdlo
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 20 Apr 2025 at 12:48:08 +0200, Simon Josefsson wrote:

has anyone considered if Debian should have official containers
without apt and dpkg?

What would those containers be useful for? I would have expected that in
any use-case for a container without apt and dpkg, what you would really
want is whatever "payload" packages are the actual purpose of the
container (for example that might be a database or a web server), plus
the Essential set, minus dpkg and any other Essential packages that are unnecessary for the use-case - but on the way to preparing that, you'd temporarily need apt and dpkg, in order to install the "payload". It
isn't really feasible to do that without knowing in advance what the
"payload" is going to be.

For example, an equivalent of the pseudo-official debian:bookworm image
on Dockerhub, but without dpkg, is unlikely to be directly useful on its
own, because it has neither a "payload" nor a way to install one; but an equivalent of the Debian-based postgres:latest image on Dockerhub
*would* be useful, because the database is useful in its own right.
However, I suspect that Debian is unlikely to want to get into preparing
an image for every possible choice of "payload", or choosing which
servers are important enough to get an official container image and
which ones don't. (It's hard enough to draw a reasonable line between
the desktop environments that get an entry in tasksel and the environments that don't, and we have a lot more servers than desktop environments.)

As some prior art for this, the Steam Linux Runtime containers that I
help to maintain for Valve are Debian derivatives containing various
libraries that are necessary or useful for games, but no dpkg and apt.
The process we use to prepare them is to bootstrap a minbase-like
container, add apt sources for backported packages, install metapackages
that pull in all the libraries we want to support, and finally `dpkg
--purge` any Essential packages that have already served their purpose
(for example we explicitly delete perl-base), with the last package
management step being something along the lines of
`dpkg --force-depends --force-remove-essential --purge dpkg`.

smcv

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Apr 17, 2025 at 01:38:18PM -0700, Josh Triplett wrote:

Simon Josefsson wrote:

Debian trixie images ship with 'mawk' pre-installed right now. While
I'm not convinced the removal game is necessarily a good one, I can
see that it does have some advantages. Is it possible to drop 'mawk'
from the set of default tools in trixie? If not, what are the
blockers? What is the method to find out what the blockers are?

I would *love* to see the Essential set reduced. But I think this is combining a couple of steps, and we'd do better to separate those steps.

One is "should we make dependencies on awk explicit, rather than having
them be implicit and undocumented because awk is Essential".
The other is "should we reduce dependencies on awk".

The latter may or may not happen in any individual case, but I think the former would have a lot of value independently.

The former without the latter is just a lot of wasted work without any benefits.

And with the former
done, we'd have the opportunity to *consider* the latter on a
case-by-case basis, with rationales like "if packages A and B didn't use
awk, then we'd simplify bootstrapping", or "if packages B and C didn't
use awk, it'd be possible for XYZ useful class of minimal systems/containers/VMs to not need it installed".
...

How do you ensure there are no missing dependencies throughout the
archive when this is a situation that cannot happen in practice?

In practice you can do the former only if you have tooling that provides
the latter, contrary to your claim that the former would help with the
latter.

In general, I think this is roughly the right approach for any proposed
work on the Essential set, with the first step being to declare
dependencies explicitly.

It's just a waste of time, especially if the end goal is not defined
from the start.

If someone wants to remove awk from the essential set,
then replacing the far larger sed would also be desirable.

Larry Wall delayed the initial release of Perl until the a2p and s2p
converters for converting from AWK and sed to Perl were completed.
Instead of just annotating dependencies, usage of AWK and sed in the
relevant package set could immediately be replaced with usage of the
essential Perl.

Unless someone wants to get rid of Perl in the essential set,
which is 10 times the size of AWK and sed combined.

The sane starting point would be discussing which tools should be part
of the (transitive) essential set.

Otherwise you might end up with one group of people converting from
AWK to Perl, while another group of people converts from Perl to AWK.

- Josh Triplett

cu
Adrian

BTW: Replacing mawk with original-awk in installs might be a low-hanging
fruit to save 100kB in forky, having original-awk as only AWK
variant installed is already a supported configuration.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Apr 18, 2025 at 08:09:38AM +0200, Helmut Grohne wrote:

...
It leads us to analyzing the effort and impact. Being in the essential
set means that dependencies are not spelled out. So the first step is locating those dependencies. As we will likely not be able to audit
Debian's source code for awk uses in a reasonable amount of time,
empirical methods are likely needed.
* Rebuild the archive with awk dropped and see what fails
* Consider using reproducible builds to additionally see what packages
change as a result of dropping awk (for those that happen to be
reproducible)
...

Tools like awk/sed/perl would have to stay part of the build
essential set if they get dropped from the essential set.

Example:
/usr/share/aclocal/libtool.m4:AC_REQUIRE([AC_PROG_AWK])dnl

Helmut

cu
Adrian

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

El 20/4/25 a las 13:56, Adrian Bunk escribió:

The former without the latter is just a lot of wasted work without any benefits.

I also agree that removing awk in the normal Debian distribution is a waste
of time.

If somebody wants to create a minimal container based on Debian, static
in nature, which does not need to be upgraded using apt, etc. there
are a lot of things that could be done before dropping awk, and those
things do not need to propagate to the normal distribution.

BTW: Replacing mawk with original-awk in installs might be a low-hanging
fruit to save 100kB in forky, having original-awk as only AWK
variant installed is already a supported configuration.

Yes, I was going to suggest that to those for which 263KB in a container
is too much.

Thanks.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Apr 20, 2025 at 12:48:08PM +0200, Simon Josefsson wrote:

Josh Triplett <[email protected]> writes:

And the extra symlinks in `/etc/alternatives` don't take much size; I
agree you don't need update-alternatives, but then, you also don't
strictly need the entire dpkg and apt packages, if you're already
omitting their files under /var/lib.

Right -- has anyone considered if Debian should have official containers without apt and dpkg? I think that for many use-cases for containers,
apt and dpkg will not be used and just take up space. Guix packs (containers) doesn't get Guix installed unless you specify that as a
package you want to have installed (which is usually not necessary), so something like this should be possible.

The tricky part of that would be that you then couldn't use that
container image as a base and install any further packages. Offering a
"stock" container image without dpkg and apt would mean that the
container image has to *already* have everything installed that people
using the container need. (By contrast, if someone is installing their
own container they could then finalize it by removing dpkg and apt and
other things not needed at runtime.)

I think it's a good idea to support this case, but I would ideally want
to support it in tools that people use to build containers. For
instance, suppose we had an mmdebstrap option to purge dpkg and apt and associated paraphernalia, after installing everything needed.

On a slightly related note, one of these days I'd love to figure out how
we could stop systematically installing /usr/share/lintian/overrides *in
binary packages*, and move them to some form of metadata that doesn't
get installed. It's easy enough to exclude that directory, but doing so shouldn't be necessary in the first place; those overrides only have
value when running lintian on the package, not when installing the
package normally.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Apr 20, 2025 at 02:56:58PM +0300, Adrian Bunk wrote:

On Thu, Apr 17, 2025 at 01:38:18PM -0700, Josh Triplett wrote:

Simon Josefsson wrote:

Debian trixie images ship with 'mawk' pre-installed right now. While
I'm not convinced the removal game is necessarily a good one, I can
see that it does have some advantages. Is it possible to drop 'mawk' from the set of default tools in trixie? If not, what are the
blockers? What is the method to find out what the blockers are?

I would *love* to see the Essential set reduced. But I think this is combining a couple of steps, and we'd do better to separate those steps.

One is "should we make dependencies on awk explicit, rather than having them be implicit and undocumented because awk is Essential".
The other is "should we reduce dependencies on awk".

The latter may or may not happen in any individual case, but I think the former would have a lot of value independently.

The former without the latter is just a lot of wasted work without any benefits.

[...]

In general, I think this is roughly the right approach for any proposed work on the Essential set, with the first step being to declare dependencies explicitly.

It's just a waste of time, especially if the end goal is not defined
from the start.

What I'm suggesting here is that if every individual package that needs
awk has a Depends on it (via a package that allows switching
implementations), rather than relying on Essential, then it becomes
possible to make incremental progress, and that incremental progress
benefits people who are willing to carefully remove some of what Debian normally always has installed packages.

If you're already building the kind of container that will want to
remove dpkg and apt (among other things) when you're done building it,
it'd be nice to have dependency metadata that helps you figure out what
is and isn't still used. That's useful even if not everything eliminates
its dependencies yet.

By way of example: e2fsprogs uses awk (in e2scrub), but many container
builders will remove that package (or never install it in the first
place), so it's not particularly important to do anything about its
dependency on awk, *other than declaring it*. If other, harder-to-remove packages manage to stop using awk, then awk becomes removable, in a less error-prone way.

If someone wants to remove awk from the essential set,
then replacing the far larger sed would also be desirable.

[...]

Unless someone wants to get rid of Perl in the essential set,
which is 10 times the size of AWK and sed combined.

That would be ideal, yeah.

The sane starting point would be discussing which tools should be part
of the (transitive) essential set.

In an ideal world, rather than trying to pick which of sed/awk/perl/etc
are used in the core tools of Debian, one path would be to turn many
such core tools into compiled programs.

Another would be to identify tools that are only used *during
installation or upgrade* but are never needed by the running system
(e.g. `update-initramfs`), and make it easier to remove those. There'd
be no particular need to prioritize removing the usage of awk/sed/perl/python/etc from such tools.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Apr 20, 2025 at 06:25:53PM +0100, Josh Triplett wrote:

Debian trixie images ship with 'mawk' pre-installed right now. While
I'm not convinced the removal game is necessarily a good one, I can
see that it does have some advantages. Is it possible to drop 'mawk'
from the set of default tools in trixie? If not, what are the
blockers? What is the method to find out what the blockers are?

I would *love* to see the Essential set reduced. But I think this is
combining a couple of steps, and we'd do better to separate those steps. >> >
One is "should we make dependencies on awk explicit, rather than having
them be implicit and undocumented because awk is Essential".
The other is "should we reduce dependencies on awk".

The latter may or may not happen in any individual case, but I think the >> > former would have a lot of value independently.

The former without the latter is just a lot of wasted work without any
benefits.

[...]

In general, I think this is roughly the right approach for any proposed
work on the Essential set, with the first step being to declare
dependencies explicitly.

It's just a waste of time, especially if the end goal is not defined
from the start.

What I'm suggesting here is that if every individual package that needs
awk has a Depends on it (via a package that allows switching >implementations), rather than relying on Essential, then it becomes
possible to make incremental progress, and that incremental progress
benefits people who are willing to carefully remove some of what Debian >normally always has installed packages.

Should we start declaring deps on all essential packages explicitly?

--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmgFO0gtFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh u34P/RjfQUwAiW++pib4uWQwJI/aQ/tHZp9utJmuKtAb4KpnXe0cYe2OxyttcR6z G7r8hrpOz6mzzNJbowj3R/gzNTZzghiS5Cl9RgddoFvl3+TNIgo4VhuoyDo2uZnl LduxAKzGYn2xEfJe7fxJ4J+sv7BSKDkX9+oWvMb5eAZ9BREsarhrkNsKxue/1ru5 ktYDIXZJspiwJhtCC6UvvfipnnpTPg9+nyqm93Zn/JY1Re4canMttKNl7JL0yVRU wgCoaLSKKh48ZFnZmWxNI4d4ZkDlycIXEbStoHFrXD88wQAe9MwA0dhhBYw1m6by pMuTQ+M/jMciEAsyu10TWPoZIqqxccI9q5WeRsmHURUR18BCPNVGp/gmhLT0iOGq +2nEhfRif+Rn5gIEyZVO67+lZff4yiz5sAKgVAQ/IVThDmWzCArG4H+glptnwpCD ApgZnU5kyfoQFRsU6hapoWtiobOfnSP2lQM6Q+ikvBiR67aIgUTGExjJyDgpV1N5 6sQS6KjHM2LsNM6B31ze2UBJjeBo8Icsl6Qj9Lfrmc1O/Y8WiGXTyChPlXL1rEHd S1WR9RbOLBDIRN89zO0hIKaIgS/e87Inw/53OGDiwvy2DKzrXnxy9IUzGIhCMLB5 JcozLpQBPSTQCmuDSNPewjX/wl0btm6gg99fOZFUq+2H4Rnv
=16Ml
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Apr 20, 2025 at 06:05:13PM +0100, Josh Triplett wrote:

On Sun, Apr 20, 2025 at 12:48:08PM +0200, Simon Josefsson wrote:

Josh Triplett <[email protected]> writes:

And the extra symlinks in `/etc/alternatives` don't take much size; I agree you don't need update-alternatives, but then, you also don't strictly need the entire dpkg and apt packages, if you're already omitting their files under /var/lib.

Right -- has anyone considered if Debian should have official containers without apt and dpkg? I think that for many use-cases for containers,
apt and dpkg will not be used and just take up space. Guix packs (containers) doesn't get Guix installed unless you specify that as a package you want to have installed (which is usually not necessary), so something like this should be possible.

The tricky part of that would be that you then couldn't use that
container image as a base and install any further packages. Offering a "stock" container image without dpkg and apt would mean that the
container image has to *already* have everything installed that people
using the container need. (By contrast, if someone is installing their
own container they could then finalize it by removing dpkg and apt and
other things not needed at runtime.)

I think it's a good idea to support this case, but I would ideally want
to support it in tools that people use to build containers. For
instance, suppose we had an mmdebstrap option to purge dpkg and apt and associated paraphernalia, after installing everything needed.
...

This would be for the use case where a user does not want to be able to
install security updates, but does need binary compatibility with Debian.

That's a rare use case.

When binary compatibility is not required, source-based distributions
will always provide smaller images with slightly better performance.

cu
Adrian

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Apr 20, 2025 at 08:58:29PM +0300, Adrian Bunk wrote:

On Sun, Apr 20, 2025 at 06:05:13PM +0100, Josh Triplett wrote:

On Sun, Apr 20, 2025 at 12:48:08PM +0200, Simon Josefsson wrote:

Josh Triplett <[email protected]> writes:

And the extra symlinks in `/etc/alternatives` don't take much size; I agree you don't need update-alternatives, but then, you also don't strictly need the entire dpkg and apt packages, if you're already omitting their files under /var/lib.

Right -- has anyone considered if Debian should have official containers without apt and dpkg? I think that for many use-cases for containers, apt and dpkg will not be used and just take up space. Guix packs (containers) doesn't get Guix installed unless you specify that as a package you want to have installed (which is usually not necessary), so something like this should be possible.

The tricky part of that would be that you then couldn't use that
container image as a base and install any further packages. Offering a "stock" container image without dpkg and apt would mean that the
container image has to *already* have everything installed that people using the container need. (By contrast, if someone is installing their
own container they could then finalize it by removing dpkg and apt and other things not needed at runtime.)

I think it's a good idea to support this case, but I would ideally want
to support it in tools that people use to build containers. For
instance, suppose we had an mmdebstrap option to purge dpkg and apt and associated paraphernalia, after installing everything needed.
...

This would be for the use case where a user does not want to be able to install security updates,

With this style of container use case, you handle security updates (or
any other package version upgrade) by creating a new container with the
new package versions, and deplying that new container. That doesn't
require having apt or dpkg in the container.

but does need binary compatibility with Debian.

Or is just familiar with Debian, appreciates the variety of packages and
the maintenance and stability, and prefers to use it as their base.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Andrey Rakhmatullin wrote:

Should we start declaring deps on all essential packages explicitly?

I personally think that would be a good idea, though I'm not currently
trying to make the case for that across the board here. Right now, I'm
trying to make the case that that's a good first step for any packages
people might want to work on making optional. I doubt that anyone is
likely to make coreutils non-essential anytime soon (though the ability
to replace it with smaller alternatives would be nice), but on the other
hand, tools like perl-base, awk, and sed would be a lot more
feasible, as well as some higher-level things like ncurses-bin and
ncurses-base (not typically needed for systems that don't support
logins).

From what I've seen, there are two arguments for Essential:

1) Shrinking the Packages file. This is something that good compression
handles quite well, and it's not obvious that it provides much of a
win. And if we *really* care about shrinking the Packages file,
there's a lot of low-hanging fruit there: MD5sum, tags
(https://lists.debian.org/debian-devel/2023/11/msg00226.html), and
several others. Eliminating MD5sum alone would save more than 1MB of
*compressed* size from the currently ~8MB Packages.xz. And the names
of common packages are *much* more compressible than MD5sums. :)

2) Maintenance: missing dependencies are hard to track and test. But
these days, we have much more automatic testing infrastructure, much
more install/upgrade/removal testing infrastructure, and many other
things. And note, in particular, that there's nothing stopping us
from adding some of these packages to *Build-Essential* at the same
time we dropped them from Essential, for convenience.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Apr 20, 2025 at 07:44:34PM +0100, Josh Triplett wrote:

On Sun, Apr 20, 2025 at 08:58:29PM +0300, Adrian Bunk wrote:

On Sun, Apr 20, 2025 at 06:05:13PM +0100, Josh Triplett wrote:

On Sun, Apr 20, 2025 at 12:48:08PM +0200, Simon Josefsson wrote:

Josh Triplett <[email protected]> writes:

And the extra symlinks in `/etc/alternatives` don't take much size; I agree you don't need update-alternatives, but then, you also don't strictly need the entire dpkg and apt packages, if you're already omitting their files under /var/lib.

Right -- has anyone considered if Debian should have official containers
without apt and dpkg? I think that for many use-cases for containers, apt and dpkg will not be used and just take up space. Guix packs (containers) doesn't get Guix installed unless you specify that as a package you want to have installed (which is usually not necessary), so something like this should be possible.

The tricky part of that would be that you then couldn't use that container image as a base and install any further packages. Offering a "stock" container image without dpkg and apt would mean that the container image has to *already* have everything installed that people using the container need. (By contrast, if someone is installing their own container they could then finalize it by removing dpkg and apt and other things not needed at runtime.)

I think it's a good idea to support this case, but I would ideally want to support it in tools that people use to build containers. For
instance, suppose we had an mmdebstrap option to purge dpkg and apt and associated paraphernalia, after installing everything needed.
...

This would be for the use case where a user does not want to be able to install security updates,

With this style of container use case, you handle security updates (or
any other package version upgrade) by creating a new container with the
new package versions, and deplying that new container. That doesn't
require having apt or dpkg in the container.

but does need binary compatibility with Debian.

Or is just familiar with Debian, appreciates the variety of packages and
the maintenance and stability, and prefers to use it as their base.

Container size is obviously not a priority for such users.

cu
Adrian

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Apr 20, 2025 at 10:12:24PM +0300, Adrian Bunk wrote:

Container size is obviously not a priority for such users.

That is incorrect. Many, many users use Debian as the basis for
containers, and many such users care about container size, sufficiently
so to work on reducing it. You are suggesting that because they want to
use Debian, they don't care at all; I'm observing that they want to use
Debian and they care enough to try to make Debian better.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Apr 20, Josh Triplett <[email protected]> wrote:

On a slightly related note, one of these days I'd love to figure out how
we could stop systematically installing /usr/share/lintian/overrides *in >binary packages*, and move them to some form of metadata that doesn't
get installed.

Yes please! This is why I almost never add overrides to binary packages.
It's terminally stupid to waste space on all Debian systems in the world because our tooling is suboptimal.

--
ciao,
Marco

-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCaAVPOgAKCRDLPsM64d7X gTIMAQD/UPQ07o2aVS3kRrLobnAsFdBwXqb+fTb1n54jID0QZAEA2hWQk03DSU3n r0LbvvVYdig2e04qJ3QMEfrV6DQQAgM=
=RQ7f
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Apr 20, Adrian Bunk <[email protected]> wrote:

With embedded distributions a whole system of bootloader, kernel and >userspace easily fits on 16 MB flash, even when including bloated stuff
like glibc and systemd, with plenty of space left for the application
that should run on the device.
You can't do that with Debian.

No, because the goal is to be able to use the whole Debian packages
ecosystem.

--
ciao,
Marco

-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCaAVZOQAKCRDLPsM64d7X gf9pAQCJB3WA/SadsG+6QeI1F/3m18LqYH7lw4JcYc/odWlYwgD+J0PQyMJBHIaR LneW5Zb1t5UxZ9vnwkx4Yul25T5IJgI=
=jz51
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Apr 20, 2025 at 06:25:53PM +0100, Josh Triplett wrote:

On Sun, Apr 20, 2025 at 02:56:58PM +0300, Adrian Bunk wrote:

On Thu, Apr 17, 2025 at 01:38:18PM -0700, Josh Triplett wrote:

Simon Josefsson wrote:

Debian trixie images ship with 'mawk' pre-installed right now. While I'm not convinced the removal game is necessarily a good one, I can
see that it does have some advantages. Is it possible to drop 'mawk' from the set of default tools in trixie? If not, what are the blockers? What is the method to find out what the blockers are?

I would *love* to see the Essential set reduced. But I think this is combining a couple of steps, and we'd do better to separate those steps.

One is "should we make dependencies on awk explicit, rather than having them be implicit and undocumented because awk is Essential".
The other is "should we reduce dependencies on awk".

The latter may or may not happen in any individual case, but I think the former would have a lot of value independently.

The former without the latter is just a lot of wasted work without any benefits.

[...]

In general, I think this is roughly the right approach for any proposed work on the Essential set, with the first step being to declare dependencies explicitly.

It's just a waste of time, especially if the end goal is not defined
from the start.

What I'm suggesting here is that if every individual package that needs
awk has a Depends on it (via a package that allows switching implementations), rather than relying on Essential, then it becomes
possible to make incremental progress, and that incremental progress
benefits people who are willing to carefully remove some of what Debian normally always has installed packages.

If you're already building the kind of container that will want to
remove dpkg and apt (among other things) when you're done building it,
it'd be nice to have dependency metadata that helps you figure out what
is and isn't still used. That's useful even if not everything eliminates
its dependencies yet.

If you have no need to install security updates and want a really small
system, then Debian is simply not the right choice.

With embedded distributions a whole system of bootloader, kernel and
userspace easily fits on 16 MB flash, even when including bloated stuff
like glibc and systemd, with plenty of space left for the application
that should run on the device.
You can't do that with Debian.

Being able to remove libsystemd0 would save multiple times of what
you would save by removing AWK, your time would be better spent on
requesting the creation of packages like util-linux-nosystemd instead
of making dependencies on AWK explicit.

Trying to save < 1% space by removing AWK in situations where
Debian is anyway the wrong choice does not make much sense.

By way of example: e2fsprogs uses awk (in e2scrub), but many container builders will remove that package (or never install it in the first
place), so it's not particularly important to do anything about its dependency on awk, *other than declaring it*. If other, harder-to-remove packages manage to stop using awk, then awk becomes removable, in a less error-prone way.
...

"harder-to-remove packages manage to stop using awk" is such awfully
passive language.

Let's rather talk about what Debian should officially support,
and how Josh Triplett plans to implement it.

Trying to officially support removing essential packages sounds to me
like a maintainance nightmare with little benefit, you have to do some explaining how you will keep this maintainable when you do it.

cu
Adrian

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Michael Lazin wrote:

I think removing awk is a bad idea. It will break legacy scripts as
has already been suggested. I am mostly an observer on this list and
say very little but I think that awk is used by a lot of people. I
used it in a script that analyzed mail logs for example. It was
previously written in perl but I redid it in bash with awk and it ran
faster.

Nobody in this thread is proposing removing awk from the
default-installed set of packages in Debian. Removing "Essential: yes"
from it would mean that some small and very deliberately constructed
system images would do without it. A default or even minimal Debian
install via d-i or debootstrap or mmdebstrap *would* include awk, and
your script would continue to run just fine. If you ever had a system
without awk, it would be because you removed awk, or deliberately
constructed a system that omitted it.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Apr 20, 2025 at 10:56:49PM +0300, Adrian Bunk wrote:

On Sun, Apr 20, 2025 at 06:25:53PM +0100, Josh Triplett wrote:

On Sun, Apr 20, 2025 at 02:56:58PM +0300, Adrian Bunk wrote:

On Thu, Apr 17, 2025 at 01:38:18PM -0700, Josh Triplett wrote:

Simon Josefsson wrote:

Debian trixie images ship with 'mawk' pre-installed right now. While I'm not convinced the removal game is necessarily a good one, I can see that it does have some advantages. Is it possible to drop 'mawk' from the set of default tools in trixie? If not, what are the blockers? What is the method to find out what the blockers are?

I would *love* to see the Essential set reduced. But I think this is combining a couple of steps, and we'd do better to separate those steps.

One is "should we make dependencies on awk explicit, rather than having them be implicit and undocumented because awk is Essential".
The other is "should we reduce dependencies on awk".

The latter may or may not happen in any individual case, but I think the
former would have a lot of value independently.

The former without the latter is just a lot of wasted work without any benefits.

[...]

In general, I think this is roughly the right approach for any proposed work on the Essential set, with the first step being to declare dependencies explicitly.

It's just a waste of time, especially if the end goal is not defined
from the start.

What I'm suggesting here is that if every individual package that needs
awk has a Depends on it (via a package that allows switching implementations), rather than relying on Essential, then it becomes possible to make incremental progress, and that incremental progress benefits people who are willing to carefully remove some of what Debian normally always has installed packages.

If you're already building the kind of container that will want to
remove dpkg and apt (among other things) when you're done building it,
it'd be nice to have dependency metadata that helps you figure out what
is and isn't still used. That's useful even if not everything eliminates its dependencies yet.

If you have no need to install security updates

You said this elsewhere in the thread, but it's not correct there or
here: you absolutely *do* install security updates for a container, by installing a new container with new versions of packages.

With embedded distributions a whole system of bootloader, kernel and userspace

Containers typically don't have either a bootloader or a kernel, and
often don't have an init either.

By way of example: e2fsprogs uses awk (in e2scrub), but many container builders will remove that package (or never install it in the first
place), so it's not particularly important to do anything about its dependency on awk, *other than declaring it*. If other, harder-to-remove packages manage to stop using awk, then awk becomes removable, in a less error-prone way.
...

"harder-to-remove packages manage to stop using awk" is such awfully
passive language.

Let's rather talk about what Debian should officially support,
and how Josh Triplett plans to implement it.

I would be more than happy to work on it, in collaboration with others proposing such changes. I expect that such work consists of 10% doing
careful archive-wide scans to detect usage of packages, 10% writing
tooling, 5% writing relatively small patches, and 75% discussion threads
having to defend the value of such work from people who have no interest
in working on it themselves but spend a lot of energy telling other
people it's a waste of time.

I would also be thrilled to write patches to Policy, establishing a very
clear process for *carefully* reducing the Essential set in step-by-step
ways. For instance, I'd try to revive a past Policy patch I wrote adding
an exception to the policy against depending on Essential packages.

And personally, I'd likely start by putting together a `dh-shelldeps`,
which parses shell the way that things like shellcheck does, does a
rough approximation of "what is every program invoked by every shell
script in the package", and looks that up in `shelldeps` metadata
analogous to `shlibdeps`.

Trying to officially support removing essential packages sounds to me
like a maintainance nightmare with little benefit, you have to do some explaining how you will keep this maintainable when you do it.

I expect it'll be maintained in much the same way most features in
Debian are maintained: the people who use it will submit patches, report
bugs when it doesn't work, and if they spend too much time reporting
those bugs or find it breaking more often than they'd like, they'll
implement more tooling (e.g. lintian checks, archive scans).

Right now, by way of example, if your package needs tzdata, and you fail
to depend on it, and because you have that package installed you don't
happen to notice, and you don't have autopkgtests that exercise that
part of the code, then there's very little to catch that. I don't think
this will be any worse than that, in practice, and we already deal with
that for e.g. `Priority: important` packages without substantial issues.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2025-04-20 Josh Triplett <[email protected]> wrote:

Andrey Rakhmatullin wrote:

Should we start declaring deps on all essential packages explicitly?

I personally think that would be a good idea, though I'm not currently
trying to make the case for that across the board here. Right now, I'm

[...]

From what I've seen, there are two arguments for Essential:

1) Shrinking the Packages file. This is something that good compression
handles quite well, and it's not obvious that it provides much of a
win. And if we *really* care about shrinking the Packages file,
there's a lot of low-hanging fruit there: MD5sum, tags
(https://lists.debian.org/debian-devel/2023/11/msg00226.html), and
several others. Eliminating MD5sum alone would save more than 1MB of
*compressed* size from the currently ~8MB Packages.xz. And the names
of common packages are *much* more compressible than MD5sums. :)

2) Maintenance: missing dependencies are hard to track and test. But
these days, we have much more automatic testing infrastructure, much
more install/upgrade/removal testing infrastructure, and many other
things. And note, in particular, that there's nothing stopping us
from adding some of these packages to *Build-Essential* at the same
time we dropped them from Essential, for convenience.

This has already come up, but I think it is worth noting more
prominently. There is a third important use case:

3) Essential packages can be used in preinst and postrm
maintainer-scripts. (The former usage can be made explicit mit
Pre-Depends, the latter would need to be dropped if a command lost
Essential status.)

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

CgpPbiBBcHIgMjEsIDIwMjUgMDM6NDIsIEpvc2ggVHJpcGxldHQgPGpvc2hAam9zaHRyaXBsZXR0 Lm9yZz4gd3JvdGU6Cgo+Cgo+IE9uIFN1biwgQXByIDIwLCAyMDI1IGF0IDEwOjEyOjI0UE0gKzAz MDAsIEFkcmlhbiBCdW5rIHdyb3RlOiAKCj4gPiBDb250YWluZXIgc2l6ZSBpcyBvYnZpb3VzbHkg bm90IGEgcHJpb3JpdHkgZm9yIHN1Y2ggdXNlcnMuIAoKPgoKPiBUaGF0IGlzIGluY29ycmVjdC4g TWFueSwgbWFueSB1c2VycyB1c2UgRGViaWFuIGFzIHRoZSBiYXNpcyBmb3IgCgo+IGNvbnRhaW5l cnMsIGFuZCBtYW55IHN1Y2ggdXNlcnMgY2FyZSBhYm91dCBjb250YWluZXIgc2l6ZSwgc3VmZmlj aWVudGx5IAoKPiBzbyB0byB3b3JrIG9uIHJlZHVjaW5nIGl0LgoKCkkgYWdyZWUgdGhhdCByZWR1 Y2luZyBvdXIgZm9vdHByaW50IGlzIGltcG9ydGFudC4gQnV0IG5vdCBvbmx5IGZvciBjb250YWlu ZXJzLiBJJ2QgbG92ZSBpdCBpZiBvdXIgYmFzZSBjbG91ZCBpbWFnZSB3YXMgc21hbGxlciB0b28u IEl0IGN1cnJlbnRseSBpcyBhIHdheSBiaWdnZXIgdGhhbiBpdCB1c2VkIHRvICgzMjlNIGZvciB0 aGUgZ2VuZXJpYyBjbG91ZCBxY293IGltYWdlKSwgSSBkb24ndCBrbm93IHdoeS4uLgoKClRob21h cyBHb2lyYW5kCgoK PGh0bWw+PGJvZHk+PGJyPjxkaXYgZGlyPSJsdHIiPk9uIEFwciAyMSwgMjAyNSAwMzo0MiwgSm9z aCBUcmlwbGV0dCAmbHQ7am9zaEBqb3NodHJpcGxldHQub3JnJmd0OyB3cm90ZTo8L2Rpdj4KPGRp diBkaXI9Imx0ciI+Jmd0OzwvZGl2Pgo8ZGl2IGRpcj0ibHRyIj4mZ3Q7IE9uIFN1biwgQXByIDIw LCAyMDI1IGF0IDEwOjEyOjI0UE0gKzAzMDAsIEFkcmlhbiBCdW5rIHdyb3RlOiA8L2Rpdj4KPGRp diBkaXI9Imx0ciI+Jmd0OyAmZ3Q7IENvbnRhaW5lciBzaXplIGlzIG9idmlvdXNseSBub3QgYSBw cmlvcml0eSBmb3Igc3VjaCB1c2Vycy4gPC9kaXY+CjxkaXYgZGlyPSJsdHIiPiZndDs8L2Rpdj4K PGRpdiBkaXI9Imx0ciI+Jmd0OyBUaGF0IGlzIGluY29ycmVjdC4gTWFueSwgbWFueSB1c2VycyB1 c2UgRGViaWFuIGFzIHRoZSBiYXNpcyBmb3IgPC9kaXY+CjxkaXYgZGlyPSJsdHIiPiZndDsgY29u dGFpbmVycywgYW5kIG1hbnkgc3VjaCB1c2VycyBjYXJlIGFib3V0IGNvbnRhaW5lciBzaXplLCBz dWZmaWNpZW50bHkgPC9kaXY+CjxkaXYgZGlyPSJsdHIiPiZndDsgc28gdG8gd29yayBvbiByZWR1 Y2luZyBpdC48L2Rpdj4KPGJyPjxkaXYgZGlyPSJsdHIiPkkgYWdyZWUgdGhhdCByZWR1Y2luZyBv dXIgZm9vdHByaW50IGlzIGltcG9ydGFudC4gQnV0IG5vdCBvbmx5IGZvciBjb250YWluZXJzLiBJ JiMzOTtkIGxvdmUgaXQgaWYgb3VyIGJhc2UgY2xvdWQgaW1hZ2Ugd2FzIHNtYWxsZXIgdG9vLiBJ dCBjdXJyZW50bHkgaXMgYSB3YXkgYmlnZ2VyIHRoYW4gaXQgdXNlZCB0byAoMzI5TSBmb3IgdGhl IGdlbmVyaWMgY2xvdWQgcWNvdyBpbWFnZSksIEkgZG9uJiMzOTt0IGtub3cgd2h5Li4uPC9kaXY+ Cjxicj48ZGl2IGRpcj0ibHRyIj5UaG9tYXMgR29pcmFuZDwvZGl2Pgo8YnI+PC9ib2R5PjwvaHRt bD4=

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

* Josh Triplett <[email protected]> [250421 03:07]:

Let's rather talk about what Debian should officially support,
and how Josh Triplett plans to implement it.

I would be more than happy to work on it, in collaboration with others >proposing such changes. I expect that such work consists of 10% doing
careful archive-wide scans to detect usage of packages, 10% writing
tooling, 5% writing relatively small patches,

and 75% discussion threads
having to defend the value of such work from people who have no interest
in working on it themselves but spend a lot of energy telling other
people it's a waste of time.

This part seems a problem indeed.

Nevertheless, the people that are interested do exist. I also
observe that various current efforts in Debian work towards making
this easier, even if they start with a different proposition /
cause.

I would suggest you hit up some of the current maintainers of
Essential: yes packages, and leave the naysayers on d-devel to
themselves.

Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Apr 20, 2025 at 12:48:08PM +0200, Simon Josefsson wrote:

Right -- has anyone considered if Debian should have official containers without apt and dpkg? I think that for many use-cases for containers,
apt and dpkg will not be used and just take up space. Guix packs (containers) doesn't get Guix installed unless you specify that as a
package you want to have installed (which is usually not necessary), so something like this should be possible.

ask not what your distribution could do for you, ask what you could do for
your distribution!? IOW, i'm sure some people will have considered doing
this, some might even do it "somewhere", just appearantly noone has made
this happen for the existing Debian container projects...


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

There has never been a time when the people who've banned books were the good ones.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmgGMg4ACgkQCRq4Vgaa qhyUig/6AwtzAMaTQZVDFe+0Pjx5YUOHoMXhWXyZhq8Cw17VdPx7LpjjVCZ4wjYO mPSxyYO6p7cwvuO92we1z3OmdWncHihDOIsGFl85074FK1oIh5wHLuCOHn55iuGr tD1sFPrr3biuzYxgqokqwGqFaBPUyPBmb4z0zWRzy3ne2+7dpbL0QFz1+u+1TGz/ 6JTh5HC68U8jlSaGWKNT/Nma6vm2jO11jupX0Fyk0AmMv2If+kfGbXNdvCuFx+/M zD7+SRYxuflWpxSBToKMtXf4hzwj1bd0PAHNYM6fVUblP6WALfaGZUjLoRMGeUWh x/Te2bLH1zf5AYy1K5237QHe24ITO5nqan//dCWOWo+6CzCmxXbq0r0QGLTbQ6iW ib0qxVUwLsydFYXWyG91LHR3M3llyrjbp/EVpQulO3FSDTwoWUVHsWGwgkpEZGNo wn6S4AL8a0pCGDtqh85OtWmEx/7SxDxVlL96sRNPAc9eOVQszFR2GU/Z551hrPdK +aUSpiYQLFcBvcsK80EUoe71shOD00jdbAf+bMyPsKgXLi7ExObmWEztY//yPlU6 EknA84WFB07KT9g2bD17k2Wxfrij

El 21/4/25 a las 14:02, Chris Hofstaedtler escribió:

I would suggest you hit up some of the current maintainers of Essential: yes packages, and leave the naysayers on d-devel to themselves.

Note that there might be some overlap in those two sets of people.

The set of currently essential packages, and the fact that awk is among them
in particular, reflects a consensus which may be seen as nearly "foundational".

Consensus is not sacred and everything is open to discussion, but extraordinary breakages of consensus (like this one) should require extraordinary benefits,
and in this case we are talking about 263KB in a container image several
orders of magnitude bigger.

Also, while the idea of Josh might sound good in theory (adding dependencies will not harm anybody, we just want to see the dependencies explicit),
it might create some undeserved pressure on maintainers to stop using awk.

In some cases I'm sure that it would be easy to rewrite the code, but in
some others the alternate construction may be a lot less readable, and
overall worse.

Note also that the base system and the container images are expected
to grow over time, because everything grows over time, but machines
hosting those container images also grow over time, so one would
naturally wonder why awk has become a problem now when it was never
a problem due to its extremely small size.

My modest proposal here after trixie, if there is a consensus that
it's a good step, would be to replace mawk by original-awk in the
base system and see what can we learn from that. I would see that
little change as something similar to what we did with /bin/sh
being replaced by dash to ensure compatibility and standards
compliance (back then, we discovered some bashisms, and we either
rewrote them to be sh-compliant or used #!/bin/bash instead, and
everybody was happy with those little incremental changes). I don't
think we have many mawk-isms in the distribution, but this would be
an opportunity to check if all AWKs are really interchangeable.

Thanks.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

* Santiago Vila <[email protected]> [250421 14:51]:

El 21/4/25 a las 14:02, Chris Hofstaedtler escribió:

I would suggest you hit up some of the current maintainers of Essential: yes packages, and leave the naysayers on d-devel to themselves.

Note that there might be some overlap in those two sets of people.

The set of currently essential packages, and the fact that awk is among them >in particular, reflects a consensus which may be seen as nearly "foundational".

Consensus is not sacred and everything is open to discussion, but extraordinary breakages of consensus (like this one) should require extraordinary benefits,
and in this case we are talking about 263KB in a container image several >orders of magnitude bigger.

I understood Josh's mail to include more than just awk, and that awk
should probably not be the first package on the list to tackle.

It will be a long journey anyway.

[..]

Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 17 Apr 2025, Josh Triplett wrote:

One is "should we make dependencies on awk explicit, rather than having
them be implicit and undocumented because awk is Essential".
The other is "should we reduce dependencies on awk".

One of the things I dislike about awk being in the essential set is the
weird effect that dependencies on awk are hidden unless a package
depends on a particular implementation for some reason.

Some packages have a dependency on awk via the individual variants,
prettyping being one where I think it is probably pointless in practice.

i3lock-fancy is more weird as it also includes versions of "awk" that
don't satisfy awk.

More than half of packages that depend on mawk also depend on gawk,
which I guess is saying that they don't work with original-awk (except
for the packages that depend on all 3)

And gawk is definitely the winner in packages that require that specific implementation. (I've not checked for non awk satisfying options)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

El 21/4/25 a las 15:39, G. Branden Robinson escribió:

original-awk's man page admits to one area of POSIX-nonconformance:

BUGS
...
POSIX‐standard interval expressions in regular expressions are not
supported.

...which I think weakens the case for your proposal helping us to have
AWK scripts that don't exercise extensions to POSIX. (But maybe the
newer original-awk that supports CSV data--a non-POSIX extension--fixes that.)

Yes, maybe, I have not checked if/when they fixed that, but the line you
quote about interval expressions is no longer present in stable.
(I infer that you are you reading the manpage for bullseye?)

Thanks.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, Apr 21, 2025 at 08:39:18AM -0500, G. Branden Robinson wrote:

...
original-awk's man page admits to one area of POSIX-nonconformance:

BUGS
...
POSIX‐standard interval expressions in regular expressions are not
supported.

...which I think weakens the case for your proposal helping us to have
AWK scripts that don't exercise extensions to POSIX. (But maybe the
newer original-awk that supports CSV data--a non-POSIX extension--fixes that.)

I wonder if it'd be less effort to _review_ what AWK scripts we have
in maintainer scripts for satisfiability by any POSIX-conforming AWK.
How many can there be? </Jeremy Clarkson>

POSIX doesn't matter here, awk has is a virtual essential package and
having original-awk installed as sole implementation has been supported
for decades.

Like with most essential tools the subset of functionality that is used
by the vast majority of users is pretty small, and often not well
aligned with what is in POSIX.

The few packages that are not happy with original-awk already use mawk
or gawk explicitly.

It is possible that more awk usage that doesn't work with original-awk
is found when changing the default, but I would be surprised if this
would uncover a large number of bugs.

Regards,
Branden
...

cu
Adrian

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hello,

On Sat 19 Apr 2025 at 11:42am -04, Michael Stone wrote:

You happened to pick two of the most compatible OSs--it's not hard to
be portable between linux & freebsd *by accident* as there's a long
history of cross-pollination between them. (E.g., coreutils routinely
looks to see what parameters freebsd used when implementing a new
feature.)

Fair point, though, I also use these programs on some NetBSD systems,
and my experience was that until I started paying attention to POSIX I
was continually using various features that weren't present over there.

Expand the problem set to include running on SunOS and AIX and OSX and
QNX and ... and the problem becomes much harder. But if you don't care
about all those oddballs, why limit yourself to POSIX--whose point was
to try to enable that degree of cross-platform interoperability?
[...]
It's just one of those things where regardless of what standard you
are writing to, you still need to check to see how reality matches the standard.

The nature of these particular programs is that I might want to be able
to run them on those platforms in the future.
If I've already stuck to POSIX when writing them, then porting them to
those more difficult platforms should be much easier.

I'm a big fan of not putting up barriers to making programs portable in
the future, even if you haven't gone to the effort of really making sure they're portable yet.

Also, I have to admit, I found it a lot of fun trying to figure out how
to make these programd performant enough with only POSIX facilities.

--
Sean Whitton

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJNBAEBCgA3FiEEm5FwB64DDjbk/CSLaVt65L8GYkAFAmgIRuUZHHNwd2hpdHRv bkBzcHdoaXR0b24ubmFtZQAKCRBpW3rkvwZiQGzMD/4pgd+8dEHRZDTsTfeK9on9 OsHCK0vKKXKrFszThwSxYV913tBq7jcx4R/wv7FjpteJd2fVcYCrNlQeBXNtiELX YCX+FHx7/xszVAa9bBXwHguX57Mtf20pQ8/G2wkl+qtBy4oKEUSa7Yxjy6IQ3vU2 OMr8e2ii1tD+Gp2pw9s21q9pTfsHGfaETZUXRcZlJ8aK7CRyJH3AHaQZj+BM91c0 JRoQC+YrABJxc+NeEqZlDOnx2NEzGsBUS+7Feus8QmpI/jWqe/12pTiMlBu1Mz6Y SZ/Cgt5FgGAPfLUrBS9ArTSRHoLQKqQd9gUVjEj8JqjjVlP3sqSiGYNMT4ivsoJZ bTBXM5kHd2r3MAq7Su8gUNnyzFIT4xgQ/kiPp6YpT1YhPP9hlKR2BTFIjSsf+SzT KEQJmzYPPypidJDxo5MEuIh73G4wgxZhvG3qhwOCldFEjuQqe60SbHzM4XF5Mtnc 6wbtjprIChidCEted0gWLbsDQCrWRYaKrgowZD5b4AVhGAKO/NoBYtg42psznvLv NbPT5b4MKQ4FajufpRhjcdT01osG583a4OUnIQGfXsnV0YzXHV3wdE/PUnSY+FA9 7moSK5OZoKviURir/4nKvu1W9jbBjXLwp6emDxRLaE9osZPGaapnuZiczAPi9tH7 jPvlUDVDzJnPxpnPGfxtsQ==hGG4
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Us

Hi,

Quoting Josh Triplett (2025-04-20 19:05:13)

On Sun, Apr 20, 2025 at 12:48:08PM +0200, Simon Josefsson wrote:

Josh Triplett <[email protected]> writes:

And the extra symlinks in `/etc/alternatives` don't take much size; I agree you don't need update-alternatives, but then, you also don't strictly need the entire dpkg and apt packages, if you're already omitting their files under /var/lib.

Right -- has anyone considered if Debian should have official containers without apt and dpkg? I think that for many use-cases for containers,
apt and dpkg will not be used and just take up space. Guix packs (containers) doesn't get Guix installed unless you specify that as a package you want to have installed (which is usually not necessary), so something like this should be possible.

The tricky part of that would be that you then couldn't use that
container image as a base and install any further packages. Offering a "stock" container image without dpkg and apt would mean that the
container image has to *already* have everything installed that people
using the container need. (By contrast, if someone is installing their
own container they could then finalize it by removing dpkg and apt and other things not needed at runtime.)

Not quite. You can use dpkg --root to let dpkg work on another directory than your current rootfs [1]. You can use DPkg::Options to pass such options to apt. You can use dpkg --force-script-chrootless and then maintainer scripts will use tools from outside the chroot to work on the chroot. mmdebstrap makes use of this functionality.

[1] small wrinkle, dpkg will read its configuration from outside the chroot, so this does not work well if you want to set up a system with a different configuration, see #808203

I think it's a good idea to support this case, but I would ideally want to support it in tools that people use to build containers. For instance, suppose we had an mmdebstrap option to purge dpkg and apt and associated paraphernalia, after installing everything needed.

You don't purge dpkg. You just tell mmdebstrap to create a chroot without dpkg. You can use mmdebstrap to create, for example, a chroot which contains all of build-essential but not dpkg. mmdebstrap can do this by running apt and dpkg from the outside, passing the chroot directory using the respective options and let it populate the chroot with the packages you choose. That package set can include dpkg and apt but it doesn't have to.

Don't purge dpkg and apt from your chroot. Do not install it at all in the first place. :)

Thanks!

cheers, josch
--============== 49386163154615341=MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Description: signature
Content-Type: application/pgp-signature; name="signature.asc"; charset="us-ascii"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEElFhU6KL81LF4wVq58sulx4+9g+EFAmgI2nIACgkQ8sulx4+9 g+EgURAAtK4z7G3rx8AIVxn98EcB5edxPIqMI9OaERWfqKwT9QnM0xsgXFWTMA26 IWb4DqlrCN8ivsGhtl9T+Q3Vx0tVixl/4QJCJM4R0rtGBN4XIwQhTvDXu5Hw5MzY Ho39JQf71GRxuzUuHBFZduKrhj+3/i1yjOpsxTqa1CrDMWLcMOAdxUYbIz1C1754 znoagOyRIw4P4kOs8yt4UWIw1Z8RLmBtYl8Itu9ocWQuVwwn+IfbVU6auFJVTA1q dQO7GgpA+lK66HNh7FNdZ32eFigI/HUSCRCdRI44C/PaY3SnEsE5jTc+VUUpsiHd 2Vsw/cYi3IZ4XNLC7G6xydYhjFP4hENpMBndcqrES/76xrBfs5LM8ZqHXxT1Fi+3 iI3SQu0E1NtHFutaphuwMVwR0+issuI2Y6EBRomDCqSdCESy6EAR/aMwfkjQF06E NC8Jag1fLGb89pzdE73ekZN6VYQDOGqcLI3TsHdzwXqpggVOpRvnLQ8oBRGulIsS 4oteYaJV9ChOnDGBeyQQUkYKHyAYgk+kuIiG/8HmdulBC4tGh3d28yFvgc2mpz4b TcYBJiojEfS1ZHEhFafN3aRiLlTWoFVVF4Ka7ltBBaF1pb46vOKNQrSaIlukJVSz 4Zl5Vbd+w22l8bQhOfy2ll4IhDE4EP5t6cpZ4PYWgNHdilylRzY=
=awxT
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Le Sun, Apr 20, 2025 at 11:22:04PM +0500, Andrey Rakhmatullin a �crit :

On Sun, Apr 20, 2025 at 06:25:53PM +0100, Josh Triplett wrote:

What I'm suggesting here is that if every individual package that needs
awk has a Depends on it (via a package that allows switching implementations), rather than relying on Essential, then it becomes possible to make incremental progress, and that incremental progress benefits people who are willing to carefully remove some of what Debian normally always has installed packages.

Should we start declaring deps on all essential packages explicitly?

There are maintainers scripts that run without the dependencies installed
(or even without the package being installed).
They can only use Essential:yes packages.
There is no place to write such dependency currently.

Cheers,
--
Bill. <[email protected]>

Imagine a large red swirl here.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Bill Allombert <[email protected]> writes:

Le Sun, Apr 20, 2025 at 11:22:04PM +0500, Andrey Rakhmatullin a �crit :

On Sun, Apr 20, 2025 at 06:25:53PM +0100, Josh Triplett wrote:

What I'm suggesting here is that if every individual package that needs
awk has a Depends on it (via a package that allows switching
implementations), rather than relying on Essential, then it becomes
possible to make incremental progress, and that incremental progress
benefits people who are willing to carefully remove some of what Debian
normally always has installed packages.

Should we start declaring deps on all essential packages explicitly?

There are maintainers scripts that run without the dependencies installed
(or even without the package being installed).
They can only use Essential:yes packages.
There is no place to write such dependency currently.

How many of those scripts are really unavoidable? My view is that many pre/post-inst scripts are just hacks to work around some other problem.

Maybe we can work towards reducing the need for these scripts to begin
with.

Having some mechanism to create package-specific users seems like one
useful goal, and I don't understand why each package has to write
scripts to invoke 'adduser' and deal with all the complexity around that
on their own. There could be a declarative interface a package can use
and say 'USERS+=saned' or 'USERS+=munin' or 'USERS+=openldap' and that's
it.

/Simon

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmghnMUUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFosv4AQCiGT9gETcJ H8JisonKHz5KPopqYXb3qwpuZkoETUGbjAEAokIXdr27sc2dnRtFUnaa3HcugxSD iZ+iv9yGI3cuoww=SE18
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Simon Josefsson <[email protected]> writes:

Having some mechanism to create package-specific users seems like one
useful goal, and I don't understand why each package has to write
scripts to invoke 'adduser' and deal with all the complexity around
that on their own.

systemd-sysusers does this?

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On May 12, Simon Josefsson <[email protected]> wrote:

Having some mechanism to create package-specific users seems like one
useful goal, and I don't understand why each package has to write
scripts to invoke 'adduser' and deal with all the complexity around that
on their own. There could be a declarative interface a package can use
and say 'USERS+=saned' or 'USERS+=munin' or 'USERS+=openldap' and that's
it.

We have one: it is documented in sysusers.d(5).
Now you just need to persuade everybody to use it.

--
ciao,
Marco

-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCaCGteAAKCRDLPsM64d7X gec2AQC+V0cCEbsKVauW5LYvmsHwtr+o3vTWleyH1pV0MQEvCgEAlvaTraZvR7Hp hC9Q7YSNULituYJKsEBlFh8LPKg3AwU=
=eWJ+
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Marco d'Itri <[email protected]> writes:

On May 12, Simon Josefsson <[email protected]> wrote:

Having some mechanism to create package-specific users seems like one >>useful goal, and I don't understand why each package has to write
scripts to invoke 'adduser' and deal with all the complexity around that
on their own. There could be a declarative interface a package can use
and say 'USERS+=saned' or 'USERS+=munin' or 'USERS+=openldap' and that's >>it.

We have one: it is documented in sysusers.d(5).
Now you just need to persuade everybody to use it.

Oh I wasn't aware of that, thanks for the pointer. Is there any known
reason (except lack of time) that people aren't using it? I'll see if I
can come up with a way to use it in some packages, I think 'pqconnect'
would be a good candidate -- the postinst script is only there to call addgroup+adduser and it always felt like a hack.

https://salsa.debian.org/python-team/packages/pqconnect/-/issues/13

/Simon

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmgiX6YUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFotlYAQDuIarh7lDM UG6QZMTawpJ/8zSnAGcwYFoYU33DDfftXAEAsGtDOZOLEE0R/a8/cELUkgoWlz53 cSmZACfJIaGT3Q4=
=dx0t
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 12/05/2025 21:52, Simon Josefsson wrote:

Marco d'Itri <[email protected]> writes:

On May 12, Simon Josefsson <[email protected]> wrote:

Having some mechanism to create package-specific users seems like one
useful goal, and I don't understand why each package has to write
scripts to invoke 'adduser' and deal with all the complexity around that >>> on their own. There could be a declarative interface a package can use
and say 'USERS+=saned' or 'USERS+=munin' or 'USERS+=openldap' and that's >>> it.

We have one: it is documented in sysusers.d(5).
Now you just need to persuade everybody to use it.

Oh I wasn't aware of that, thanks for the pointer. Is there any known
reason (except lack of time) that people aren't using it? I'll see if I
can come up with a way to use it in some packages, I think 'pqconnect'
would be a good candidate -- the postinst script is only there to call addgroup+adduser and it always felt like a hack.

https://salsa.debian.org/python-team/packages/pqconnect/-/issues/13

Relatively new perhaps. Needs a little fiddling to work with debhelper
compat level 13 (needs dh helper called from d/rules).

You sponsored ntfy with one example of it. Small hint is not to forget
the d/rules call to dh_installsysusers.

https://salsa.debian.org/go-team/packages/ntfy/-/blob/debian/latest/debian/ntfy.sysusers?ref_type=heads


--
Regards,
Ahmad

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi!

On Mon, 2025-05-12 at 22:52:53 +0200, Simon Josefsson wrote:

Marco d'Itri <[email protected]> writes:

On May 12, Simon Josefsson <[email protected]> wrote:

Having some mechanism to create package-specific users seems like one useful goal, and I don't understand why each package has to write
scripts to invoke 'adduser' and deal with all the complexity around that on their own. There could be a declarative interface a package can use and say 'USERS+=saned' or 'USERS+=munin' or 'USERS+=openldap' and that's it.

We have one: it is documented in sysusers.d(5).
Now you just need to persuade everybody to use it.

Oh I wasn't aware of that, thanks for the pointer. Is there any known
reason (except lack of time) that people aren't using it? I'll see if I
can come up with a way to use it in some packages, I think 'pqconnect'
would be a good candidate -- the postinst script is only there to call addgroup+adduser and it always felt like a hack.

https://salsa.debian.org/python-team/packages/pqconnect/-/issues/13

systemd's sysuser support is only apparently slightly better than
adduser (in that it is declarative), otherwise it feels rather
underwhelming in the package management context. It does not solve being
able to use such users in .deb files w/o maintainer scripts, it currently
also uses maintainer scripts for its normal operation (you just do not
write them explicitly), it does not solve bootstrapping issues, does
not support setting a system-wide policy on whether to remove the
users/groups on package purge, etc.

I still think the right way forward is to add proper native support
for system user/groups to dpkg, where the first stage was implemented
recently by portably parsing passwd and group files natively (to
support chroots). I'm planning to discuss this with the base-files and
adduser maintainers, to have a draft for dpkg 1.23.x.

Thanks,
Guillem

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Ahmad,

Il 13 maggio 2025 00:30:09 CEST, Ahmad Khalifa <[email protected]> ha scritto:

Relatively new perhaps. Needs a little fiddling to work with debhelper compat level 13 (needs dh helper called from d/rules).

You might want to build-depend on dh-sequence-sysusers instead. This way, you don't need to fiddle with d/rules.

Bye!

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Andrea Pappacoda <[email protected]> writes:

Hi Ahmad,

Il 13 maggio 2025 00:30:09 CEST, Ahmad Khalifa <[email protected]> ha scritto:

Relatively new perhaps. Needs a little fiddling to work with debhelper compat level 13 (needs dh helper called from d/rules).

You might want to build-depend on dh-sequence-sysusers instead. This way, you don't need to fiddle with d/rules.

Are there any guarantees on semantics for package removals? Will the user/group be removed from /etc/{passwd,group} or not? Will it remove
the home directory? What happens if the home directory is not empty?
Will it remove files owned by that user/group elsewhere? I recall
different packages have different preferences on these topics.

/Simon

-----BEGIN PGP SIGNATURE-----

iQNnBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmgkRpEUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFom2BAQDrdcF8+G1G YsafQCwWUoJ/nRLp83lBYdb51hPa7isECgD4iJTZJc5lzM20UXm4P5+VzaB7ltMa 4cWb7gLHyHemBQ==
=zDk4
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, May 14, 2025 at 09:30:25AM +0200, Simon Josefsson wrote:

Are there any guarantees on semantics for package removals? Will the user/group be removed from /etc/{passwd,group} or not? Will it remove
the home directory? What happens if the home directory is not empty?
Will it remove files owned by that user/group elsewhere? I recall
different packages have different preferences on these topics.

see #228692 from 20024, or maybe directly jump to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=228692#63
from at least 2020.

To quote Russ once again: 'I think Policy should say something like
"created users and groups should not be removed by default, but may be
removed on purge if the local administrator explicitly requests this, either for that package or as a system-wide default."

I think this is still the best practice, even if underdocumented.

Finally I'd like to add that I would not remove home directories even on
purge, unless they are empty.


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

Everyone is entitled to their own opinion, but not their own facts.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmgkSy0ACgkQCRq4Vgaa qhyj+w//ZibIxmsgp0hQGcgohXm79E0ZuumSutsCsHzqHUVLmRXjBrsUlZ+RDVXu 5GYzTSrRlwCOpw0taKNU43n76plsaNAEtXdIUHXdh2KvP2SlpIM0vZLIvyD+U52S a+pOvPRCUdEGOvvBIgsKkxqRGmzIoFCOM15vnIVm1lxbpM3R4gE1bSrzoRIaA7b1 eRkv4au8DmLuMJlSfkQUVIeNKHE/dXgFYAKW7O1KwVl9PG9u69GqwEhWNM3C1q4Y XjC8+S0rEDxR/NYFZK7Lk8NL7pNYv5U9rijGz0nCN1Tljmdp+WYrI946xZtsb87r vF1se3Veoe8EHstVLpaZS+OS483dIAgb6dlq7BJUjrZJ3Nru1Sh71XTdctxwPrK7 oML7lAskzJozUM2msbF+Vv7FZ/JfiMTQv/vBAJrCBdh1vcOSpZSdr2e3b8UWFKuM /dJQmta8uNpyj9LmYpfV3DVCAB60iKqBM3w0YFaynHg4lBIwjh0725JusMD/nfwS QVKtrkC8+tR0Z35YweNy5Lmz7KVrjtoYgYjfO+FiegwYp4Gtpy+wLUQJwZDulkTv ewVh8gcLDtURkNaIHOhUToxkEZDSwT+nnsQsySkW2cBW8

Holger Levsen <[email protected]> writes:

On Wed, May 14, 2025 at 09:30:25AM +0200, Simon Josefsson wrote:

Are there any guarantees on semantics for package removals? Will the
user/group be removed from /etc/{passwd,group} or not? Will it remove
the home directory? What happens if the home directory is not empty?
Will it remove files owned by that user/group elsewhere? I recall
different packages have different preferences on these topics.

see #228692 from 20024, or maybe directly jump to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=228692#63
from at least 2020.

To quote Russ once again: 'I think Policy should say something like
"created users and groups should not be removed by default, but may be removed on purge if the local administrator explicitly requests this, either for that package or as a system-wide default."

I think this is still the best practice, even if underdocumented.

Finally I'd like to add that I would not remove home directories even on purge, unless they are empty.

Right -- and I just read that Guillem wants dpkg to have native support
for this, which really sounds like the best way forward to me.

Hopefully then the behaviour for user/group removal on package removal
will be more consistent.

Meanwhile I'm not sure it is worth investing time to increase adoption
of dh-sequence-sysusers, at least for me, unless it actually solves some
real problem (like
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100030 ...).

/Simon

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmgkTmsUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFonSKAPsE+qk5mb+p C2BYc0Nizpc/GmRZqmDKnvaw5yaUZX+h0AEAvDUYDN5Zl0+rBldOBP9rw0CWN32S JKA8SMbiMOuaLQ4=Dly5
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On May 13, Guillem Jover <[email protected]> wrote:

systemd's sysuser support is only apparently slightly better than
adduser (in that it is declarative), otherwise it feels rather
underwhelming in the package management context. It does not solve being
able to use such users in .deb files w/o maintainer scripts, it currently

This is much less of an issue that it used to be, because nowadays the /{etc,run,var/*}/$NAME directories can be created most of the times on
demand by systemd with the right permissions, by using the ConfigurationDirectory, StateDirectory, etc... directives.
See systemd.exec(5) for details.

also uses maintainer scripts for its normal operation (you just do not
write them explicitly),

I suppose that you could implement support for calling systemd-sysusers directly in dpkg, if you think it is needed.

it does not solve bootstrapping issues, does

What do you mean here?

not support setting a system-wide policy on whether to remove the >users/groups on package purge, etc.

I think that this could be implemented in systemd-sysusers, if somebody
cares enough to do it.

--
ciao,
Marco

-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCaCRurwAKCRDLPsM64d7X gWnoAQCUv68aK4YyEhfKh5uj65+8vg8rfB8seSYK3p8i5+MIewEAs2Xh2LW2YlAP kMa0yaNRF1MxThOVYIq+RqdoTr8vXQ4=
=787w
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, 14 May 2025 07:50:06 +0000, Holger Levsen
<[email protected]> wrote:

To quote Russ once again: 'I think Policy should say something like
"created users and groups should not be removed by default, but may be >removed on purge if the local administrator explicitly requests this, either >for that package or as a system-wide default."

I think this is still the best practice, even if underdocumented.

adduser will support this behavior in forky, should it not be thrown
out earlier.

Greetings
Marc
--
---------------------------------------------------------------------------- Marc Haber | " Questions are the | Mailadresse im Header Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From: [email protected]

I think removing awk is a bad idea. It will break legacy scripts as has already been suggested. I am mostly an observer on this list and say very little but I think that awk is used by a lot of people. I used it in a
script that analyzed mail logs for example. It was previously written in
perl but I redid it in bash with awk and it ran faster.

Thank you,

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.


On Sun, Apr 20, 2025 at 4:57 PM Josh Triplett <[email protected]> wrote:

On Sun, Apr 20, 2025 at 10:12:24PM +0300, Adrian Bunk wrote:

Container size is obviously not a priority for such users.

That is incorrect. Many, many users use Debian as the basis for
containers, and many such users care about container size, sufficiently
so to work on reducing it. You are suggesting that because they want to
use Debian, they don't care at all; I'm observing that they want to use Debian and they care enough to try to make Debian better.

<div dir="ltr"><div>I think removing awk is a bad idea.  It will break legacy scripts as has already been suggested.  I am mostly an observer on this list and say very little but I think that awk is used by a lot of people.  I used it in a script
that analyzed mail logs for example.  It was previously written in perl but I redid it in bash with awk and it ran faster. </div><div><br>Thank you,</div><div><br></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div
dir="ltr">Michael Lazin<br><span style="font-size:16.6px;font-family:serif"></span><div><br></div><div><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif">.. </span><span style="font-size:
16.6px;font-family:serif">τὸ </span><span style="font-size:16.6px;font-family:serif">γὰρ</span><span style="font-size:16.6px;font-family:serif"> αὐτὸ </span><span style="font-size:16.6px;font-family:serif">νοεῖν </span><span style="
font-size:16.6px;font-family:serif">ἐστίν </span><span style="font-size:16.6px;font-family:serif">τε </span><span style="font-size:16.6px;font-family:serif">καὶ </span><span style="font-size:16.6px;font-family:serif">εἶναι</span><span
style="font-size:16.6px;font-family:serif">.</span></div><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;
font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span><
span style="font-size:16.6px;font-family:serif"></span></div></div></div><br></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Sun, Apr 20, 2025 at 4:57 PM Josh Triplett &lt;<a href="mailto:josh@joshtriplett.
org">[email protected]</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Sun, Apr 20, 2025 at 10:12:24PM +0300, Adrian Bunk wrote:<br>
&gt; Container size is obviously not a priority for such users.<br>

That is incorrect. Many, many users use Debian as the basis for<br>
containers, and many such users care about container size, sufficiently<br>
so to work on reducing it. You are suggesting that because they want to<br>
use Debian, they don&#39;t care at all; I&#39;m observing that they want to use<br>
Debian and they care enough to try to make Debian better.<br>

</blockquote></div>

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

At 2025-04-21T14:50:40+0200, Santiago Vila wrote:

Also, while the idea of Josh might sound good in theory (adding
dependencies will not harm anybody, we just want to see the
dependencies explicit),

While I support that proposal and initiative...

it might create some undeserved pressure on maintainers to stop using
awk.

I agree with that, too. Our industry struggles to resist recurring
trends to rewrite everything in the language du jour. This decade it's
Go and/or Rust; both languages have things to recommend them (and both
their communities have demonstrated worrisome governance problems).

In some cases I'm sure that it would be easy to rewrite the code, but
in some others the alternate construction may be a lot less readable,
and overall worse.

Yes, and we also have to ask what we have to gain by doing so, apart
from fashionability and bragging rights on a CV. Nothing stops anyone
from reimplementing anything in any language and slapping it up on
GitHub or a Gitlab site to prove their skills--but my impression is that
a lot of people only feel such an undertaking is worth the effort if
they can cram it down a lot of other people's throats. Doing so shows
that one is "impactful", and therefore appealing to hiring managers at
startups and other places that natter on about being "disruptive" and
about Schumpeter's "creative destruction" as the engine of capitalism.

AWK is a nice language--small, pleasant, and consistent for problems
where C is too much trouble but a C-ish syntax is comfortably familiar
to your target audience, the shell is too quirky, and where you don't
need a bulky standard library.

Note also that the base system and the container images are expected
to grow over time, because everything grows over time, but machines
hosting those container images also grow over time, so one would
naturally wonder why awk has become a problem now when it was never
a problem due to its extremely small size.

Yes. I have little interest in the drive to shrink container images for its/their own sake.

My modest proposal here after trixie, if there is a consensus that
it's a good step, would be to replace mawk by original-awk in the
base system and see what can we learn from that.

I just learned that you're the maintainer of original-awk (a.k.a. BWK
AWK)...

We can observe right now that the space savings is meager. Using older
data on amd64, I see:

Package: original-awk
Version: 2018-08-27-1
Maintainer: Santiago Vila <[email protected]>
Installed-Size: 180 kB

Package: mawk
Version: 1.3.4.20200120-2
Maintainer: Boyuan Yang <[email protected]>
Installed-Size: 248 kB

...for a savings of 68kB from your proposal. Hmm, how much does
perl-base grow from one Debian release to the next?

Package: perl-base
Version: 5.36.0-7+deb12u2
Installed-Size: 7639 kB

Package: perl-base
Version: 5.40.1-3
Installed-Size: 7811 kB

Difference: 172 kB

So whatever we'd have gained by hypothetically trading mawk for
original-awk in trixie, or even eliminating AWK entirely from the
Essential set, we'd have traded away simply by having Perl around.

I would see that little change as something similar to what we did
with /bin/sh being replaced by dash to ensure compatibility and
standards compliance

This argument requires a footnote. Dash has its own problems with POSIX conformance[1] and we insist on a couple of extensions to POSIX behavior
for own own sanity (the one I can remember is the `local` keyword).

(back then, we discovered some bashisms, and we either rewrote them to
be sh-compliant or used #!/bin/bash instead, and everybody was happy
with those little incremental changes).

It was a good thing to do, but the standards-compliance benefit was, I
think, more a matter of inchoate bragging rights (see above) than
concrete benefit. The benefit, I think, came in saying what we meant:
either expressing dependencies explicitly, or eliminating unnecessary
ones. Also, it was really important for people using "upstart" as their
init system because, as I recall, the time differential when dynamically loading Bash versus dash was thought to be an easy win for performance. Bragging rights and impactfulness again.

I don't think we have many mawk-isms in the distribution, but this
would be an opportunity to check if all AWKs are really
interchangeable.

...and make you the maintainer of (even more?) Essential packages. ;-)

original-awk's man page admits to one area of POSIX-nonconformance:

BUGS
...
POSIX‐standard interval expressions in regular expressions are not
supported.


[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)