Ubuntu
discover package

Why is discover installed by default in Oneiric base system?

Asked by xor

I installed 11.10 via PXE setup, the only selected tasksel task is "Basic ubuntu server" (internal name "server"), so this is equal to an Ubuntu server installation

Then I disabled the universe, multiverse and backports repositories via /etc/apt/sources.list

Now aptitude shows 3 "Obsolete and Locally Created Packages": discover, discover-data, libdiscover2
They are obsolete/locally created because I removed the repositories which I they came from,

There are no packages installed which depend on discover or suggest/recommend it.
Also "tasksel --task-packages server" shows that "discover" is not part of the packages of Ubuntu server.

So the conclusion is: The Oneiric base system contains "discover", even though it is from the universe repository and no packages depend on it or suggest it.
Why is it contained in the base system? And Isn't this a major security flaw as the universe repository is not included in security updates etc. AND the package is not needed anyway?

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu discover Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Sam_ (and-sam) said : 		#1

This was (since alpha) a fresh 12.04 desktop install without 'discover' although there would be hardware to detect.
As description says it's there to identify hardware, lets assume to provide a smooth installation and boot experience.
I wouldn't consider maintainance by MOTUs and Debian install-system-team insecure. Maybe ask in ubuntu-motu channel for more background info.

~$ aptitude show discover
Package: discover
State: not installed
Version: 2.1.2-5.1
Priority: optional
Section: universe/admin
Maintainer: Ubuntu Developers <email address hidden>
Uncompressed Size: 126 k
Depends: libc6 (>= 2.4), libdiscover2 (= 2.1.2-5.1), debconf (>= 0.5) | debconf-2.0
Suggests: lsb-base
Conflicts: discover1 (< 2.0), discover1 (< 2.0), discover
Description: hardware identification system
Discover is a hardware identification system based on the libdiscover2 library. Discover provides a flexible interface that programs can use to report a wide range of information about the hardware that is installed on a Linux system. In addition to reporting information, Discover includes support for doing hardware detection at boot time.

~$ apt-cache rdepends discover
discover
Reverse Depends:
  libdiscover2:i386
  discover:i386
  libdiscover2
 |bootcd-mkinitramfs

Revision history for this message
xor (xor) said : 		#2

I don't understand what you mean by "to provide a smooth installation and boot experience".
There are not other daemon/installation packages installed which depend on it, and it does not seem to be a daemon itself, so I don't understand how it is supposed to be used for installation/boot?
To me it seems more like a command line tool for being used by the user directly if he ever needs it.

Also, sources.list says about the "universe" repository:
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.

So I don't understand why you do not consider it as insecure?
The whole point of splitting up the repositories is to divide between secure, supported software and unsupported, and therefore less secure software, isn't it?

I've checked a Debian 6 machine of mine, it also has "discover" installed, but Debian 6 does not have "universe" repositories, so they somehow consider "discover" as stable/secure/supported I guess.

My conclusion is that there are 2 possible explanations of why it is installed by default:
1. This package was accidentally put in the wrong repository by the Ubuntu team.
2. This package is in the right repository but was accidentally put into the installed-by-default packages. It is universe and therefore should not be installed by default as default installations should not contain software which receives no security updates.

Either way, it is a bug, and I think this issue should not be closed. Can you somehow convert it into a bugtracker entry for me?

Revision history for this message
Sam_ (and-sam) said : 		#3

xor, please click above the answer inbox 'create bug report', this will create a bug report from the question.

> It is universe and therefore should not be installed by default

Again, I've made two desktop installations of 12.04 which didn't install 'discover'.
The issue seems to occur on specific install routine.

Can you help with this problem?

Provide an answer of your own, or ask xor for more information if necessary.

To post a message you must log in.