[MIR] cron pulls in b-d's from universe

Bug #878155 reported by Matthias Klose
This bug affects 1 person
Affects              Status        Importance  Assigned to  Milestone
audit (Ubuntu)       Won't Fix     Undecided   Unassigned
cron (Ubuntu)        Fix Released  Undecided   Unassigned
libev (Ubuntu)       Won't Fix     Undecided   Unassigned
libprelude (Ubuntu)  Won't Fix     Undecided   Unassigned

Bug Description

cron
  audit
    libprelude
    libev

Steve Langasek (vorlon) wrote :

This brings us in line with the Debian cron package, which links against libaudit. I was surprised to see that libaudit wasn't already in main.

No major bugs on the package in Debian or in Ubuntu.

One Secunia advisory for the package, from 2008.
  http://secunia.com/advisories/29617/

The auditd binary package runs a privileged daemon that talks to other local processes to provide an auditing service.

Steve Langasek (vorlon) wrote :

I was puzzled by audit's build-dependency on libev, because there's no binary dep. It turns out audit bundles its own copy of libev, and statically links against it.

If libev is to be linked against dynamically, we need to move it to /lib (currently in /usr/lib). If static linking is ok in this case, we can drop the libev-dev build-dependency.

If this is all too ugly, we can drop the libaudit build-dep from cron.

Christian Kastner (ckk) wrote : Re: [Bug 878155] Re: [MIR] cron pulls in b-d's from universe

On 10/20/2011 01:23 AM, Steve Langasek wrote:
> This brings us in line with the Debian cron package, which links against
> libaudit. I was surprised to see that libaudit wasn't already in main.

FYI: by default, cron does not link against libaudit. Support for
libaudit is an optional feature that has to be requested at build time.

Jamie Strandboge (jdstrand) wrote :

The security team is interested in audit in main as well, but as it is now, we don't want it. auditd runs with a lot of privileges and can talk over the network. We will be discussing auditd as part of https://blueprints.launchpad.net/ubuntu/+spec/security-p-catch-all

Steve Langasek (vorlon) wrote :

> The security team is interested in audit in main as well, but as it is now,
> we don't want it.

Ok, thanks - will drop the build-dependency from cron.

Changed in audit (Ubuntu):
status: New → Won't Fix
Changed in libev (Ubuntu):
status: New → Won't Fix
Changed in libprelude (Ubuntu):
status: New → Won't Fix

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cron - 3.0pl1-120ubuntu2

---------------
cron (3.0pl1-120ubuntu2) precise; urgency=low

  * Drop build-dependency on libaudit, not in main and the security team
    doesn't want it there. LP: #878155.
 -- Steve Langasek <email address hidden> Thu, 20 Oct 2011 07:57:06 -0700

Changed in cron (Ubuntu):
status: New → Fix Released