Debian has been my distro of choice since about 1998. I rarely have cause to complain, but one particular issue has been nagging at me for a couple of years now... Dynamic Kernel Module Support.

DKMS has the well-intended goal of making it easier to maintain and deploy out-of-kernel modules. That being said, I still prefer the option to build native Debian packages to deploy kernel modules. For years, the approach to building native Debian modules was to install a *-source package and use module-assistant to generate a standalone package for your running kernel.

Since about 2009, I've been watching packages deprecate support for their source packages with claims that DKMS provides equivalent functionality. This is demonstrably untrue, but the meme persists anyway. DKMS can build binary debs, but you still must have DKMS on the target system to make use of the built modules.

Recently, the Debian open-vm maintainers dropped support for open-vm-source, which provides virtual machine drivers for virtual nodes. Now if I want to have good support for running Debian virtual machines on VMware, I have to install DKMS, which depends on kernel headers, compilers, Debian packaging software and a whole host of unnecessary and arguably dangerous software on production systems.

Most systems people would agree with me that deploying a server with unnecessary compilers makes it easier for an attacker to install rootkits or other types of malicious software if the system ever becomes vulnerable. By making it a requirement that nodes deployed on VMware include a compiler, Debian takes away a security option systems administrators have taken for granted for years.