A forthcoming article on the Red Hat
Security Blog got me to ask the
question: is it possible to have yum remove dependencies when
uninstalling packages? The answer is a somewhat surprising "yes"! The
functionality is turned off by default for a good reason but that's no
reason why everyone should have it off. A little perspective here is
probably due...
If a piece of software isn't installed on your system then it can't be
used as a vector of attack. That's a simple thought, really. If I
don't have Apache, for instance, installed then it cannot be used as a
means of gaining unauthorized access to my system. So when removing a
package it would be nice to be able to remove the package's dependencies
as well so that no extra software is left on the system. In the past
I've had to go back through logs to see what was actually pulled in to
know what I could remove. Now that I know the switch things will be
much easier.
Well, it might not actually be that simple. Giving software a set of
logical rules to use to determine whether or not a piece of software can
be removed isn't that simple. Yum's implementation isn't bullet-proof
either. I give the following example:
$ sudo yum remove cqrlog
Resolving Dependencies
--> Running transaction check
---> Package cqrlog.x86_64 0:1.5.2-2.fc18 will be erased
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
---> Marking mysql-server to be removed - no longer needed by cqrlog
---> Marking trustedqsl to be removed - no longer needed by cqrlog
---> Marking mysql to be removed - no longer needed by cqrlog
---> Marking hamlib to be removed - no longer needed by cqrlog
---> Marking perl-DBD-MySQL to be removed - no longer needed by mysql-server
---> Marking wxBase to be removed - no longer needed by trustedqsl
---> Marking tqsllib to be removed - no longer needed by trustedqsl
---> Marking wxGTK to be removed - no longer needed by trustedqsl
Found and removing 8 unneeded dependencies
CQRLog has several dependencies including mysql-server and
openssl-devel. You don't see openssl-devel being targeted for removal
because it's in use by another package. But what about mysql-server?
That is a package that could be needed all on its own. Had I actually
needed mysql-server and not been paying attention, that package would
have been removed and things could have broken on my system.
So using this functionality in yum should come with some caution. You
must be a diligent systems administrator and watch what you are doing
instead of just hitting that 'y' key when asked if this is what you
really want to do.
I actually looked for this functionality a while back, and it turns out
it had been sitting right under my nose the whole time. A quick read of
the man page for yum.conf shows:
clean_requirements_on_remove
    When removing packages (by removal, update or obsoletion) go through
    each package's dependencies. If any of them are no longer required by
    any other package then also mark them to be removed. Boolean (1, 0,
    True, False, yes, no) Defaults to False
Adding this switch to the yum.conf file enabled the functionality
immediately, and testing confirmed that it works as advertised. I, for
one, will be using this feature on all of the systems I administer, as I
dislike having packages lying around that need updates while doing
nothing. Packages left lying about are a potential security hazard, and
this should help reduce the amount of "stuff" one has on their system.
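As an added example (not part of the original post), here is one way to get the benefit of clean_requirements_on_remove without the mysql-server surprise described above: dry-run the removal with the option forced on, parse the "Marking ... to be removed" lines yum prints, and refuse to proceed when a package on a locally maintained keep list is among the leftovers. The keep list and the sample transcript (copied from the post) are constructed for illustration; yum's --assumeno and --setopt options are real.

```shell
#!/bin/sh
# Constructed sample: the yum transcript shown in the post above.
SAMPLE_YUM_OUTPUT='Resolving Dependencies
--> Running transaction check
---> Package cqrlog.x86_64 0:1.5.2-2.fc18 will be erased
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
---> Marking mysql-server to be removed - no longer needed by cqrlog
---> Marking trustedqsl to be removed - no longer needed by cqrlog
---> Marking mysql to be removed - no longer needed by cqrlog
---> Marking hamlib to be removed - no longer needed by cqrlog
---> Marking perl-DBD-MySQL to be removed - no longer needed by mysql-server
---> Marking wxBase to be removed - no longer needed by trustedqsl
---> Marking tqsllib to be removed - no longer needed by trustedqsl
---> Marking wxGTK to be removed - no longer needed by trustedqsl
Found and removing 8 unneeded dependencies'

# Hypothetical keep list: packages this host needs even when no other
# package requires them.
KEEP_LIST='mysql-server openssh-server'

# Print the leftover dependencies yum marked for removal, one per line,
# parsed from a yum transcript read on stdin.
marked_for_removal() {
    sed -n 's/^---> Marking \([^ ]*\) to be removed.*/\1/p'
}

# Read a yum transcript on stdin; return 1 and name the offenders if any
# marked dependency is on KEEP_LIST, otherwise return 0.
check_keep_list() {
    marked=$(marked_for_removal)
    hits=''
    for pkg in $marked; do
        for keep in $KEEP_LIST; do
            [ "$pkg" = "$keep" ] && hits="$hits $pkg"
        done
    done
    if [ -n "$hits" ]; then
        echo "would remove kept package(s):$hits" >&2
        return 1
    fi
    return 0
}

# Dry run: have yum resolve the removal with the option forced on but answer
# "no" to the prompt, then gate the real removal on the keep-list check.
preview_remove() {
    sudo yum remove --assumeno --setopt=clean_requirements_on_remove=1 "$@" 2>&1 \
        | check_keep_list
}
```

Run `preview_remove cqrlog` first; only when it exits 0 is `yum remove cqrlog` safe to confirm with that 'y' key.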