Use install_recommends: False in aws/init.sls?

[ocp-deploy]

@RobHooper From Dogsbody in December:

we have just patched a number of C++ packages on ocp27...

libgcc-13-dev
libstdc++-13-dev
g++-13
gcc-13
cpp-13-x86-64-linux-gnu
cpp-13
g++-13-x86-64-linux-gnu
gcc-13-x86-64-linux-gnu
gcc-13-base

... these packages are typically only on systems where you have compiled some code.
I wanted to let you know that if this is the case then you may need to recompile your code to include the security updates above.

If I’m not mistaken, ocp27 uses a PostgreSQL backup script that installs the awscli pip package, which requires python3-pip, which in turn has Recommends: build-essential, which then depends on gcc, etc.

Should we set install_recommends: False in salt/aws/init.sls, and also uninstall build-essential?

[RobHooper]

I have just tested this on a dev server and I can confirm we can remove build-essential without effecting the aws-cli install.
We should action as suggested: set install_recommends: False and uninstall build-essential.

[jpmckinney]

Ok, I've made the Salt change and purged build-essential on ocp21, ocp23, ocp25 and ocp27, then ran autoremove, which removed:

ocp21: g++, g++-11, libstdc++-11-dev
ocp23: g++, g++-11, libstdc++-11-dev
ocp25: g++, g++-11, libstdc++-11-dev
ocp27: g++, g++-13, g++-13-x86-64-linux-gnu, g++-x86-64-linux-gnu, libstdc++-13-dev