Smart card Usage in Debian: middleware
See "Smart card Usage in Debian: pcscd and drivers" for the previous article.
The next layer above the smart card reader driver and the PC/SC resource manager
is the middleware. This software sits between PC/SC and the user application.
I try to maintain a list of smart card middleware available in Debian.
I updated the list when writing this blog article. New Debian packages have
been added, and others have been removed.
cackey: CAC and PIV Smartcard PKCS #11 cryptographic module
libckyapplet1: Smart Card Coolkey applet
libckyapplet1 is a dependency of coolkey. So they are both installed at the
same time.
libckyapplet1-dev: Smart Card Coolkey applet development files
libcacard0: Virtual Common Access Card (CAC) Emulator (runtime library)
libcacard0 is a dependency of all the qemu-system-* packages. That can explain
why this package is installed on so many systems.
libcacard-dev: Virtual Common Access Card (CAC) Emulator (development files)
libchipcard6: library for accessing smartcards
libengine-pkcs11-openssl: OpenSSL engine for PKCS#11 modules
libopenconnect5 is a dependency of plasma-nm (Plasma5 networkmanager library).
Plasma is the KDE graphical workspace environment.
libosmosim0: Osmo SIM library
Part of libosmocore: Open Source MObile COMmunications CORE library
(metapackage)
libpam-p11: PAM module for using PKCS#11 smart cards
Part of pam-p11: PAM module for using PKCS#11 smart cards
libpam-pkcs11: Fully featured PAM module for using PKCS#11 smart cards
libspice-client-glib-2.0-8: GObject for communicating with Spice servers (runtime library)
libspice-client-glib-2.0-8 is a dependency of vinagre: remote desktop client for the GNOME Desktop
libspice-client-gtk-3.0-5: GTK3 widget for SPICE clients (runtime library)
We can see that openjdk-8-jre-headless has been replaced by
openjdk-11-jre-headless.
openjdk-13-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)
openjdk-13-jre-headless is not yet in Debian stable, so the number of
installations is low. This version has also been replaced by
openjdk-14-jre-headless since 2020.
openjdk-14-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)
openjdk-15-jre-headless is very new. It is in Debian unstable but has not yet
migrated to Debian testing, so the number of installations is very low.
opensc-pkcs11: Smart card utilities with support for PKCS#15 compatible cards
python3-pyscard is a dependency of python3-yubikey-manager. Users are
installing this package not because they love this software (I am the upstream
maintainer) but because they use a YubiKey.
Installations
Package | # of installations | % of Debian systems |
libcacard0 | 54878 | 27,83 % |
libspice-client-glib-2.0-8 | 53935 | 27,35 % |
openjdk-11-jre-headless | 51455 | 26,10 % |
libspice-client-gtk-3.0-5 | 49029 | 24,87 % |
openjdk-8-jre-headless | 42921 | 21,77 % |
opensc-pkcs11 | 24375 | 12,36 % |
libopenconnect5 | 19034 | 9,65 % |
python3-pyscard | 369 | 0,19 % |
openjdk-14-jre-headless | 340 | 0,17 % |
libengine-pkcs11-openssl | 312 | 0,16 % |
openjdk-13-jre-headless | 300 | 0,15 % |
libchipcard-data | 199 | 0,10 % |
libckyapplet1 | 193 | 0,10 % |
coolkey | 190 | 0,10 % |
libchipcard6 | 182 | 0,09 % |
libykpiv1 | 178 | 0,09 % |
libcacard-dev | 135 | 0,07 % |
libchipcard-tools | 131 | 0,07 % |
libpam-pkcs11 | 90 | 0,05 % |
openjdk-15-jre-headless | 78 | 0,04 % |
libpam-poldi | 39 | 0,02 % |
libpam-p11 | 33 | 0,02 % |
libosmosim0 | 29 | 0,01 % |
python3-pykcs11 | 19 | 0,01 % |
libchipcard-dev | 18 | 0,01 % |
cackey | 12 | 0,01 % |
libckyapplet1-dev | 3 | 0,00 % |
libpcscada0.7.5 | 3 | 0,00 % |
libgnokii7 | 2 | 0,00 % |
Conclusion
Many (all?) smart card middleware packages with a large installation base
are not installed for their own sake but because they are a dependency of
another package.
So users are installing packages with smart card features or services
without any need for, or use of, the smart card features.
It is not a problem. It is how dependencies work.