[CentOS] Re: 5.0: installing everything
Les Mikesell
lesmikesell at gmail.com
Fri May 4 12:53:33 UTC 2007
Johnny Hughes wrote:
>>>>> The thing I always wanted from an 'everything' install was the expertise
>>>>> of the distribution packager as to whether something would likely be
>>>>> useful to have installed. Someone, somewhere must have known enough
>>>>> about the packages to decide what was worth including in the
>>>>> distribution. I'd take their word for whether it should be on my hard
>>>>> disk or not.
>>>>>
>>>> If the distribution packager wanted you to install everything, there
>>>> would not be any options of what to install. It would always be an
>>>> "everything" install.
>>> Not true. There was a time when distributions included "everything" as
>>> one among several more specialized and limited choices. Now you only
>>> get the limited versions.
>>>
>> I have been guilty of an "everything" install in the past. It is much harder
>> to remove things that you are not sure you need than it is to just install
>> something you do need. If you are doing something that requires a new bit of
>> fluff, you just need to "yum install fluff" and now you have it. I think you
>> learn much more by knowing what and why you install something.
>
> Look at the RedHat security report in the thread entitled:
>
> "security report from RHEL's Mark Cox"
>
> You will see a 20x increase (from 3 to 60) of non-browser "Critical"
> security issues if you move from a "Default Install" to full install.
>
> Note: That is not moving from a minimal install (with many fewer
> issues) ... but the default install (with GUI, Gnome, etc.) to a full
> install.

That's not the way I read it. The 3 is for a default AS install. A
default WS install is 53 with the bulk of the difference coming from the
mozilla family that you absolutely would want to have on a
desktop/development/general purpose box.

> Not only are you GREATLY increasing your risk by doing a full
> install ... the riskiest items are the ones that you don't use (or even
> know what they do) that are enabled in their default setup conditions as
> part of the everything install. If you turn off items that you don't
> need that enable listening ports it will mitigate this issue somewhat.
>
> It is not just a little bit of extra hard drive space ... it is a
> potential way to get your machine taken over and root kitted.

Agreed for single-purpose machines, and tolerable for machines where all
users are allowed to become root and install things as needed. No one
has posted a solution for a multiuser, general purpose box yet.

> But then again, what do I know about Linux or CentOS.

You have added yet another reason why it should be the experts familiar
with all the packages that pick a complete general-purpose list instead
of end users guessing at it. Checking all of the choices sort-of works
but it's not clear that it gives the best selection.
--
Les Mikesell
lesmikesell at gmail.com