[CentOS] Re: 5.0: installing everything

Fri May 4 08:55:13 UTC 2007
Johnny Hughes <mailing-lists at hughesjr.com>

On Wed, 2007-05-02 at 14:58 -0700, Scott Silva wrote:
> Les Mikesell spake the following on 5/2/2007 2:37 PM:
> > Scott Silva wrote:
> >>>
> >>> The thing I always wanted from an 'everything' install was the expertise
> >>> of the distribution packager as to whether something would likely be
> >>> useful to have installed.  Someone, somewhere must have known enough
> >>> about the packages to decide what was worth including in the
> >>> distribution.  I'd take their word for whether it should be on my hard
> >>> disk or not.
> >>>
> >> If the distribution packager wanted you to install everything, there
> >> would not
> >> be any options of what to install. It would always be an "everything"
> >> install.
> > 
> > Not true.  There was a time when distributions included "everything" as
> > one among several more specialized and limited choices.  Now you only
> > get the limited versions.
> > 
> I have been guilty of an "everything" install in the past. It is much harder
> to remove things that you are not sure you need than it is to just install
> something you do need. If you are doing something that requires a new bit of
> fluff, you just need to "yum install fluff" and now you have it. I think you
> learn much more by knowing what and why you install something.

Look at the RedHat security report in the thread entitled:

"security report from RHEL's Mark Cox"

You will see a 20x increase (from 3 to 60) of non-browser "Critical"
security issues if you move from a "Default Install" to full install.  

Note: That is not moving from a minimal install (with many fewer
issues) ... but the default install (with GUI, Gnome, etc.) to a full
install.

Not only are you GREATLY increasing your risk by doing a full
install ... the riskiest items are the ones that you don't use (or even
know what they do) that are enabled in their default setup conditions as
part of the everything install.  If you turn off items that you don't
need that enable listening ports it will mitigate this issue somewhat.

It is not just a little bit of extra hard drive space ... it is a
potential way to get your machine taken over and root kitted.

But then again, what do I know Linux or CentOS.

Thanks,
Johnny Hughes

  

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.centos.org/pipermail/centos/attachments/20070504/9995df63/attachment-0004.sig>