[CentOS] Re: 5.0: installing everything

Fri May 4 12:53:33 UTC 2007
Les Mikesell <lesmikesell at gmail.com>

Johnny Hughes wrote:

>>>>> The thing I always wanted from an 'everything' install was the expertise
>>>>> of the distribution packager as to whether something would likely be
>>>>> useful to have installed.  Someone, somewhere must have known enough
>>>>> about the packages to decide what was worth including in the
>>>>> distribution.  I'd take their word for whether it should be on my hard
>>>>> disk or not.
>>>>>
>>>> If the distribution packager wanted you to install everything, there
>>>> would not
>>>> be any options of what to install. It would always be an "everything"
>>>> install.
>>> Not true.  There was a time when distributions included "everything" as
>>> one among several more specialized and limited choices.  Now you only
>>> get the limited versions.
>>>
>> I have been guilty of an "everything" install in the past. It is much harder
>> to remove things that you are not sure you need than it is to just install
>> something you do need. If you are doing something that requires a new bit of
>> fluff, you just need to "yum install fluff" and now you have it. I think you
>> learn much more by knowing what and why you install something.
> 
> Look at the RedHat security report in the thread entitled:
> 
> "security report from RHEL's Mark Cox"
> 
> You will see a 20x increase (from 3 to 60) of non-browser "Critical"
> security issues if you move from a "Default Install" to full install.  
> 
> Note: That is not moving from a minimal install (with many fewer
> issues) ... but the default install (with GUI, Gnome, etc.) to a full
> install.

That's not the way I read it.  The 3 is for a default AS install.  A 
default WS install is 53 with the bulk of the difference coming from the 
mozilla family that you absolutely would want to have on a 
desktop/development/general purpose box.

> Not only are you GREATLY increasing your risk by doing a full
> install ... the riskiest items are the ones that you don't use (or even
> know what they do) that are enabled in their default setup conditions as
> part of the everything install.  If you turn off items that you don't
> need that enable listening ports it will mitigate this issue somewhat.
> 
> It is not just a little bit of extra hard drive space ... it is a
> potential way to get your machine taken over and root kitted.

Agreed for single-purpose machines, and tolerable for machines where all 
users are allowed to become root and install things as needed.  No one 
has posted a solution for a multiuser, general purpose box yet.

> But then again, what do I know about Linux or CentOS.

You have added yet another reason why it should be the experts familiar 
with all the packages that pick a complete general-purpose list instead 
of end users guessing at it.  Checking all of the choices sort of works, 
but it's not clear that it gives the best selection.

-- 
   Les Mikesell
    lesmikesell at gmail.com
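Johnny's suggestion above, turning off unneeded services that open listening ports after a full install, is easier to act on with a list of what is actually listening and which of it is reachable from other hosts. The script below is an added example, not part of this thread or of CentOS; it parses the output of `netstat -ltnp` (the form the tool prints when run as root on CentOS 5) and separates sockets bound to loopback from those bound to a wildcard or external address. The `SAMPLE_NETSTAT` text, the process names and PIDs in it, and the `needed_ports` allowlist are constructed for offline use; on a real box you would pipe in the live command output instead.

```python
"""Attack-surface review after an 'everything' install.

Parses `netstat -ltnp` output and reports each listening TCP socket, the
owning process, and whether the socket is reachable from other hosts
(bound to a wildcard or non-loopback address). Entries that are exposed
and not on the administrator's allowlist are the candidates to turn off.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of `netstat -ltnp` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2401/cupsd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1980/portmap
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2280/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2350/sendmail
tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN      -
tcp        0      0 :::80                       :::*                        LISTEN      2512/httpd
"""

LOOPBACK = {"127.0.0.1", "::1"}

# proto, recv-q, send-q, local address, foreign address, state, pid/program
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\S+)\s*$")


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]      # None when netstat prints "-" (no permission or kernel socket)
    program: str
    exposed: bool           # True when other hosts can reach this socket


def parse_netstat(text: str) -> List[Listener]:
    """Turn `netstat -ltnp` output into Listener records, skipping header lines."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, owner = m.groups()
        addr, port = local.rsplit(":", 1)       # ":::80" -> ("::", "80")
        if owner == "-":
            pid, program = None, "(unknown)"
        else:
            pid_str, program = owner.split("/", 1)
            pid = int(pid_str)
        listeners.append(Listener(proto, addr, int(port), pid, program,
                                  exposed=addr not in LOOPBACK))
    return listeners


def exposed_ports(listeners: List[Listener]) -> Set[int]:
    """Ports that are bound to a wildcard or external address."""
    return {l.port for l in listeners if l.exposed}


def review(text: str, needed_ports: Set[int]) -> List[Listener]:
    """Exposed listeners not on the allowlist, sorted by port: the things to
    look at with `chkconfig --list` and decide whether to turn off."""
    return sorted((l for l in parse_netstat(text)
                   if l.exposed and l.port not in needed_ports),
                  key=lambda l: l.port)


if __name__ == "__main__":
    # On a real host: netstat -ltnp | python review_listeners.py  (hypothetical filename)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for l in review(text, needed_ports={22}):
        who = f"{l.program} pid {l.pid}" if l.pid else l.program
        print(f"port {l.port}/{l.proto} bound to {l.addr} ({who}) is reachable from the network")
```

Loopback-only services (cupsd and sendmail in the sample) are left out of the review list because only local users can reach them; the wildcard-bound ones are what a remote attacker sees, and anything there that you cannot name is exactly the "don't use or even know what it does" case the thread is worried about. A socket reported with "-" instead of a program name usually means a kernel-side service such as NFS, which is managed through its init script rather than a user process.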