On Sat, Oct 11, 2025 at 01:15:39PM +0300, [email protected] wrote:
> A long time ago, there was a discussion on this mailing list about whether
> the security of an installed OS would be improved by the absence of its
> comp*[.tgz] and x*[.tgz] subsystems. I don't remember the exact details, but
> it seems to me that Theo de Raadt gave the final answer in that discussion.
>
> Unfortunately, I couldn't find that thread on marc.info. Does any of the
> old-timers remember and could send me the link?
>
> I need that link to the discussion for authoritative arguments in the context
> of discussing the security of an OS that processes personal data (and
> possibly other critical information).
I could not be bothered to look for a working link to the discussion(s) --
I think this topic came up several times -- but I can offer this:

If I remember correctly, the reasoning for keeping the x* sets as part of
the default selection was that they contain libraries that are required
dependencies even for quite a few programs that it is reasonable to run
even on systems that do not run the actual X servers themselves. I forget
whether this would affect anything in the base system, but leaving out the
x* sets would definitely be inconvenient once you start installing packages.

For the comp* set, I would not be surprised if they contain bits that are
required for the relink-at-boot process.

Also, it could be argued that once an adversary has gained enough access
that they are able to use development tools on your system, the likelihood
that they will be able to upload and run their own tools is somewhere near
a certainty.

That said, installing those sets is the installer's default setting only.
If you want to leave out those sets, you simply deselect them during
install. Try that on a test system and have it perform the tasks your
environment requires. If it works for you, or the limitations you bump
into are something you are prepared to live with, fine. If things break,
at least you know first hand what functionality will be missing and just
how inconvenient that state of things is for you.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://nxdomain.no/~peter/blogposts https://nostarch.com/book-of-pf-4th-edition
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

