[Michael told me in a different e-mail that he replied off-list by accident, so I'm taking the thread back on the list]
On Fri, Jun 20, 2008 at 08:07:14AM -0500, Michael Hipp wrote:
>> We should probably add an install option to the server CD to only
>> install the base system, so that the die hard group of old school
>> admins can keep their Ubuntu systems as small as possible, though.
> I'm not sure if you're trying to spark a flame war or not.

Err.. No, I'm not. I'm not sure a) what would make you say that, and b) why you seem to be taking this so very personal.

> But there's nothing "die hard old school" about not wanting to install
> a bunch of crap that we don't need or want.

Again, I'm not sure why you're taking it so personal. (Henceforth abbreviated INSWYTISP)

> That's part of what attracted many of us to ubuntu-server.

That's valuable input. Thanks.

> Since this thread has turned into
> let's-add-my-favorite-just-in-case-I-might-need it.

INSWYTISP, but that's really not the case. I'm attempting to start a discussion about what sort of stuff we should put on servers by default. The operative word here is "should". Not "could".

The current approach is something like:

1. Will more than 95% of our users need it? If yes, install it by default. If no, go to next question.
2. Will more than 80% of our users need it? If yes, include on CD. If no, go to next question.
3. Will more than 10% need it and be completely and utterly screwed without it? If yes, include it on the CD. If no, go to next question.
4. Forget it.

What I'm suggesting is to add an extra step in between 1 and 2. Something like "Is it something most of our users *should* be using?" or "Does using it constitute what we consider best practice?". If so, install it by default.

> Here's my list:
>
> openssh
> samba
> apache
> postfix
> dovecot
> openvpn

All of these listen on the network and would violate our no-open-ports-by-default policy.

> openntpd

I agree that something that makes sure the time on your server is accurate is needed, which is why I suggested ntp. I'm not familiar with openntpd.
What benefits does it provide over ntp (which is already in main)?

> no-ip

Is a transitional package for noip2. I think something like noip2 might make sense to have on the CD, actually, but I wouldn't suggest installing it by default. It doesn't constitute best practice, and I don't think it's of great use to the majority of users.

> screen

Agreed.

> vim (full)

vim-full depends on a stack of GUI stuff, but a more full featured vim than vim-tiny (like e.g. the "vim" package) would be lovely to have by default.

> Just to name a few. And how could anyone possibly object to any of those?
> Why, they're just basic stuff that I really, really need. Not like it'll
> hurt anything. So what that ubuntu-server requires a stack of DVDs to
> install. DVDs are cheap!

INSWYTISP.

> And, excuse me, saying we can just apt-get remove it is surely the
> *dumbest* suggestion I've heard on an Internet list anytime recently.

A guy called Michael Hipp (you may have heard of him) once asked me: "I'm not sure if you're trying to spark a flame war or not." It just so happens that I'm not, but you sure seem to be.

I find that it's sometimes convenient to stop for a second and think about why you're doing the things you're doing. Simply refusing to discuss things and reevaluate them is just silly. Any policy that can't stand being reevaluated once every couple of years is not worth much, IMO.

Let me offer a take on this. Say there's a package called foo, which 60% of our users would want. If we install it by default, only 40% of our users will have to change the default, while 60% will be happy with it. Disregarding all other circumstances, surely that sounds sensible?

Now, what if the package is a several hundred megabyte blob of stuff that would be completely unusable for the 40% (perhaps it's a driver for some hardware they don't have)?
See, that shifts reality a bit, because the convenience of the 60% of users who need it doesn't justify the amount of pain inflicted upon the 40% who have absolutely no use for it.

In Ubuntu I like to think that we take security rather seriously. That's why I picked checksecurity and chkrootkit as examples of stuff to install by default. They are tools that at intervals will scan your system for various things that might represent a security problem.[1]

> (Enough juvenile sarcasm and hate mongering already)

I'm glad you can see it yourself. I'm less glad that you couldn't avoid it, though.

> Do you see the problem?

I see plenty of problems... so I try to solve them. Where I come from, this is usually considered a good thing.

> None of them (along with w3m) are in any way essential to get a basic
> server up and running. So why include them?

Because a server that does nothing but boot is useless for anything but heating your house and increasing your electrical bill?

> Servers are *by definition* a DIY affair.

"Oh, so maybe we shouldn't even install a coreutils? Or a kernel? Maybe we should make an apt-get remove --ALL option?"

(I'm taking a stab at the take-whatever-people-say-and-blow-it-completely-out-of-proportions things. How am I doing?)

Do you think there are things in the standard seed that don't belong there? If you truly want to do everything yourself I guess you'd even want the server install to not include the standard seed, but only minimal? That would remove such completely useless things as psmisc, man-db, iptables, ftp, at, cron, file, openssh-client, and wget.

> So don't start me out in a mansion when a rustic cabin is adequate for
> my needs.
To keep to the house analogies, I think that your suggestion is closer to just providing the foundation of the house and leave it up to anyone who actually wants a place to live to build the house itself, install doors, windows, heating facilities, bathrooms, kitchens, etc., because, you know, a very significant percentage of the world's population manages to survive without most of these things, so who are we to go and decide that everyone should have heating facilities installed even though they can just choose to not turn them on?

> If we want to start shipping various huge hand-holding metapackages to
> help all those gui-obsessed windows admins to cope, then great.

INSWYTISP, but could you please take a deep breath and read what I wrote again. I'm suggesting nothing of the sort.

> But please don't put them on my server. They won't be much help when
> I'm trying to admin a system over a flaky satellite link with 1200ms
> ping times.

I'm sure you'll enjoy installing extra packages over that sort of connection.

> And while I'm at it do I need to tutor you on the fact that *every*
> installed piece of software is a potential security hole and attack
> vector?

I don't know. What do you think?

> And just means there will be that many more security updates to apply
> on an ongoing basis. The costs mount. The risks mount. The
> rationalizations crumble.

Whether stuff is installed by default or just included on the CD does not matter when it comes to the work we have to put into putting out security updates, FYI.

[1]: You might be shocked to know that checksecurity used to be part of the cron package, so you actually used to have this installed by default back in the old days (around 2003-2004, I believe).

--
Soren Hansen | Virtualisation specialist | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/
--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
