[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: From release notes for FC5T3 (web)



On Mon, 2006-03-06 at 17:10 -0600, Les Mikesell wrote:
> On Mon, 2006-03-06 at 16:49, David Boles wrote:
> 
> > >> This is exactly what everyone has been trying to tell you all along. You want
> > >> ONE package so you install everything. That way you would be sure to get the
> > >> "the gazillion packages" that you don't want.
> > > 
> > > How do I know I don't want them until I've tried them all?  Isn't
> > > it like flavors of ice cream except all free?
> > > 
> > 
> > How new at this are you?

> Old enough to remember versions of unix where you had to pay
> extra to get a compiler or X so I'm happy to have more thrown
> in for free. I'm not sure what that has to do with knowing
> whether you'll find a program useful without trying it, or
> knowing if you are likely to run across a script that invokes
> it in the future.

	In the security business, we have and expression for people like you.
Those people who use the "install everything" button just because they
"might" want something in the future (and then forget they installed it,
if they even realize they installed it to begin with).

	We dub thee "owned".

	The funny thing is that (and I've seen this in this thread) most of the
time people will use the argument that the newbie user is the one who
needs the "install everything" option, because they don't know what they
want, so they'll be sure to get it.  They are EXACTLY the LAST people
who need or should use that damn thing.  They are the MOST likely to get
burned by it (and I've spent too much time helping newbies fix broken
systems what would not have been broken into if they had only installed
what they needed).

	This has gotten vastly better from the bad old days when RedHat Linux
3.x (or was it 4 - and I don't mean Enterprise) would install Samba and
share out your entire system because the service was installed "running"
and installed with the dumbest default configuration on the face of the
planet (Bob Young and I had a little discussion about that down here in
Atlanta when he came to the Atlanta Linux Showcase way back when).  But
better isn't perfect.  Fine, now we are much more careful that
"installed" services are not "enabled" services until you take some
action.  And the firewall defaults definitely help.  But what about
Apache add ons (like PHP et al).  If you don't know and decide
discreetly (with malice o forethought) that you want this fancy wiz bang
sledgomatic chopper utility, and you just figure you'll get around to
playing with it one of these days, I can bet you that the first person
who plays with it will not be you and will not have your best interest
at heart.  Some security advisory comes out and you don't even know you
have this tinker toy installed till someone has changed your root
password for you.

	I've preached for years that one of the worst security vulnerability in
many Linux distributions was the "install everything" button.  That
remains true to this day.  Ignorance WILL bite you.

> >  I always go through the default install package
> > selection and un-select things just because I don't want everything.
> > 
> > And come to think of it has it been mentioned to you that the 'install
> > everything' button never really did 'install everything'?

> I guess I always believed the part that said it installed more
> than all of the individual groups combined.

> -- 
>   Les Mikesell
>     lesmikesell gmail com

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw WittsEnd com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]