From release notes for FC5T3 (web)

Wed Mar 8 01:01:08 UTC 2006

On Mon, 2006-03-06 at 18:24 -0600, Les Mikesell wrote:
> On Mon, 2006-03-06 at 17:59, Michael H. Warfield wrote:
> 
> > 	In the security business, we have and expression for people like you.
> > Those people who use the "install everything" button just because they
> > "might" want something in the future (and then forget they installed it,
> > if they even realize they installed it to begin with).
> > 
> > 	We dub thee "owned".
> 
> As I said back a few messages, this is not what you want on
> a production server.  However, if you don't try the new stuff
> somewhere, how are you ever going to know if it will improve
> your production or not?
> 
And now you come back to WHY the everything install should NOT be there.
It would only be of use in a very few select cases, and having it there
would result in the case Michael just mentioned.

Accept the fact that if you want a unique system for test/development
you should manually create the unique system.  The mainstream has no
need for the bloat or security issues caused.  Insisting on a tool to do
that for you at the expense of many others is not productive to the
community in any way.

> > 	The funny thing is that (and I've seen this in this thread) most of the
> > time people will use the argument that the newbie user is the one who
> > needs the "install everything" option, because they don't know what they
> > want, so they'll be sure to get it.  They are EXACTLY the LAST people
> > who need or should use that damn thing.  They are the MOST likely to get
> > burned by it (and I've spent too much time helping newbies fix broken
> > systems what would not have been broken into if they had only installed
> > what they needed).
> 
> The people who need it are the ones deciding what needs to
> run in production next month.  A lot of people are doing a lot
> of work writing this stuff. Do you want only your competitors
> to be using it?
> 
> >  Fine, now we are much more careful that
> > "installed" services are not "enabled" services until you take some
> > action.  And the firewall defaults definitely help.  But what about
> > Apache add ons (like PHP et al).
> 
> What about them?  Name *one* service that hasn't had security
> issues.  They get found and fixed only after people start
> using them.  Speeding up that process helps us all.
> 
> > 	I've preached for years that one of the worst security vulnerability in
> > many Linux distributions was the "install everything" button.  That
> > remains true to this day.  Ignorance WILL bite you.
> 
> If a distribution contains security flaws they need to be fixed,
> not ignored.

Having 200 packages (hypothetical) installed with known weaknesses that
are only exploitable locally is a measured and known risk.  Installing
one additional package that has an unknown weakness that allows a remote
individual to gain access and have free reign on your system breaks all
other known and measured risks.  

Have you heard of phpbb?

One common rule of security is to install only what is needed. It
reduces the potential exploit paths.

You are free to open your system up in any way you choose, but *most* of
us are better trained than to just install everything 'because we can'.