[EMAIL PROTECTED] (Martin Maney) writes:

> On Mon, Jun 18, 2001 at 08:34:11PM +0100, Tim Haynes wrote:
>
> > Well, it depends. You can never tidy up a rooted box; the same
> > mentality sort of applies all the way down - if you're setting up a
> > box, why worry about installing this and uninstalling that, when your
> > original installation shouldn't have had anything enabled in the first
> > place? (And yes, you can push that back into the distro, too.)
>
> Sure, you can have a distro that doesn't install any services. Heck,
> consider local exploits and you may decide that "login considered
> harmful" isn't too great a stretch... :-)

Well, smiley noted, but the list of users who have what kind of access to the box has to be considered.

> I have to take issue with your attempt to draw a parallel to a rooted
> box. It *is* possible to clean up the newly installed box because you can
> reasonably assume that it hasn't been maliciously set up to resist the
> cleanup.

Well, if you can assume that, sure. But the parallel really comes in saying you half-way don't know what to look for, or might miss something. That's why I'm in favour of pushing some things into the distro installation-default area.

> > Surely software you install on production machines has its requirements
> > either satisfied by the wonder that is apt-get, or documented properly?
> > You can, and should, start from blank and add things as you need.
>
> Could I agree with the minimalist sentiment while yet observing that
> apt-get, wonderful as it is, cannot satisfy requirements that come not
> from packages installed on this machine, but from other machines -
> possibly ones that aren't even using Debian?

Sure; that's where `or documented properly' comes in.

> At the same time, I would like to agree with the sentiment that has been
> expressed a few times. "If you don't know what it's for, shut it off." I
> think the unstated part that some may have overlooked is that if you need
> something but don't know it, then you owe it to yourself (and your
> employers, if that's the sort of situation it is) to find out what's
> there.

It's been mentioned very en-passant, as has `but I don't have the time to investigate everything', which makes my caffeine^Wblood boil.

> This is how sysadmins lose their hair!

Tell me about it.

My take on the whole thing is that you're building a test box internally first *anyway*, if you don't know exactly how to set up a live machine; then you investigate, kill off everything your reading of the manuals allows you to, on the simple grounds that you don't want it to turn around & bite you later on, and you're on a test box so any breaks won't matter and you'll learn in the process. Leaving stuff open because `there aren't any known holes at the moment' doesn't really wash here :( .

~Tim
-- 
But mountains are holy places,          |[EMAIL PROTECTED]
And beauty is free / We can still walk  |http://spodzone.org.uk/
Through the garden                      |
Our earth was once green                |