Moving w3m out of standard

Soren Hansen soren at ubuntu.com
Fri Jun 20 15:04:09 UTC 2008


[Michael told me in a different e-mail that he replied off-list by
accident, so I'm taking the thread back on the list]

On Fri, Jun 20, 2008 at 08:07:14AM -0500, Michael Hipp wrote:
>> We should probably add an install option to the server CD to only
>> install the base system, so that the die hard group of old school
>> admins can keep their Ubuntu systems as small as possible, though.
> I'm not sure if you're trying to spark a flame war or not. 

Err.. No, I'm not. I'm not sure a) what would make you say that, and b)
why you seem to be taking this so very personal.

> But there's nothing "die hard old school" about not wanting to install
> a bunch of crap that we don't need or want.

Again, I'm not sure why you're taking it so personal. (Henceforth
abbreviated INSWYTISP)

> That's part of what attracted many of us to ubuntu-server.

That's valuable input. Thanks.

> Since this thread has turned into
> let's-add-my-favorite-just-in-case-I-might-need it. 

INSWYTISP, but that's really not the case. I'm attempting to start a
discussion about what sort of stuff we should put on servers by default.
The operative word here is "should". Not "could".

The current approach is something like:

1. Will more than 95% of our users need it? If yes, install it by
   default. If no, go to next question.

2. Will more than 80% of our users need it? If yes, include on CD. If
   no, go to next question.

3. Will more than 10% need it and be completely and utterly screwed
   without it? If yes, include it on the CD. If no, go to next question.

4. Forget it.

What I'm suggesting is to add an extra step in between 1 and 2.
Something like "Is it something most of our users *should* be using?" or
"Does using it constitute what we consider best practice?". If so,
install it by default.

> Here's my list:
>
> openssh
> samba
> apache
> postfix
> dovecot
> openvpn

All of these listen on the network and would violate our
no-open-ports-by-default policy.

> openntpd

I agree that something that makes sure the time on your server is
accurate is needed, which is why I suggested ntp. I'm not familiar with
openntpd. What benefits does it provide over ntp (which is already in
main)?

> no-ip

Is a transitional package for noip2. I think something like noip2 might
make sense to have on the CD, actually, but I wouldn't suggest
installing it by default. It doesn't constitute best practice, and I
don't think it's of great use to the majority of users.

> screen

Agreed.

> vim (full)

vim-full depends on a stack of GUI stuff, but a more full featured vim
than vim-tiny (like e.g. the "vim" package) would be lovely to have by
default. 

> Just to name a few. And how could anyone possibly object to any of those? 
> Why, they're just basic stuff that I really, really need. Not like it'll 
> hurt anything. So what that ubuntu-server requires a stack of DVDs to 
> install. DVDs are cheap!

INSWYTISP. 

> And, excuse me, saying we can just apt-get remove it is surely the
> *dumbest* suggestion I've heard on an Internet list anytime recently.

A guy called Michael Hipp (you may have heard of him) once asked me:
"I'm not sure if you're trying to spark a flame war or not."  It just so
happens that I'm not, but you sure seem to be.

I find that it's sometimes convenient to stop for a second and think
about why you're doing the things you're doing. Simply refusing to
discuss things and reevaluate them is just silly. Any policy that can't
stand being reevaluated once every couple of years is not worth much,
IMO.

Let me offer a take on this.  Say there's a package called foo, which
60% of our users would want. If we install it by default, only 40% of
our users will have to change the default, while 60% will be happy with
it.  Disregarding all other circumstances, surely that sounds sensible?

Now, what if the package is a several hundred megabyte blob of stuff
that would be completely unusable for the 40% (perhaps it's a driver for
some hardware they don't have)?  See, that shifts reality a bit, because
the convenience of the 60% of users who need it doesn't justify the
amount of pain inflicted upon the 40% who have absolutely no use for it.

In Ubuntu I like to think that we take security rather seriously. That's
why I picked checksecurity and chkrootkit as examples of stuff to
install by default. They are tools that at intervals will scan your
system for various things that might represent a security problem.[1]

> (Enough juvenile sarcasm and hate mongering already)

I'm glad you can see it yourself. I'm less glad that you couldn't avoid
it, though.

> Do you see the problem?

I see plenty of problems... so I try to solve them. Where I come from,
this is usually considered a good thing.

> None of them (along with w3m) are in any way essential to get a basic
> server up and running. So why include them?

Because a server that does nothing but boot is useless for anything but
heating your house and increasing your electrical bill?

> Servers are *by definition* a DIY affair. 

"Oh, so maybe we shouldn't even install a coreutils? Or a kernel? Maybe
we should make an apt-get remove --ALL option?" (I'm taking a stab at
the take-whatever-people-say-and-blow-it-completely-out-of-proportions
things. How am I doing?)

Do you think there are things in the standard seed that don't belong
there? If you truly want to do everything yourself I guess you'd even
want the server install to not include the standard seed, but only
minimal? That would remove such completely useless things as psmisc,
man-db, iptables, ftp, at, cron, file, openssh-client, and wget.

> So don't start me out in a mansion when a rustic cabin is adequate for
> my needs.

To keep to the house analogies, I think that your suggestion is closer
to just providing the foundation of the house and leaving it up to anyone
who actually wants a place to live to build the house itself, install
doors, windows, heating facilities, bathrooms, kitchens, etc., because,
you know, a very significant percentage of the world's population
manages to survive without most of these things, so who are we to go and
decide that everyone should have heating facilities installed even though
they can just choose to not turn them on?

> If we want to start shipping various huge hand-holding metapackages to
> help all those gui-obsessed windows admins to cope, then great.

INSWYTISP, but could you please take a deep breath and read what I wrote
again. I'm suggesting nothing of the sort.

> But please don't put them on my server. They won't be much help when
> I'm trying to admin a system over a flaky satellite link with 1200ms
> ping times.

I'm sure you'll enjoy installing extra packages over that sort of
connection.

> And while I'm at it do I need to tutor you on the fact that *every*
> installed piece of software is a potential security hole and attack
> vector? 

I don't know. What do you think?

> And just means there will be that many more security updates to apply
> on an ongoing basis. The costs mount. The risks mount. The
> rationalizations crumble.

Whether stuff is installed by default or just included on the CD does
not matter when it comes to the work we have to put into putting out
security updates, FYI.

[1]: You might be shocked to know that checksecurity used to be part of
the cron package, so you actually used to have this installed by default
back in the old days (around 2003-2004, I believe).

-- 
Soren Hansen               | 
Virtualisation specialist  | Ubuntu Server Team
Canonical Ltd.             | http://www.ubuntu.com/