Suggestion/Request: post-install debloating script for minimalist system directly from the standard iso

Stephen Kellat alpacaherder at live.com
Sun Dec 6 21:07:51 UTC 2020


I strongly urge that you consult the Xubuntu Strategy Document here: https://docs.xubuntu.org/contributors/xsd.html

This crosses many lines. Most of what you propose to do makes for fragile systems as well as ones that will break easily. Having looked at CVE-2020-8833 it frankly seems like you are fear-mongering about apport.

Bloat is often discerned differently.  While change is always possible this proposal may need scaling back a bit.

Stephen Michael Kellat

On Dec 6, 2020, at 12:10 PM, s0me0ne at disroot.org wrote:



Hi everyone,

first of all thank you for making and keeping Xubuntu what it is - namely great!



Now I know Xubuntu wants to give an easy and comfortable experience out of the box, but the downside of that is quite some bloat. While there are also lots of people simply looking for a reliable and also minimalist system, I'm aware we are still not that many, so it makes sense to keep the focus on the average user.


-Issues with Xubuntu Core-

And I'm aware of Xubuntu Core, and it's quite an improvement, but has some issues in my opinion:

-While it's mentioned in the latest release notes for example, the iso still appears to be not officially supported, which I think makes it unfortunately not suitable for productive use (please correct me on that if that's not true)

-Canonical apparently doesn't want to further provide the netboot-MinimalCD, so without that, it seems there isn't a reliable way to even get it installed from 20.10 on (and simply release-upgrading the 20.04-ubuntu-MinimalCD-install to 20.10 led to a broken system when I tried).

-And most importantly, even Xubuntu Core appears to be quite bloated:

When looking at the package list:
https://unit193.net/xubuntu/core/pending/xubuntu-20.10-core-amd64.iso.manifest

- it still contains for example Snapd(!), apport (bugreports should be strictly opt-in I think), Cups with all kinds of printer drivers (many not removable without triggering the removal of the whole system core), bluez, all kinds of rare Asian or Arabic fonts (I get that one, but still), modemmanager, xubuntu-wallpapers *-docs *-artwork (I get that too, but still not strictly necessary), ppp, ftp, gparted ... and many more.


-Why even bother?-

Now the actual footprint of some of the packages might be small individually (though not snapd and cups as far as I'm aware), but it's still at least a security flaw to have countless unused/unnecessary packages (that may also listen on ports), as for example merely the package 'apport' could be used in an exploit some time ago to compromise the whole system. So I think it's absolutely crucial to keep the package count as small as possible while keeping the core functionality.


-Debloating Script-

That's why I use a debloating script post install to turn a standard xubuntu install into something close to a xubuntu barebone, but I'm not a developer and there is most likely still a lot of potential.

So I will post at the end of this mail the list I use to reduce the package count while keeping the functionality, and would ask you if you have any suggestions for further improvement, to make it even more barebone.
The eventual improved list/script could be provided for example on the github page for advanced users. I think this is the least invasive way to provide an option for such a system in case you don't want to touch Xubuntu Core as it is now, and don't have time or interest for a modular installer.


-Use case-

The system use case is a standard laptop used for browsing and a somewhat advanced user at osi-layer 8 who will then take the barebone and simply install what he needs and wants manually (and without recommended packages), while not having any fringe use cases (e.g. package modemmanager, mobile-broadband-provider-info) and no need for printers, scanners, bluetooth or pretty much anything apart from the barebone system that won't also be installed automatically when setting up the preferred software. System settings are mostly applied via copying the backup-.config folder.


-Harder to remove-

What I have avoided removing so far are a lot of packages that will trigger the whole removal of some system core - like the removal of the printer drivers does for example:

apt purge --autoremove "printer-driver*"

- triggers the removal of ca. 70 packages (on a standard-Xubuntu-iso install), many crucial.

While I know this can be overcome and am sure these are absolutely useless after removing cups, I still might not be aware of packages expecting them to exist. So this is something I cannot reliably solve because I don't have the in-depth knowledge of the package management, and while I can look at dependencies, it only tells me so much.


-The debloating list so far-

So here is what I remove post install from a standard Xubuntu ISO. After the terminal commands I give it as an alphabetical list as well, for increased readability. I used mostly synaptic to look at the description and dependencies.
If I can present that in a more readable way for you please let me know.


#removing also software I want to use, to reinstall it without recommended packages

sudo apt-get purge --autoremove whoopsie apport popularity-contest cups snapd mate-calc gimp firefox ristretto engrampa thunderbird atril xfburn pidgin simple-scan gnome-mines gnome-sudoku sgt-puzzles libreoffice-core libreoffice-base-core unattended-upgrades "bluez*" "fonts-kacst*" fonts-lao fonts-takao-pgothic "fonts-tlwg*" fonts-nanum fonts-khmeros-core "fonts-smc-*" fonts-kacst fonts-kacst-one fonts-khmeros-core fonts-lklug-sinhala fonts-guru fonts-nanum fonts-noto-cjk fonts-takao-pgothic fonts-tibetan-machine fonts-guru-extra fonts-lao fonts-sil-padauk fonts-sil-abyssinica "fonts-tlwg-*" "fonts-lohit-*" fonts-beng fonts-beng-extra fonts-gargi fonts-gubbi fonts-gujr fonts-gujr-extra fonts-kalapi fonts-lohit-gujr "fonts-samyak-*" fonts-navilu fonts-nakula fonts-orya-extra fonts-pagul fonts-sahadeva fonts-sarai fonts-smc fonts-telu-extra fonts-wqy-microhei synaptic

#(re-)installation of software without recommended packages:
sudo apt-get install --no-install-recommends apparmor bleachbit firefox gimp ristretto catfish evince galculator parole engrampa libreoffice-writer libreoffice-gtk3 mousepad -y

#purging part 2, also because even the non-recommendation-installs have some unnecessary stuff like gimp-help-common gimp-help-en libreoffice-help-en-us liblibreoffice-java
#what would be necessary to keep/install for secure boot: secureboot-db shim mokutil

sudo apt-get purge --autoremove cups cups-common cups-browsed cups-core-drivers cups-daemon cups-server-common cups-browsed cups-bsd cups-client cups-common cups-core-drivers cups-daemon cups-filters cups-filters-core-drivers cups-ipp-utils cups-pk-helper cups-ppdc cups-server-common mobile-broadband-provider-info secureboot-db shim mokutil yelp xfce4-screensaver wamerican wbritish firefox-locale-en gnome-software java-common xfce4-dict xfce4-notes transmission-gtk xcursor-themes xfce4-cpugraph-plugin xfce4-dict xfce4-mailwatch-plugin xfce4-netload-plugin xfce4-notes xfce4-notes-plugin xfce4-places-plugin xfce4-systemload-plugin xfce4-verve-plugin xfce4-weather-plugin xfce4-xkb-plugin xfpanel-switch mugshot fonts-droid-fallback gucharmap fonts-symbola gnome-font-viewer gigolo rsync gnome-accessibility-themes at-spi2-core colord onboard usbmuxd thunar-media-tags-plugin speech-dispatcher pastebinit gimp-help-common gimp-help-en gnome-menus gnome-system-tools bolt system-config-printer gnome-themes-extra gnome-themes-extra-data ftp mlocate brltty xfce4-indicator-plugin software-properties-gtk xfce4-indicator-plugin software-properties-gtk gvfs-backends pptp-linux gdb aspell aspell-en avahi-daemon bash-completion xserver-xorg-video-qxl printer-driver-c2esp printer-driver-foo2zjs printer-driver-min12xxw printer-driver-pxljr printer-driver-sag-gdi printer-driver-ptouch printer-driver-foo2zjs-common printer-driver-brlaser ppp manpages info xserver-xorg-input-synaptics pavucontrol gstreamer1.0-plugins-bad sane-utils gnome-disk-utility xfce4-taskmanager pidgin-otr espeak appstream apt-config-icons gstreamer1.0-tools liblcms2-utils libreoffice-style-elementary usb-modeswitch "xubuntu-community-wallpapers-*" xubuntu-docs os-prober build-essential g++ g++-10 libreoffice-help-en-us liblibreoffice-java pocketsphinx-en-us foomatic-filters xfce4-panel-profiles modemmanager lightdm-gtk-greeter-settings efibootmgr install-info


The former purged packages in lines and alphabetical order:
(stripped of the packages simply purged to directly reinstall without recommendations)


apport
appstream
apt-config-icons
aspell
aspell-en
at-spi2-core
avahi-daemon
bash-completion
bluez*
bolt
brltty
build-essential
colord
cups
cups-browsed
cups-bsd
cups-client
cups-common
cups-core-drivers
cups-daemon
cups-filters
cups-filters-core-drivers
cups-ipp-utils
cups-pk-helper
cups-ppdc
cups-server-common
efibootmgr
espeak
firefox-locale-en
fonts-beng
fonts-beng-extra
fonts-droid-fallback
fonts-gargi
fonts-gubbi
fonts-gujr
fonts-gujr-extra
fonts-guru
fonts-guru-extra
fonts-kacst
fonts-kacst*
fonts-kacst-one
fonts-kalapi
fonts-khmeros-core
fonts-lao
fonts-lklug-sinhala
fonts-lohit-*
fonts-lohit-gujr
fonts-nakula
fonts-nanum
fonts-navilu
fonts-noto-cjk
fonts-orya-extra
fonts-pagul
fonts-sahadeva
fonts-samyak-*
fonts-sarai
fonts-sil-abyssinica
fonts-sil-padauk
fonts-smc
fonts-smc-*
fonts-symbola
fonts-takao-pgothic
fonts-telu-extra
fonts-tibetan-machine
fonts-tlwg*
fonts-tlwg-*
fonts-wqy-microhei
foomatic-filters
ftp
g++
g++-10
gdb
gigolo
gimp-help-common
gimp-help-en
gnome-accessibility-themes
gnome-disk-utility
gnome-font-viewer
gnome-menus
gnome-mines
gnome-software
gnome-sudoku
gnome-system-tools
gnome-themes-extra
gnome-themes-extra-data
gstreamer1.0-plugins-bad
gstreamer1.0-tools
gucharmap
gvfs-backends
info
install-info
java-common
liblcms2-utils
liblibreoffice-java
libreoffice-help-en-us
libreoffice-style-elementary
lightdm-gtk-greeter-settings
manpages
mate-calc
mlocate
mobile-broadband-provider-info
modemmanager
mokutil
mugshot
onboard
os-prober
pastebinit
pavucontrol
pidgin
pidgin-otr
pocketsphinx-en-us
popularity-contest
ppp
pptp-linux
printer-driver-brlaser
printer-driver-c2esp
printer-driver-foo2zjs
printer-driver-foo2zjs-common
printer-driver-min12xxw
printer-driver-ptouch
printer-driver-pxljr
printer-driver-sag-gdi
rsync
sane-utils
secureboot-db
sgt-puzzles
shim
simple-scan
snapd
software-properties-gtk
speech-dispatcher
synaptic
system-config-printer
thunar-media-tags-plugin
thunderbird
transmission-gtk
unattended-upgrades
usb-modeswitch
usbmuxd
wamerican
wbritish
whoopsie
xcursor-themes
xfburn
xfce4-cpugraph-plugin
xfce4-dict
xfce4-indicator-plugin
xfce4-mailwatch-plugin
xfce4-netload-plugin
xfce4-notes
xfce4-notes-plugin
xfce4-panel-profiles
xfce4-places-plugin
xfce4-screensaver
xfce4-systemload-plugin
xfce4-taskmanager
xfce4-verve-plugin
xfce4-weather-plugin
xfce4-xkb-plugin
xfpanel-switch
xserver-xorg-input-synaptics
xserver-xorg-video-qxl
xubuntu-community-wallpapers-*
xubuntu-docs
yelp



-What else can be removed?-

Now going from a standard Xubuntu iso, what packages could further be removed?
(Or the other case, are there some of these that absolutely shouldn't be removed at all - from a security perspective?
Though I'm pretty sure these are safe to remove.)



I think the Xubuntu github page would be a great place for such a post-install debloating script or list, for users who want their system as minimal as possible and go from there, without having to rely on any particular (unofficial?) iso, but being able to simply use the standard one.

Of course there should ideally be a note or wiki-entry with a few explanations for users who still want to use it, but also want to print for example, and I would help with that.


Greetings

Michael
--
xubuntu-devel mailing list
xubuntu-devel at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/xubuntu-devel
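
Added example, not part of the original mail or of any Xubuntu tooling: the "Harder to remove" section describes a purge of the printer drivers cascading into about 70 packages. The shell function below reads the output of an apt-get simulation (-s) and lists every package that would be removed without matching a requested name or pattern. The function names, the sample output and its versions are constructed for illustration.

```shell
#!/bin/sh
# Added example: list packages a purge would remove beyond those asked for.
# Reads `apt-get -s` (simulate) output on stdin; the arguments are the
# package names or glob patterns that were requested for removal.

collateral_removals() {
    # Simulation lines of interest look like "Purg cups-filters [1.28.5]"
    # or "Remv cups-filters [1.28.5]"; field 2 is the package name.
    awk '$1 == "Remv" || $1 == "Purg" { print $2 }' | sort -u |
    while IFS= read -r pkg; do
        wanted=no
        for pat in "$@"; do
            # An unquoted $pat in a case pattern is matched as a glob,
            # without filename expansion against the current directory.
            case $pkg in
                $pat) wanted=yes; break ;;
            esac
        done
        [ "$wanted" = yes ] || printf '%s\n' "$pkg"
    done
}

# Constructed sample of simulation output (not captured from a real system;
# the package selection and versions are illustrative only).
sample_simulation() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  cups-filters* printer-driver-brlaser* printer-driver-ptouch* xubuntu-desktop*
Purg xubuntu-desktop [2.233]
Purg printer-driver-brlaser [6-1build1]
Purg printer-driver-ptouch [1.5.1-2]
Purg cups-filters [1.28.5-0ubuntu1]
EOF
}

# On a real system (simulation only, nothing is changed):
#   apt-get -s purge --autoremove 'printer-driver*' \
#       | collateral_removals 'printer-driver*'
```

Any name the function prints is a package that was not asked for; an empty result means the removal stays within the requested set.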