On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote:
> Is there any effort to reduce the number of services running on a
> default debian install? For example: a typical workstation user doesn't
> really need to have inetd enabled, nor portmap (unless they are running
> fam or nfs -- which isn't enabled by default)

This happens in woody, yes. Sarge might be slightly different. Inetd will still be there, probably, until there is a way to provide a 'virtual' inetd server which could be provided by the current inetd, xinetd, and some other inetd replacements (see bug #185943)

> Is this something that needs to be taken up with individual package
> maintainers? Or is there a single point of contact that helps choose
> which packages are present in the base install?

The "base" installation is partially decided by the priority of the package ('required', 'important', 'standard', 'optional', 'extra'). The archive maintainers have the final word (that is the 'ftp.debian.org' virtual package in the BTS) for what is "base" but obviously, each package maintainer is responsible for what goes into the package.

For the current "base" contents see:
http://packages.debian.org/stable/base/
(it includes the required packages + some of the important ones)

More information is available in the Debian Policy
http://www.debian.org/doc/debian-policy/ch-archive.html#s-priorities
or the Debian Developer's Reference:
http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-override-file

There are constant changes reducing the base installation. It improved from potato to woody, and will do so too from woody to sarge. For example, notice that 'netbase' in testing no longer suggests the RPC portmapper ('portmap'). It will, however, still install the inetd server ('netkit-inetd') which provides a bare minimum installation (time and discard services are enabled IIRC).

However, if you see that there are things lacking feel free to submit bug reports either to ftp.debian.org or the appropriate packages. There is an open bug related to this you might want to check: #81118

Notice some of the comments in that bug which will probably answer your questions. It's rather old (so it's an ongoing discussion) and some things do not apply completely (telnetd is no longer priority 'standard', some other packages that provide network services such as portmap, nfs-common or pidentd are)

Ethan Benson says:
"(...) is priority standard, and with dselect (and tasksel in woody I think) all priority standard packages are installed by default. (well selected by default in your first dselect session, so if you do nothing more than run the select step in dselect and then install you get priority: standard)."

From aj (Release Manager):
""Standard" (and important) are basically defined as a "free, character mode Unix system". Probably, this implies having telnet and telnetd available, and being able to use NFS and so on."

> Is this already documented somewhere that I should have already read? :)

Well bug #81118 kind of "documents" this, but is probably difficult to find.

> If so, isn't it better to have to RTFM to turn something on as you need
> it, rather than to need to remember to turn something off that you
> aren't using?

The compromise in Debian has always been that a service that gets installed will be executed in a minimum configuration, if you don't want it, don't install it or remove it. See
http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s3.6

Regards

Javi

PS: Some of the talk I gave at Debconf3 might be relevant here, check out:
http://people.debian.org/~jfs/debconf/security/security-discussion.pdf
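
Added example (not part of the original message or of any Debian tool): a small audit that reads dpkg status-format stanzas and reports installed network-service packages whose priority would bring them in with a default install. The watchlist, the priority set and the sample data are assumptions built from the package names and priorities mentioned in the thread.

```python
import re

# Assumptions from the thread: default-install priorities and the network-service packages it names.
DEFAULT_PRIORITIES = {"required", "important", "standard"}
NETWORK_SERVICES = {"portmap", "netkit-inetd", "nfs-common", "pidentd", "telnetd"}

# Constructed sample in dpkg status format; the priorities are illustrative only.
SAMPLE_STATUS = """\
Package: portmap
Status: install ok installed
Priority: standard
Description: RPC port mapper
 Constructed continuation line.

Package: telnetd
Status: install ok installed
Priority: optional

Package: pidentd
Status: deinstall ok config-files
Priority: standard

Package: netkit-inetd
Status: install ok installed
Priority: important
"""

def parse_stanzas(text):
    """Yield one dict of fields per stanza of a dpkg status-format file."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[0].isspace():          # continuation of the previous field
                if key:
                    fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        if fields:
            yield fields

def default_network_services(text):
    """Installed watchlist packages whose priority implies a default install."""
    return sorted(
        (p["Package"], p["Priority"]) for p in parse_stanzas(text)
        if p.get("Status", "").endswith(" installed")   # skips removed, config-files only
        and p.get("Priority") in DEFAULT_PRIORITIES
        and p.get("Package") in NETWORK_SERVICES)
print(default_network_services(SAMPLE_STATUS))
```

On a Debian system the same function can be given the contents of /var/lib/dpkg/status instead of the constructed sample.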