Minimal Install Option

Bill Anderson bill at noreboots.com
Thu Aug 21 16:22:27 UTC 2003


On Thu, 2003-08-21 at 07:38, Jef Spaleta wrote:
> Bill Anderson wrote:
> >Wouldn't it be great if the Minimal Install option meant what it said?
> >Who seriously believes NIS belongs on a firewall?? Minimal states it is
> >for such things as firewalls
> 
> File it as a bug! Or maybe you want to step up and be part of a
> worthwhile discussion as to re-working of the existing minimal install
> option. Since it seems it's really more a matter of how the packages
> are grouped and which groups a minimal install actually installs... it's
> more a policy issue than an expert coding issue. This seems like
> something we can have a nice lovely little community discussion

I thought that was what we are doing here.

> about...instead of just poking repeatedly at the anaconda maintainer to
> remove this one package here...or this one other package..or maybe add
> this one package to minimal. And it's certainly a better idea to fix the
> current minimal install offering than adding another minimal minimal
> layer beyond the "broken" minimal. 

I have not suggested anything of the sort you are saying here. I stated
a few packages I think are not part of a minimal install intended for
"small routers or firewalls" as it was listed in the options, and why.
Indeed, it is not my understanding that the maintainer of Anaconda even
chooses these package lists. IIRC this thread correctly, it was you who
went all sarcastic on things.

Here is a short, quick list of what I see needs to be removed from an
install "for creating small router/firewall boxes":
aspell
aspell-en
autofs
dhclient
finger
irda-utils
mt-st
mtools
krb5-workstation
nfs-utils
pam_smb
rsh # should not be a default or mandatory install at all
jwhois
wget
ypbind
unix2dos 
kudzu # do not generally find router/firewall boxes w/changing hardware
at #firewalls/routers not usually using at commands
parted #firewalls are pretty static partition-wise, remove
sudo # plagued w/security concerns and not useful on a router/firewall
talk # TALK!?!?!?! on a FIREWALL??!?


Why are those packages gone? Routers/Firewalls should not (and generally *do
not*) do wgets, participate in Nothing Is Secure(NIS), manipulate dos
files, finger other machines, run infrared equipment, act as a DHCP
*client*, automount remote NFS shares, do spell checking, authenticate
against SMB for users, perform whois lookups, etc..

The "dialup" group should also not be *required*, it should be optional.

The following packages should be removed or made optional instead of
default/mandatory:

dos2unix #Optional, non-selected-by-default
eject #Optional, non-selected-by-default
gpm #Optional, non-selected-by-default
kernel-pcmcia-cs #Optional, non-selected-by-default

apmd #Optional, non-selected-by-default
dump #Optional, non-selected-by-default
ftp #Optional, non-selected-by-default
mtr #Optional, non-selected-by-default
nss_ldap #Optional, non-selected-by-default
pam_krb5 #Optional, non-selected-by-default
pidentd #Optional, non-selected-by-default
reiserfs-utils # not all routers/firewalls will use this FS
rp-pppoe #Optional, non-default
jfsutils # not all routers/firewalls will use this FS
sendmail # router/firewall, not email server
slocate  #Optional, maybe default but unselectable
specspo # firewall/router not used to make RPMS!
tcsh  #Optional, non-selected-by-default
telnet  #Optional, non-default
traceroute #Optional, non-selected-by-default
up2date #Optional
wireless-tools #*most* will not need them: optional, non-default
lha #Optional, non-selected-by-default
bc # firewall/router, not calculator
lftp #Optional, non-selected-by-default
openssh-clients #Optional, non-selected-by-default

Why the last one, you may ask? IMO, it is bad security policy to have
your firewall able to log in to other machines. 

A minimal install should provide no external services beyond SSH,
especially when listed as a firewall/router install.

Well, how is that for "bootstrapping" this discussion?


-- 
Bill Anderson
RHCE #807302597505773
bill at noreboots.com






