
Re: Trimming priority:standard



Hi,

from personal experience, I agree that the packages with priority
standard need to be reconsidered. I don't really care about bc, dc, w3m
and similar tools - I never use them, but then, they only need a few KiB
so I wouldn't mind if they were installed nonetheless. However, there are
4 packages which, I think, are actively problematic: at, exim, nfs, and
locate.

> - at.  Trivially installed by anyone actually using it, but we don't
>   need one more daemon running on everyone's system just to watch for
>   jobs via a service that almost nobody uses.

Exactly. There's no point in this daemon running all the time on
machines where it will never be used. It's not significant, but it's
just a complete waste.

> - exim4.
> - nfs-common and rpc-bind.

Just like at, these packages just install processes that will needlessly
sit around and do nothing at all on most machines. Those admins that
actually want mail and/or NFS can easily get them anyway (and they may
choose another MTA); most people won't even know they have them running.
Unlike at, these two additionally open ports, thereby increasing the
attack surface of newly installed systems. I don't think it is a good
idea to have open ports (and no firewall) on a newly installed system.
However, I don't know enough about their respective default
configuration to judge how large the risk of an attack is.
Besides, the considerations regarding at apply here as well.

> - mlocate.  We don't need a "locate" in standard; anyone who actually
>   uses locate (and wants the very significant overhead of running a
>   locate daemon) can easily install this.

Finally, I think this one is actively harmful. I've had to tell a bunch
of my friends to remove this package after they asked me why their
Debian system, from time to time, triggered huge bursts of disk
activity. That's the opposite of the "feeling of control" many like
about Linux, and Debian in particular: The system is doing "something"
it was not asked for, for no good purpose (as far as the user is
concerned), and without an obvious way to figure out what's going on and
how to stop it. I sure hope there is at least something in place to stop
this from running when the machine is on battery...

I removed these four packages from a bunch of systems where they were
installed accidentally, and either served no purpose or were actually
annoying the user (i.e., locate). They are also the reason why I tell
everybody *not* to select "Standard system utilities" during the Debian
installation: It's better to start without some basic utilities and
install them as needed, than to have a bunch of stuff doing things on
the system that you don't know about...

So, please, restrict "Standard system utilities" to packages that don't
open ports or regularly create significant system load without obvious
gain for the average user. If possible, avoid everything that runs a
daemon which does nothing if the user doesn't know about it (unlike
daemons like, for example, ntp - which I'd be happy to see in
"standard"). From my experience, nothing like this is what people expect
when selecting "Standard system utilities".

Kind regards
Ralf

