Hi,

from personal experience, I agree that the packages with priority standard need to be reconsidered. I don't really care about bc, dc, w3m and similar tools - I never use them, but then, they only need a few KiB so I wouldn't mind if they were installed nonetheless. However, there are 4 packages which, I think, are actively problematic: at, exim, nfs, and locate.
> - at. Trivially installed by anyone actually using it, but we don't
> need one more daemon running on everyone's system just to watch for
> jobs via a service that almost nobody uses.

Exactly. There's no point in this daemon running all the time on machines where it will never be used. It's not significant, but it's just a complete waste.

> - exim4.
> - nfs-common and rpc-bind.

Just like at, these packages just install processes that will needlessly sit around and do nothing at all on most machines. Those admins that actually want mail and/or NFS can easily get them anyway (and they may choose another MTA); most people won't even know they have them running. Unlike at, these two additionally open ports, thereby increasing the attack surface of newly installed systems. I don't think it is a good idea to have open ports (and no firewall) on a newly installed system. However, I don't know enough about their respective default configuration to judge how large the risk of an attack is. Besides, the considerations regarding at apply here as well.

> - mlocate. We don't need a "locate" in standard; anyone who actually
> uses locate (and wants the very significant overhead of running a
> locate daemon) can easily install this.

Finally, I think this one is actively harmful. I've had to tell a bunch of my friends to remove this package after they asked me why their Debian system, from time to time, triggered huge bursts of disk activity. That's the opposite of the "feeling of control" many like about Linux, and Debian in particular: The system is doing "something" it was not asked for, for no good purpose (as far as the user is concerned), and without an obvious way to figure out what's going on and how to stop it. I sure hope there is at least something in place to stop this from running when the machine is on battery...
I removed these four packages from a bunch of systems where they were installed accidentally, and either served no purpose or were actually annoying the user (i.e., locate). They are also the reason why I tell everybody *not* to select "Standard system utilities" during the Debian installation: It's better to start without some basic utilities and install them as needed, than to have a bunch of stuff doing things on the system that you don't know about...

So, please, restrict "Standard system utilities" to packages that don't open ports or regularly create significant system load without obvious gain for the average user. If possible, avoid everything that runs a daemon which does nothing if the user doesn't know about it (unlike daemons like, for example, ntp - which I'd be happy to see in "standard"). From my experience, nothing like this is what people expect when selecting "Standard system utilities".

Kind regards
Ralf