On Tue, 30 Nov 2004 18:44:49 +0000 (UTC), A.Sloman@cs.bham.ac.uk
wrote:
>Hi Jonathan
>
>> On Tue, 30 Nov 2004 12:50:39 +0000 (UTC), Aaron Sloman
>> <A.Sloman@cs.bham.ac.uk> wrote:
>> ......
>> >
>> >It seems that linux vendors are now trying to package linux to be as
>> >much like windows as possible and most windows users do not compile
>> >or link anything???
>>
>> It's in part, I think, a security thing. If you are running a
>> secure server, then naturally you spend every waking minute
>> thinking about securty vulnerabilities and installing patches
>> the very second they are released.
>
>In the case of SuSe it seems the developers think that they can provide
>pre-compiled versions of everything their users will want (via
>their stupidly named tool 'YAST' -- how many novice users will
>recognize that that's what they need to help configure their system?
None. Novice users don't use SuSe. Novice users use Mandrake.
And I'm only half joking: SuSe is not intended for novices, Mandrake
is. (Unless it's changed recently.)
>On my laptop I had to upgrade the kernel in order to get SWSUSP
>(software suspend) to work properly, which is almost indispensable for
>me.
Novice users do not upgrade the kernel.
>So, in my experience, the majority of uses of gcc are for installing
>useful packages not for updates and fixes.
This may be true. One hopes that such users have someone knowledgeable
to install updates for them. (IME, Linux market penetration is still
such that this is usually the case.)
>> If a hacker *does* get in, through, say, a
>> buffer overflow exploit in one of your "visible" services (and a
>> firewall is not going to save you) then they can do far less
>> damage, or it is harder, if they are unable to compile source
>> code.
>
>Fortunately my firewall has proved very resistant for three years.
>(One of the services now needs to be upgraded.)
I'm not sure if you missed the point, or if you were just making
a comment about firewalls. The point I was making was that if you
have opened ports for a public ftp server (or, say, sshd) then a
firewall is not going to make any difference *if* there is a
vulnerability in the ftp server. I'd have to look back over
comp.os.linux.security to find examples. There were quite a lot
of problems with BIND (IIRC) a while back, which I don't think
affected me, but there are occasionally warnings about upgrading
to the latest version of various other bits of software.
If you run a vulnerable server which is only visible on an internal
network, you *are* protected by your firewall. But there are quite
a lot of sites on the internet which run things like public
web servers. (My web logs show I'm still being probed by infected
Microsoft web servers, but you can't simply assume that Apache
is safe now and forever.)
>> It's a general principle for security: don't run or install anything
>> which isn't needed
>
>Well, I could sit all day looking at pretty pictures on the screen, I
>suppose...
If you *need* gcc, then of course go ahead and install it. If you
are very concerned about security, you wouldn't necessarily install
it on the same machine you use as a secure web server. If you don't
use your own machine as a public server, but as a development machine,
you can get away with installing what you like. But not all computer
users are developers: some of them are users.
Some *very* strict security fanatics will tell you that you shouldn't
even run two different services on the same machine: one machine for
SMTP, one for HTTP, one for ... that's going to be overkill for most
small organisations (or individuals).
>> - it's another security risk. Most people
>> running servers/doing wordprocessing etc. don't need to compile
>> code.
>
>Even if that is true of 'most' people, I find it strange that SuSe do
>not give you an option during custom installation to select 'developer
>tools' or some such thing.
Don't they? I find that truly very strange. So much so, that I'm
tempted to ask, "Are you *sure*?"
>> On the OpenPoplog "todo" list is a task to make standard binary
>> packages for the common distros, so that recompilation is not
>> necessary.
>
>Who will decide which the common distros are? Someone who wants
Well, if I did it, I would.[1] If Jeff does it, he will. If Nico did
it, I expect he would. How else could it be decided?
>something as unusual as poplog may also be the sort of person who
>wants an unusual version of the operating system for some reason.
True. Perhaps, after they've installed gcc etc., we could ask them
to make a binary for their favoured distro.
>While I applaud the intention to provide packaged versions that work,
>I suspect that will never cover all the requirements.
<sarcasm>
Alas, you are right. Perhaps we should all give up and go home: if
it only benefits 90% of potential users, it's not worth doing.
</sarcasm>
If I did it, it would be precisely *because* I would want to be
appealing to the someone who does not want "something as unusual
as poplog" but wants it for more mundane reasons.
It's a chicken'n'egg thing. If you only support unusual users,
don't be surprised if you only *get* unusual users.
>I switched from providing a packaged version of Poplog to relinking on
>installation, partly because that coped better with changes in operating
>systems, and partly because it made the Poplog tar file smaller.
>
>But that is defeated by linux installations that don't include gcc!
It would be nice to have a simple, cross-platform method of installing
executables that didn't need a horrendous amount of effort to support.
Unfortunately I don't know enough to comment on how near to that the
current situation has got. I believe some of the Linux standardisation
and common kernel kinds of things may be alleviating the situation
somewhat, but I haven't been keeping up to date.
Jonathan
[1] For me, personally, the order in which I'd support distros *at
the moment, and subject to change* would be: Mandrake, Red Hat,
Debian, SuSe. But if someone hadn't nicked the DVD out of the last
copy of a Linux magazine in the shop last time I bought one, the
order could have been different (I think it was a SuSe they nicked,
but can't remember.)
--
Use jlc1 at address, not spam.
|