Slashdot Mirror


Linux Lite?

smock writes "An interesting (and, IMO, excellent) suggestion is over at Linux Journal." Essentially, an argument for better opening security, given the lack of experience of many new Linux users.

46 of 170 comments

  1. Re: Package **Nightmares** by AME · · Score: 2
    There was an absolutely humongous list of packages with undecipherable names that all had intricate dependencies on each other. . . . Since no clue was really given as to WHAT these things were, I was forced (after several attempts at a minimalistic install) to install a humongous amount of crap @350 MB.

    I discovered (although only recently) that hitting F1 from the dialog where you "choose individual packages" produces at least a semi-helpful description of the particular package. (Actually the contents of the description contained in the RPM package.)

    Anyway, I believe RedHat's install is getting better. I fiddled with Lorax (the RH6.1 beta) a little this weekend and I think that the new graphical install will be quite nice when they get it working correctly. Also, the new install options are:

    1. Install Gnome Workstation
    2. Install KDE Workstation
    3. Install Server
    4. Install Custom
    So, more specialized install options is the trend. This is good. Also, install help is printed directly on the same screen as the options. Also good, pending useful help comments.

    I still believe Linux isn't there yet as far as the novice is concerned; perhaps not even close yet, but it's getting better fast.

    --
    "I have a good idea why it's hard to verify programs. They're usually wrong." --Manuel Blum, FOCS 94
  2. Good idea. by Logger · · Score: 2

    There is definitely room for another flavor of Linux along these lines. Hiding root almost completely is a good idea. Certainly a root password will be set up at install, but a large set of root capabilities could be handled by a small set of setuid root programs that ask for the root password to perform admin tasks. Packages could be installed by something like a setuid root install shield, which would ask for root's password to install the package system wide, otherwise the package would be installed in the user account if possible. Even better, the install shield should have a configuration screen which lets you pick which users have the privilege to add and remove system wide applications. This would then be implemented via groups, file permissions, and setuid root, behind the scenes. Using this, root could really be reserved for only the most necessary occasions, and attempting to log in as root could come with all sorts of warnings.

    Of course if you don't want all this hand holding, don't use it. This is Linux after all; pick the flavor that fits you!

  3. The installation program I'd like to see by Fastolfe · · Score: 4

    I really can't imagine this being terribly complicated, but I would personally love to see a nice, graphical (or at least curses-based) installation program that behaved basically like this:

    1. Select a basic "personality" for this system:
    a. Server
    b. Workstation
    2. Select a starting configuration for this system:
    a. Minimal (most secure)
    b. Standard
    c. Custom (for experienced users or administrators only)

    You would then proceed to an application selection area, where you would pick some major configuration options (X Windows, Web Server, Mail Server, Games, etc.) and, if you picked Custom, an exhaustive sub-list of packages selectable with checkbox efficiency. Defaults would be pre-selected based on what "personality" you chose for the system.

    Basic daemon configuration would be taken care of at this time as well. If you chose to install the telnet daemon, you would be presented with a warning and an option to automatically refuse connections (firewall? TCP wrappers?) from Internet hosts. Repeat this procedure for things like sendmail, httpd, whatever.

    Daemon vendors tend to like their packages shipped individually with everything "turned on", because in most cases, when the package is being installed, it's being installed by someone who's about to configure and *use* it. This is bad in the cases where someone is installing a new system, because they probably *won't* be jumping straight to the "configure and use" part. They'll install all of the packages and get to them "later." So, if we force them to make configuration decisions at *install* time, and build (or use pre-built) configuration files then, instead of the stock configuration files, the system ends up being much more secure with the user much more aware of what's been installed and how it's been set up.

    Along a similar line of thought, and perhaps this already exists, an extension of this installation program could be a graphical "autorpm" of sorts. A program that retrieves from the 'Net a list of updated packages (such as RedHat's updates), and either automatically makes the updates or at least notifies the user that updates are available (a la Windows Update). If the package uses a new configuration file format, a packaged utility should be included and run to convert the old configuration to the new, otherwise the user should be presented with a configuration dialog again to be sure the new package is ideally configured for the system. I've been the victim of several instances where an RPM "upgrade" *overwrote* the existing configuration file (though it did save a backup). In cases where the "default" configuration only differs from the user-specified configuration in that the default configuration is much less secure, the change might not be noticed immediately (or ever).

    I'd also like to see warnings where an installed/upgraded RPM is being installed on a machine that previously contained a self-installed copy of the same package. An example could be some HTTP daemon. A quick search for various httpd binaries could let the RPM's installation program know about previously installed copies of the package that weren't done via RPM's and warn the user (perhaps with the option of duplicating the old package's configuration files in the new setup).

    Anyways, these are just a few of my ideas, and it seems like we're starting to move in these directions, but the setup programs I'm seeing are just baby steps. Instead of just dropping everything and writing a totally user-friendly setup *system*, we're spending time writing stuff "in between," and I just don't think that's a very efficient way to do it.

  4. Remove duplicate commands/apps by javatips · · Score: 2

    The author has a good point.

    All distributions should be secure at install; it should be up to the user to enable some ports, etc. If the user has enough knowledge to enable the ports he wants, he should have enough knowledge to make his system secure.

    There is a liability issue with this: if a system is not secure out of the box, one could sue the distributor if another one breaks into the system. Unless the license agreement states that the distributor shall not be responsible for this.

    One thing that all the distros should do is to clean up the apps and command duplicates.

    Why, when I install Linux, do I have 3 or 4 word processors, 3 or 4 text editors, several web browsers, 2 or 3 administration utilities that have the same functions, etc.?

    A default Linux installation with most distros take at 500megs to 1gig. This is a lot more bloat than Windows9x/NT.

    Why, also, can an installation wizard like Lizard only be invoked at installation, so that I have to use other utilities when I add new hardware? There should be a way to invoke the installation wizard to update the configuration.

  5. Re:not necessarily a good idea by Fastolfe · · Score: 5

    Would reading a few paragraphs kill anyone?

    While reading the manuals is something we would *hope* everyone would do, time and experience have shown us that it just Won't Happen. We can't just say, "Well, dammit, you should have read the manual," over and over again. We have to build something that will work securely for those that *don't* read the manuals, because there will always be a significant percentage of users that simply won't.

    No amount of screaming, shouting, pasting of banners and throttling will get everyone to "clue up" and read about what they're installing, so we have to adapt the distributions so that they will still function for these types of people.

  6. Yes! by Enoch+Root · · Score: 2
    Yes! That's an excellent suggestion. While I still think it would be possible to make a default installation of Linux that would set up a solid security for the most common configurations, it would be a good idea to create a specific distro of Linux that would be aimed at end users wanting an alternate OS.

    I mean, us hackers could still fall back to Debian, Slackware or whatever, while end users could set up a stripped down version of Linux which would run word processor and other stuff while logging them automatically in single-user mode. I mean, for most people that's all they need.

    Linux still sees itself as a network OS, and until some extra effort is spent in making it darn easy to install and run on a single machine not connected to any LAN, it won't catch on completely. I mean, not everyone has a friendly Linux guru to set them up and give them the tour ('Well, you have to use 'ls'. Well, it's possible to use 'dir', but you need to alias it. Let me show you...' etc.)

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

    1. Re:Yes! by MindStalker · · Score: 2

      Huh? Every person I know of who doesn't know what ls does also doesn't know what dir does either. There are very few DOS users anymore (this is a sad sad thing) and of them most at least know enough Unix to know ls and even a few process control functions.

    2. Re:Yes! by Jonny+Royale · · Score: 2

      I agree that the article is exemplary in its suggestion, but I don't think having a "stripped down" anything would be a good way to go... better still, have a distribution that would be set up by default with minimal requirements for users, but leave everything else available, but inactive, until users can figure out what it is, and how to use it properly. This might encourage some to do some more work, and build a better user.

    3. Re:Yes! by MindStalker · · Score: 2

      Well yes, but more point was that the people who know what dir is over the past year or so of Linux advocacy have learned at least that much... and usually have seen a shell prompt at some time.

  7. Re: Red Hat Lite by MindStalker · · Score: 2

    It would be much simpler to give a special name to the lite version, and give a simple name like server to the server version. Any special name for the server version would be picked up by consumers as being "cool" and they would buy it on that name alone. We are trying for the opposite effect, naming the lower version to make it sound better.

  8. No Root? by wilhelm · · Score: 2

    OK, so if the user doesn't even know there's a root account (even though there will have to be), that means that they don't know what the root password is. Which means they didn't set it. Which means all the root passwords will be the same. Which means it's even a bigger security hole than it would be otherwise. Or am I just way off here?

    1. Re:No Root? by Jburkholder · · Score: 2

      Yeah, I scratched my head wondering the same thing. How about this? When you insert a blank floppy to create a boot disk, it assigns a random string as the root password and saves it on the boot floppy. Then, when the new user finally gets around to doing something that needs root, like installing an RPM or something, the manual tells them to insert the boot floppy and then something semi-automated comes up to prompt them to enter a root password?

  9. Wonderful Idea by mwillis · · Score: 2

    I have been thinking along these lines for some time. If World Domination (tm) is truly a goal, we have to recognize that a lot of users will never, ever, have the inclination or imaginative horsepower to understand administration activities. Not everybody likes recompiling their kernels or editing /etc/inetd.conf or...

    What to do? Give them a secure, stable, preconfigured setup they can browse the net and send mail from. Something you can set up for your grandmother, and it will just plain work. I am wondering who will get there first.

    1. Re:Wonderful Idea by Overt+Coward · · Score: 2
      And don't just restrict this to a standalone desktop issue, either. What I'd like to see (since it's what I need right now) is a distribution that specifically sets up only those services needed for a home/office internet gateway (and possibly SMB file and print server, too).

      Most distributions should be geared specifically toward a specific usage profile -- very few distributions should be the "general purpose" setup for tweaking by experts. From a business standpoint, give the consumers a tool they can use easily -- turn-key solutions are what seem to be wanted by the general public (as opposed to the subset of people who like to tinker around with their systems).

  10. New distro vs. install option? by Raul+Acevedo · · Score: 2
    I wonder if it would be better for the existing distros to have a "secure" install option rather than just creating a separate distro altogether. (RedHat for example has "workstation" and "install" options; it should have a "secure" option too.)

    Then again, a good separate commercial distro might be very good. There's probably enough security issues to merit a company just focusing on that, not to mention if they do it right they'll be proactive about finding security problems in Linux and feeding them back to the community.

    Personally I think it'd be nice if Linux took OpenBSD's path of concentrating on security, for example by auditing all code for security problems. But that doesn't look like it'll happen any time soon.
    --
    In a real emergency, we would have all fled in terror, and you would not have been notified.
  11. Loathing dselect by twit · · Score: 2

    I dunno. I rather like dselect because it's good for what I do. (Then again, I know linux pretty well, and have been using it for going on five-six years).

    That said, using the debian core functionality would be an excellent way to implement this. Start off with basic install, use apt to get what you need to start off and no more, and most importantly have apt periodically update packages from dists/stable. Security flaws will "fix themselves" (or at least be fixed seamlessly and without needing too much user intervention) as Debian maintainers get around to patching and updating the relevant packages.

    Maybe the underlying distribution doesn't have to be debian, but Debian is well suited to this kind of automation.

    --
    There is no premature anti-fascism. -Ernest Hemingway
  12. Re:Install less, and use firewalls by Trepidity · · Score: 3

    (1) Yeah, that would seem to be the best way to do things.

    (2) This doesn't seem like such a great idea. If all the services are set up correctly, there's no need to firewall the PPP device. If there's no telnetd running, a script kiddie can't telnet into your box. Rejecting incoming TCP connections would have nasty side-effects such as messing up IRC DCC transfers and ICQ messaging.

    (3) Definitely. New users should not be encouraged to set up an ftp/http/irc/telnet server during their initial install. They should get the OS running first, then worry about setting up services.

  13. For all the wrong reasons. by Anonymous Coward · · Score: 2

    ...

    What this article proposes is nothing less than the dumbing down of Linux. And his motivation?

    "We have to do it so all the drooling idiots will never have to think for themselves or learn about their computers!"

    The drooling idiots can keep their Windoze and MacOS, for all I care. I'm a Linux elitist and proud of it. I'm sick of the M$ myth that computers are easy to use. Computers are not always easy to use, and damnit people deserve to be honestly told that when they get into Linux. They need to be sat down and told: "Look, you're graduating off your training wheels now. There are fewer safeguards in your new OS. UNIX (and Linux, of course) have a philosophy called "leave enough rope", which means they give you the power to hang yourself by the neck if you ask for it. Don't think this is going to be easy. You have been granted great power and flexibility, but with it comes complexity."

    This will undoubtedly scare away some novices or lazy people, or people who just aren't interested in their computers except as a means to an end. This is all well and good and as it should be. M$ OSen are out there for people WHO DON'T WANT TO THINK. And personally, I'm not so worshipful of the Cult of Linux that I feel the need to turn everyone into a Linux junkie. Let there be diversity and many OSes. Let those who would willingly walk into the Gates of hell take their damnation in the form of bluescreens and Back Orifice. You asked for it, you got it! No pity for the masses.

    ...

    Now, none of this is to say that shipping distros with better "out of the box" security is a bad thing. Precisely the opposite, in fact. Let's get real here, folks. Out of the new users coming into Linux now, the "second wave", (i.e., the typical users), how many of them will actually need a real mailer daemon running on their box?

    So does it make sense to ship with sendmail or POP/IMAP (both notorious security holes) enabled and running by default? I don't think so. Similarly with webservers. If a user wants these daemons, they should set them up themselves.

    Yes, I can hear you saying "but those things are hard to set up!" Well, I have two replies for that. The first is: Yeah, damn right those things are hard to set up. There's a reason for that. It's so fools with incomplete understanding who don't want to take the time to enlighten themselves, don't mess with them. The other reply is: Yeah, damn right those things are hard to set up - and shouldn't we the open source community be doing something to fix that?

    I agree with the main point of this article, which is that distros need to ship with tighter security. But I think the author is advocating better security for all the wrong reasons.

    -Ben

  14. Re: Package **Nightmares** by Hard_Code · · Score: 2

    About a year ago I decided I was sick of being a windows luser. I am a programmer, and had had previous generic *nix experience so I was far from being inept. I, like many others, decided to take the easy approach and go with Red Hat (I was aware of the other distributions, but had it on good word from a Linux guru that I should start out with Red Hat).

    Most of the installation was pretty straightforward... I knew my hardware specs and wasn't really fazed by all the partitioning. However, the package installer was a **nightmare**. There was an absolutely humongous list of packages with undecipherable names that all had intricate dependencies on each other. "What is prl3.405.1? And why do I need it for tk103.4? What the hell is asdf4.21...and why does qwerty1.2.3 want it?" Since no clue was really given as to WHAT these things were, I was forced (after several attempts at a minimalistic install) to install a humongous amount of crap @350 MB.

    Now I used to be a DOS dork with a stupid 386. I knew every in and out of my system, and spent a lot of time tweaking. I liked to be able to understand and control everything. But the sheer amount of stuff I was required to install under Linux made this a bit daunting, and less than enjoyable. Sometimes there is such a thing as TOO much choice ;). Anyway, I kept Linux around for a while, until the real world problem of disk space came around.

    I would really, *really* like to switch to SOMETHING other than Windows. BeOS looks pretty nice too...I sort of like the idea of a clean start. If I do permanently switch to Linux it will probably be Debian, because I've heard their package handling is rather stringent. I'd also like GNOME and KDE to mature a bit, and see XFree86 get some of the performance enhancements in.

    --

    It's 10 PM. Do you know if you're un-American?
  15. Our experience with LinuxPPC Lite by haaz · · Score: 5

    We (LinuxPPC Inc.) used to have a "lite" version of LinuxPPC R4, our old glibc-1.99 distro. Lite was a minor debacle..

    First, it was hard to install. I actually can't remember why at this point, but it rarely seemed to work.

    It was hard to figure out what needed to be in, and what people would want, and still give it a small footprint. The final cut was a 104 MB distro that could be installed into as little as 30 or 50 MB. But really, you can do that with R4 anyway. I installed from an R4 CD onto a Zip disk. I had Apache running, but no X. It was slow, but it worked!

    Then there was LinuxPPC Live, which was an all-in-one distro similar to the recently announced "DemoLinux". Live consisted of a big fat ramdisk.image.gz file and a bigger, fatter live.filesystem file.

    Now, the problem with Live was that to make it small enough to fit on demo CD-ROMs and Zip disks, we had to (again) do a lot of cutting, which made it semi-useless. You could set up a PPP dialup with netcfg (kppp was a buggy pile of junk at the time, and of no use). But, if you booted it off a CD, it took forever to boot, and it couldn't save any settings.

    Linux on PowerPC still has to contend with users who have HFS Extended formatted drives. HFS Extended, or HFS+, is a more efficient disk format than Apple's original HFS, the Hierarchical File System. (Anyone else remember MFS?) Most Macs now ship with HFS+ formatted HDs, and Linux can't boot from a live filesystem on an HFS+ disk.

    Live worked better than Lite, but only slightly. I never had problems with it (that is, it booted, it ran), but it just wasn't usable for much.

    The good news is that doing Live provided a lot of solid R&D ground for us to do our current release's installer on. LinuxPPC 1999 (and the new Q3) can boot right from the CD-ROM, into Linux, into X, and into the installer. And it's all under the GPL. C'mon, Caldera! You made such a big deal about releasing Lizard under a semi-open license.. let's see you go all the way. ;)

    Live as a standalone distribution isn't a totally dead concept, though. It's got a lot of merit, and it's served nicely as a proof of concept for the live filesystem. It's not perfect, definitely not ideal for power users, but it's a good way to get people into Linux with a minimum of fuss.

    --
    -- haaz.
  16. How's this? by Hiro_Protaganist · · Score: 2

    I was just talking to someone about making a spinoff distro of Debian called "Snack Cakes", as in "Little Debian Snack Cakes". Or just "Little Debian". Of course, then we have the whole "Big Debian v. Little Debian"

    --

    _________
    Sometimes, when I'm feelin' bored, I like to take a necrotic equine and assault it physically.

  17. Security 101... Not offered on campus. by ColonelNorth · · Score: 5

    So you arrive at college to move your junk into your dorm room. You notice a little jack in your wall that is too big to stick your telephone plug into and see the word DATA above it. After asking someone, you find out that it's an Internet connection. Not only that, it's *Really* fast and always connected. A sense of freedom and superiority overcomes you as you think of all of your friends with little modems. You can't wait, and run to the bookstore to get the "Network startup kit."
    Opening your machine for the first time made you nervous, but after all, you have "ethernet" now, so you can't possibly go wrong. Magically enough, Windows properly finds your new 3C509 and sets it up. You begin playing around with the network settings based on the little numbers you find on your dorm network setup paper. After a reboot, you fly into Netscape and get lost in the web, watching things come at you with blinding speed. But you want more.
    You meet this scruffy, withdrawn student down the hall. You know he's the resident computer guru, so you ask him what else you can do to have fun on the internet. He gives you a long hard look, not sure just how bright you are. Unknown to you, he has been evaluating your intelligence since day one, along with the rest of the incoming freshmen. He sighs when he realizes you are the least annoying person in your pack. "Linux," he says. You turn to him with a quizzical look on your face. He points you to linux.org and tells you to look around. You jump to it.
    Around 2 AM, your Debian install is complete. You had another hard drive lying around from when you had your machine upgraded, and an engineering major installed it and made it go. You choose Debian because of the FTP install. You wanted everything to work without waiting, too impatient. Once it's set up, you leave your machine on as you go to bed. You logged out, and felt important doing so.
    The morning brings around the first day of classes. You give your friends your 'New' email address and brag about being able to get your own email without having to use the Campus system. You don't know or care how sendmail works. You know, however that it works, and that pine is rather nifty.
    As you walk in at night, exhausted from a full day of work and play, you hear your hard drive going a mile a second. You walk over to log in, and find your password changed. You're completely lost and have no idea what to do. You yank the magic cable out of the wall and turn off the machine. You remember that you can still boot to Windows, so you do. Ahh, safe, you sigh.
    A week later, the scruffy geek comes back to your room with your hard drive. He had taken it, at your request, to find out what had happened. He snorted, and asked you what business did you have running NCSA HTTPD. You shrugged. He looks over at the wall. He looks confused and exasperated. Unbeknownst to you, he's having a chicken and egg argument with himself. "He needs to learn before he can use this stuff. However, he can't learn without using Linux."
    He turns back to you. "Ok, I'll secure this system for you. However, this is a one time deal. I'll answer your questions, in brief, but I will not do anymore for you. Do you understand?" You nod. He returns your hard drive the next day. You're happy as a clam that everything, as far as you can tell, is just as you left it. What did he do? You let it escape your mind as you look at this neat thing called IRC.
    Two weeks later, your hard drive is wiped. Unknown to you, another daemon, this time sendmail, had a CERT advisory posted, and you pissed someone off on IRC. The wrong person.

    I hope you enjoyed that little tidbit. This happens way too often. However, in reality, people's college boxes just become hideouts for script kiddies. I believe a condensed Linux Workstation would be extremely useful. I wish I had one when I started. I, instead, was baptized by fire.

    Mike

  18. Assumptions, and a little humor. by pete-classic · · Score: 3

    There are two assumptions being made here that I am not sure are universally held.

    First, that "we" collectively want people who refuse to read documentation running Linux.

    Second, that "we" are striving for universal use of Linux.

    These are contrary to the things that drew me to Linux in the first place. I started using Linux (and reading /. and hanging out at #linux) because every illiterate monkey who considers himself a "computer expert" doesn't. The OS sucks less, and so does the community. Now there is this big push to get "every computer" running Linux. World dominance is a Microsoft value, not an open source value.

    I am not against making Linux (and associated software) easier to use, I am absolutely for it, but I am for making these things easier as one element of making them better. I am against making it easier to use at the expense of quality. I think that we need to be ever vigilant in this regard.

    "Is ease of use more important than quality?"
    "No. Quicker, easier, more seductive"
    "But how will I know good ease of use improvements from the bad?"

    You will know when your goal is making software better, not driving it on to every processor in the world.


    My $.02

    -Peter
  19. A matter of choice by EEEthan · · Score: 2

    Personally, I've been thinking about this and a few other things as well. The idea of a simple, secure, 'lite' distro is an alluring one, but as we've seen, there's no need for it to be an entire distro. What we need is for the installation options to be improved even further. One of the beauties about a linux distro is that every copy can be either a workstation or a server. What needs to happen is to continue to improve the installation programs. Linux installation programs could explain everything in a depth greater than we've seen in any previous setup util for any os, simply because of the massive amount of information available. An installation that could tailor exactly what is needed, based on computing need and experience, with a level of realtime help previously unheard of, is exactly what the os needs. With a tool like that, at the time of install, users would have a complete, powerful system, at startup. And there's no reason to have it stop there. Looking at SuSE's yast, I think we see the beginning of this process. But imagine a setup tool even more powerful and flexible, which could perform various types of automated updates, and search for information and help. It's a kind of killer meta-app, something that enables a user to take complete advantage of his system. I think the linux community has the basic elements already, and it's the only community that could provide anything like this in the near future.

  20. Re: Red Hat Lite by MindStalker · · Score: 2

    I completely agree with you. Let's call it Ultra instead of lite... hehe JK that's a bit far...
    Umm how bout Distribution Desktop
    or maybe Distribution User Edition.

    (replace Distribution with your favorite distribution of course.. as in RedHat User Edition.)

  21. Re:You've just described Linux Mandrake... by Fastolfe · · Score: 2

    I use 'autorpm' to keep stuff updated. For background updates, it works fine, e-mailing me progress reports, but the interactive mode it uses to install new packages is just horrible. I haven't looked at the Mandrake-update program, but I suspect it behaves similarly.

    Additionally, it just uses RPM's upgrade facility. It would be very nice to have a global configuration mechanism so that one could configure a new package at install/upgrade time (or at least select from multiple pre-written configurations). There are already some efforts on global X-based configuration programs (dotfile I think might be one such effort), but it hasn't quite made its way into a large enough chunk of packages (it might not be flexible/powerful enough for large apps that have complex configuration systems, such as sendmail or Apache).

  22. I submitted this as a RedHat bug by Nelson+Minar · · Score: 2

    I submitted a suggestion like this as a RedHat bug (ID 134) awhile ago. The response was not exactly overwhelming.

    The RedHat workstation/server difference is helpful, but not enough. We need an option to install the RPMs but not start the services. And I think *all* listening ports (except maybe telnet) should be off by default.
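
An added example (not part of the comment above, and not code from Red Hat or any distribution) of the "listening ports off by default" policy this thread keeps returning to: it audits a classic `inetd.conf`-format file for entries that would listen after install and comments out everything not on a keep-list. The sample file and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file and apply a default-off policy.
# Assumes the classic 7-column inetd.conf layout:
#   service  socktype  proto  wait/nowait  user  server  args...

# Constructed sample configuration (not taken from any real distribution).
sample_inetd_conf() {
cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
# time  dgram   udp  wait    root    internal
EOF
}

# Print "service/proto" for every active (uncommented) entry read from stdin.
enabled_services() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        NF >= 6 { print $1 "/" $3 }            # a real entry has at least 6 columns
    '
}

# Comment out every active entry whose service name is not in the
# comma-separated keep-list given as $1 (an empty list disables everything).
disable_all_except() {
    awk -v keep="$1" '
        BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # pass comments through untouched
        NF >= 6 && !($1 in allow) { print "#" $0; next }
        { print }
    '
}

echo "Listening as shipped:"
sample_inetd_conf | enabled_services

echo "After default-off policy (telnet kept):"
sample_inetd_conf | disable_all_except telnet | enabled_services
```

On a real system the output of `disable_all_except` would be reviewed and written back by the installer or administrator, followed by a reload of inetd.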

  23. Suggestion by Chris+Johnson · · Score: 2

    How about Server and GUI for the identifiers? It's kind of silly to have X running on a serious server, and it's quite unnecessary as you can admin it remotely and it needn't even have a _monitor_. Conversely, what could be more attractive and appropriate to the lusermentality than choosing between 'unpretty' and 'GUI'? No way would most of them pick 'light' or 'restricted' but give them a choice between 'server' and 'GUI' and they will _leap_ on 'GUI' uttering cries of delight. It's all in how you phrase it. Problem solved.

  24. Re:not necessarily a good idea by nowan · · Score: 2

    Ok. So your hammer (you're not a professional carpenter are you?) will protect you from hitting your thumb? And keep you from bending nails as you hammer them in? Or maybe it refuses to hammer in nails at all, for fear you'll hammer them all the way through into the floor.

    Making things simple to use is great. And having a good, clean, secure base setup is extremely important.

    But the computer *is* a tool. And you have to know how to use any tool or you can't use it effectively. That's the flip side of this dumbing down business -- it discourages users from ever learning to use their computer effectively. This idea that you can have a powerful tool without risk is ridiculous. That users expect this is a mistake on their part. That system designers who should know better cater to this mistake is idiotic and shortsighted. You expect this sort of thing with commercial OS's, but OSS is supposed to be able to take the longer view.

  25. Re:not necessarily a good idea by tialaramex · · Score: 2
    Your Linux PC is not a toaster...

    Toaster = Gameboy Tetris (anyone who can't operate one isn't a fully functioning member of society)

    Video = N64 (most people can get it to work, but they don't know how or why it does what it does)

    Private Aircraft = Linux PC (anyone can be taught to fly one, but they may need constant supervision, and they're pretty likely to crash it)

    Society doesn't always handle tech well (the idea that everyone should be encouraged to operate 100kph 1000kg machinery in populated areas is just craziness, and it's a tribute to human ingenuity that we've made it as safe as it is to drive a Car)

    Today's attitude to computers (Uh, I deleted it, how do I get it back?) is just a less extreme example of this in action, and I think it's pretty sad to Dumb Down Computers just to let people be more lazy...

    That said, I support the idea that Out-of-box Linux should not be set up as a fully-daemonized Unix if it's intended for desktop users, if you really NEED an SMTP server you can read the paragraph which tells you how to activate the damn thing.

    Nick.

  26. Re:not necessarily a good idea by Fastolfe · · Score: 2

    OK I'm going to go under the assumption that by "people like you" you are of course not literally referring to me. If I'm wrong in making that assumption, please let me know so that I can respond in a more direct fashion.

    ---

    If they can't be bothered to learn about the software they want to use, we don't need them.

    This is *not* the attitude to take. If we continue to cater only to the technically savvy, Linux will remain a niche operating system used only by the technically savvy. Its growth will slow, and fewer people will be interested in learning to use it.

    The current trend for computers and operating systems is for intelligent, autonomous simplicity. Some people call it "dumbing the PC down", others call it "creating an intuitive user interface." The types of people that need these interfaces are going to be the types of people that have the hardest time manually editing configuration files and "learning" an operating system's internals. These are the consumers. These are the people that make up the vast, vast majority of the operating system market, and if these people are unable to make use of an operating system that is unable to present configuration options in an intelligent, simple way, that operating system will lose market share and remain in a niche market forever.

  27. not necessarily a good idea by dave_d · · Score: 2

    Yes, there's probably not a real reason to have a lot of the 'default' daemons running - especially for the average user, and yes, Linux should install fairly securely by default, but should one have separate versions ala workstation and server? I don't think so. The installation program should be able to handle a lot of this - and, I personally, believe the user should have some clue what's going on - that may require some reading and understanding on what the installation program is asking. Would reading a few paragraphs kill anyone? Perhaps it would be nice to coddle new users with a 'dumbed' down version of Linux, but why not try to get the user to learn a little bit - that way there's a more intelligent userbase to work with.

    It seems that way too many things are 'dumbed' down or over-simplified for the 'average' user - it makes me sick.

  28. Another distro? by Penrif · · Score: 2

    Despite the general disdain towards the folks, this seems like a great place for RedHat to come into play. For most newbies coming into the flux, they know of RedHat, they might even trust RedHat. So why not have a RedHat Lite? Cost less mayhap, perhaps it just comes on another CD in the standard install. Or just have a "presets" menu in the installer that has such things as "Secure", "Web Server", some pregrown installs that'll all work peachy.

    Superb idea, and absolutely needed before Linux can be for the average folk.

  29. debian by Anonymous Coward · · Score: 2

    debian comes with a default hosts.deny file of ALL : PARANOID. That way, if you want an inetd controlled service open to anyone, you have to explicitly open that service. More distributions should follow this lead.
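
How tcpd evaluates the two files the comment above refers to, as an added example (not from the thread or from Debian): a simplified Python model of the hosts_access(5) decision order, with constructed clients and rule sets. It covers only a subset of pattern types, and shows that `ALL: PARANOID` refuses only clients whose name and address disagree, while `ALL: ALL` in hosts.deny is what makes every service opt-in through hosts.allow.

```python
# Simplified model of the tcp_wrappers decision described in hosts_access(5).
# Assumptions: IPv4 only, no rule options, a subset of the pattern types.
# All client records and rule sets below are constructed for illustration.

def host_matches(pattern, client):
    """Match one client pattern: ALL, PARANOID, .suffix, prefix., or exact."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        # Matches when the client's name does not map back to its address.
        return not client["name_matches_addr"]
    if pattern.startswith("."):
        return client["name"].endswith(pattern)
    if pattern.endswith("."):
        return client["addr"].startswith(pattern)
    return pattern in (client["name"], client["addr"])

def rule_matches(rule, daemon, client):
    """A rule is 'daemon_list : client_list'; anything after that is ignored."""
    parts = [p.strip() for p in rule.split(":")]
    if len(parts) < 2:
        return False
    daemons = parts[0].replace(",", " ").split()
    clients = parts[1].replace(",", " ").split()
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(host_matches(p, client) for p in clients)

def access(daemon, client, hosts_allow, hosts_deny):
    """hosts.allow is consulted first, then hosts.deny; no match means granted."""
    if any(rule_matches(r, daemon, client) for r in hosts_allow):
        return "granted"
    if any(rule_matches(r, daemon, client) for r in hosts_deny):
        return "denied"
    return "granted"

# Constructed clients.
GOOD_DNS = {"addr": "192.0.2.10", "name": "host.example.net", "name_matches_addr": True}
BAD_DNS = {"addr": "198.51.100.7", "name": "odd.example.org", "name_matches_addr": False}
LAN = {"addr": "192.168.1.5", "name": "desk.home.example", "name_matches_addr": True}

# Constructed rule sets.
PARANOID_ONLY = ["ALL: PARANOID"]            # hosts.deny as quoted in the comment
DEFAULT_DENY = ["ALL: ALL"]                  # hosts.deny that refuses everything
ALLOW_LAN_TELNET = ["in.telnetd: 192.168.1."]  # hosts.allow opening one service

if __name__ == "__main__":
    cases = [
        ("PARANOID, consistent DNS", GOOD_DNS, [], PARANOID_ONLY),
        ("PARANOID, mismatched DNS", BAD_DNS, [], PARANOID_ONLY),
        ("ALL: ALL, consistent DNS", GOOD_DNS, [], DEFAULT_DENY),
        ("ALL: ALL + LAN allow rule", LAN, ALLOW_LAN_TELNET, DEFAULT_DENY),
    ]
    for label, client, allow, deny in cases:
        print(f"{label:28} in.telnetd -> {access('in.telnetd', client, allow, deny)}")
```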

  30. Security... by selectap · · Score: 2

    I think that this issue will become more important as we get away from PPP and move towards cable and dsl. The person who wrote this article was fortunate because he realized that someone was logged into his machine, but if the average user walks away from his/her machine at home, then Bad Things can happen without the user knowing it.

    All computer users need to be made more aware of security issues, including those running Windows. I have a friend with a cable modem, and just for fun one day he decided to see how many Windows shares were available to him on his network. He was able to get, among other things, someone's tax return because of a share that user left open.

    Ouch.

  31. Install less, and use firewalls by Paul+Crowley · · Score: 4

    The basic idea is hard to fault. A few caveats:

    (1) There's no need for entirely separate distributions: a radiobutton selection in the install dialog about whether you want the default desktop edition or something fancy would do.

    (2) Firewalling the PPP device by default would help. A *lot*. Just bar incoming TCP connections and most other stuff and a lot of script kiddies get shown the door.

    (3) The biggest helper would be if these distributions installed fewer packages! I've installed Debian umpteen times, and I've grown to loathe dselect. The best thing would be for distributions to install a minimum set of recommended packages at install time, enough to get online and browse the Web and read mail and news, and then let them get used to it. Another day, they can learn about making Web servers available and suchlike: a simple, secure base would be an excellent place to start.
    --

  32. Just a few things... by El+Volio · · Score: 2
    This is a very good idea. Forthwith, a few thoughts:

    The users do need to know that there is a root account, and know the password. They need to be educated at least to the extent not to stay logged in as root. Many NT users have been able to grasp this; Linux users should, too. And as someone already pointed out, otherwise there will be known default root passwords, which is a Bad Thing, Man (tm).

    In reality, all distributions should come with the default configurations a bit more secure. Maybe not to the level of extreme paranoia, but to a reasonable degree. Let's be honest, we sysadmins aren't perfect (although we want our users to think so). It's possible that we could forget to configure something when installing a new system, or erroneously assume that some option is already set in a secure manner when in fact it's not.

    This will have another, non-technical effect. Once the mainstream media picks up on such a distribution or effort, that's going to entice more users (and corporate managers) to consider it a viable desktop option. I'm all for users learning more about what they're doing, but I've met too many customers who asked me, "What's 'double-click' mean?" to believe that this could ever happen.

    --

    "You can never have too many elephants on your team."

  33. Not anything new. by Bruce+Perens · · Score: 3
    Debian and Red Hat already support installing a system without network servers, or with only the network servers you ask for. On Red Hat this is one check-box, not a big deal to do. If you install a system that way, there isn't really anything different from a system that's "optimized" for the single-user desktop.

    The author seems a bit systems-administration-naive to think that you'd have to design a special distribution just for this.

    Bruce

  34. You've just described Linux Mandrake... by Jaime+Herazo+B. · · Score: 2

    ... Almost!

    Mandrake has the main install categories (server, workstation and custom), but not the subcategories.

    The package categories are almost like it.
    And it has Mandrake-update: You start it, it fetches the list of mirrors of the FTP site, lets you select one, then fetches the list of RPMs to update, you select the ones to get, it downloads and installs them, and you're set.

    Now, they're preparing the next incarnation, we can suggest this to them, it shouldn't be hard to implement.

    "Now you can see that evil will triumph, because good is dumb!"

  35. Maybe an answer! by stevew · · Score: 4

    First - I agree with the author. Why should a system come out of the box running httpd, ftp, or whatever?

    The OTHER problem that stops us from world domination is the GUI! X can be impossible to get working - especially on newer hardware (my EOne for example).

    A couple of days ago there was an announcement here of yet another distro that takes care of one issue: http://www.demolinux.org

    This distro runs exclusively off of a CDROM - you can take linux to any machine! One of the tricks they pulled that got it to run on my EOne that neither the latest RH, Mandrake, or Suse could do was bring up X! They used the new Frame Buffer server. It isn't accelerated but it works GREAT! So if the demolinux people were to go a step further and tighten up their system to not have a large number of separate daemons running - we might be pretty close to what the author was asking for! (Actually haven't looked at what daemons they HAVE enabled on this distro - maybe it's already there?)

    Steve

    --
    Have you compiled your kernel today??
  36. Linux well done, not "lite" by messman · · Score: 5
    What is really needed is a good distro that takes care of installing everything properly. Most distros are just focusing on showing nice installation menus and all that crap. The current trend seems to have forgotten what's important and what's not. Distros are sending new users the wrong message: it seems to be more important to have a flashy and colorful desktop than a robust and secure box.

    While I understand they do it to attract Windows users it is becoming a very dangerous game. The solution is not going even further the Windows way, as the article suggests. The only real solution is that the distributions stop focusing on copying Windows styles, looks, feels, sounds, etc. and start focusing on these points:

    • Good comprehensive documentation, including overviews and guides to the software they distribute. Besides all generic documentation which comes with a package there is a need for each distribution to explain what is included and why, how the packages included will help the user, and which packages should a user install to accomplish what she needs.
    • An installation system which educates the user at the same time it installs the packages. It should guide users so that they choose the installation which best fits their needs, avoiding the current install everything approach.
    • A good admintool which takes care of all the tedious system administration tasks in an unobtrusive way. It should perform all necessary security checks and monitor the system periodically.
    Of course, these are the ultimate goals and it would take time to reach them. However, while some distros are at least partially working on similar projects, most are not. If new Linux boxes are insecure it is the distros' fault. No doubt about it.
  37. Re: Red Hat Lite by jhoffmann · · Score: 2

    Red hat lite is a great idea but the funny thing is that if you market something as "lite", you expect less features for less price. Great for most products unless your product is support (a la redhat & every other linux distribution). Red hat should be charging more for a red hat lite because the newbies are the ones requiring the most tech support.

  38. My Dinner With NT by Darth+Hubris · · Score: 2

    I suppose I was trying to refute the comments about "the typical user" when I started to reply to this, but now I have to say that I'm in agreement.

    I started my time with Win 3.1, and tweaked that to death, then moved on to Win95 and played with that for a time. Up until this time, I had been your typical user, unwilling to dig too much further.

    My experience with NT over the years has taught me some valuable lessons.

    * I have a user account on my machine instead of logging in as the Admin. I've set up the desktop and start menu on the Admin account with items aimed at administration [doh].

    * I set whatever services I may run to manual, so that I use them only when needed.

    * The C: partition is for the OS and programs only. All data is on the D: or subsequent drives.

    I'll be damned if that isn't the successful recipe for a Linux box as well.

    I'd have to say the first few chapters of the Red Hat manual were invaluable, and ought to be required reading. It isn't that difficult. And if you're not careful, you just might learn something.

    --
    The party's over ... the drink ... and the luck ... ran out
  39. Don't Fool yourself by Outland+Traveller · · Score: 2

    "Nobody" may need to be concerned about security if your computer is never plugged into a network such as the internet.

    However, as soon as you dial up your ISP, not to mention connect a cablemodem, you would be well advised to be concerned with security.

    Even if you have nothing but valueless games on your personal computer, a malicious cracker can still make use of it as a depot for warez and pornography, and they can also use your computer as a launching pad for attacks on other systems. Some people will try and damage your computer simply because you live in (insert your country here).

    How would you like it if your computer was seized by the feds for evidence because a malicious person used it for illegal purposes?

    Everyone who is part of a worldwide electronic community should be aware of security (and privacy) issues. You don't have to be a security expert, but you should at least go in with a cautious attitude. In the end, you are responsible for yourself.

  40. Well there is SOME good thinking here by RodStewart · · Score: 2

    I mean in Windows the big deal is *poof* it's there and it's helped me. I mean if we ever want to survive this war the answer is standards, standards, standards. We need to have a better installation procedure, not just for the distro, but say for Quake3; if I'm the average user I want installation to be simple. I mean do I really need a 12 step procedure, including mounting a cdrom, changing up directories, copying the windows "content" files to the right place, downloading the linux binary, etc.? AWW! This should be point and click, a BOOM, you're there. This should all be standardized too. What are we doing worrying about the correct definition of open source so we can scold someone who doesn't do it exactly right, or having flame wars of Linux vs. xBSD? Let's make all our shit work together, and make it easier for the rest of us.


    sorry about any errors,
    rob

    --
    "Are you satisfied with fucking?" - Dave Matthews from "Halloween"
  41. Redhat installation. by jelwell · · Score: 2

    Redhat has been asking users whether they want a server, workstation, or custom installation for a while now. Anyone know the specifics between the server and workstation? I fear it may only be Gnome/Kde or no Gnome/Kde; but hopefully it rips out sendmail and some other nasty daemons.

    What would really be appropriate is if distributions could package in ssh, but then we run into export problems - I assume, only because I know redhat doesn't come with ssh - but maybe that's the ssh people being uncooperative. But really, does a home user even need telnet?

    Joseph Elwell.