Openssh really needed in desktop profiles?

OK, I've not seen this dealt with on any of the Gentoo
groups/lists I'm 
in since at least early 2004, there's nothing I can find
about it on 
bugs, and for some reason my package.provided entry quit
working, 
bringing the question back to the front burner.

Why is openssh (as virtual/ssh) part of the desktop
profiles?

Sure, some folks will have more than one machine, or ssh in
to work or 
something, but they can emerge it, just like anyone else
does.  Those 
with only a single machine, who only access it locally, and
who have no 
reason to ssh into any other machines, should have no need
of it.

In fact, despite the fact that I've been running Gentoo
since early 2004, 
I've /never/ had ssh on the system, AFAIK.  It has always
been injected 
or in package.provided, since I never could see a reason to
have it on my 
system, and as we all know, an unneeded and unused app on
the system is a 
security vulnerability waiting to happen.  Not only that,
but on Gentoo, 
there's a significantly higher than normal maintenance
burden, give our 
compile from sources general policy.  Since I've not needed
it in all 
/that/ time, it should indeed be safe to remove from the
system list and 
made a dependency for anything that /does/ need it.

Anyway, I think at least a discussion might be worthwhile,
and I decided 
to bring it up here to see what desktop folks thought,
before bothering 
the entire dev list with the idea.  If it gets shot down
here, then no 
need to bring it up there.  I keep thinking that /someone/
must have 
asked the question before, but I haven't seen it in three
years now, so 
it can't be /too/ much of a FAQ.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." 
Richard Stallman

-- 
gentoo-desktopgentoo.org mailing list

ON SATURDAY 24 FEBRUARY 2007, DUNCAN <1I5T5.DUNCANCOX.NET> WROTE 
ABOUT '[GENTOO-DESKTOP]  OPENSSH REALLY NEEDED IN DESKTOP
PROFILES?':
> WHY IS OPENSSH (AS VIRTUAL/SSH) PART OF THE DESKTOP
PROFILES?

ODDLY ENOUGH, THE #1 COMPLAINT I'VE HEARD ABOUT (K)UBUNTU IS
THAT IT 
DOESN'T INSTALL SSH BY DEFAULT.  BUT, THAT COULD BE BECAUSE
THERE'S A 
NUMBER OF GEEKS I KNOW TRYING TO CONVERT THE MASSES VIA
KUBUNTU, AND WHEN 
THEY ARE ASKED FOR SUPPORT THERE FIRST INSTINCT IS TO SSH IN
AND FIX 
THINGS.

THAT SAID, I THINK THE PROFILES SHOULD BE KEPT TRIM, AND I'D
HAVE NO 
PROBLEM WITH VIRTUAL/SSH DISAPPEARING FROM THEM.  HOWEVER,
PLEASE MAKE 
SURE THE RELENG TEAM LEAVES IT ON THE INSTALL MEDIA.

-- 
BOYD STEPHEN SMITH JR.                     ,= ,-_-. =. 
BSS03VOLUMEHOST.NET                      ((_/)O O(_))
ICQ: 514984 YM/AIM: DATWINKDADDY           `-'(. .)`-' 
HTTP://IGUANASUICIDE.ORG/                      _/     
NEW GPG KEY!  OLD KEY EXPIRES 2007-03-25.  UPGRADE NOW!

> -----Original Message-----
> From: news [mailto:newssea.gmane.org]On Behalf Of
Duncan
> Sent: 24 February 2007 15:10
> To: gentoo-desktoplists.gentoo.org
> Subject: [gentoo-desktop] Openssh really needed in
desktop profiles?
> 
> In fact, despite the fact that I've been running Gentoo
since 
> early 2004, 
> I've /never/ had ssh on the system, AFAIK.  It has
always 
> been injected 
> or in package.provided, since I never could see a
reason to 
> have it on my 
> system, and as we all know, an unneeded and unused app
on the 
> system is a 
> security vulnerability waiting to happen.  Not only
that, but 
> on Gentoo, 
> there's a significantly higher than normal maintenance

> burden, give our 
> compile from sources general policy.  Since I've not
needed it in all 
> /that/ time, it should indeed be safe to remove from
the 
> system list and 
> made a dependency for anything that /does/ need it.
> 

I was under the (possibly mistaken) impression that openssh
was a relatively secure, stable package as one would hope
from one of the staple packages for any remote *nix server.


Also.

2min43s to compile 4.5_p1-r1 on a Core Duo running at
1.33GHz (while doing other things).
/etc/ssh is 164k
other confs in /etc are 12k total
scp is 44k
sftp is  68k
/usr/bin/ssh* are <700k
sshd is 300k.

Plus docs and stuff. So it's not that long to compile, and
only takes a few megs of space at most. I don't see a
pressing reason to remove it by default - and it's a damn
useful tool to have installed. Throw into that the confusion
if people don't know it's been removed by default....

Anyone who knows they wont need it can easily remove it. Or
do rc-update del sshd default.

Just my £0.02 - the "aye been" approach I'm
afraid.

--
djn

I do not represent anyone else in emails I send to this
list.

ON SUNDAY 25 FEBRUARY 2007 20:14:22 CHRIS GIANELLONI WROTE:
> ON SAT, 2007-02-24 AT 15:09 +0000, DUNCAN WROTE:
> > WHY IS OPENSSH (AS VIRTUAL/SSH) PART OF THE
DESKTOP PROFILES?
>
> UHH... BECAUSE I LIKE IT AND PEOPLE EXPECT IT TO BE
THERE.  YOU'RE MORE
> THAN CAPABLE OF REMOVING IT FROM YOUR SYSTEM.

'CEPT SINCE IT'S IN THE PROFILE IT'S CONSIDERED PART OF
SYSTEM, SO A GREAT 
MANY EMERGES (PARTICULARLY EMERGE -AVTUND WORLD) WANT TO
BRING IT BACK IN.  
THE PACKAGE.PROVIDED AND EDITING VIRTUALS HACKS SHOULD BE
UNNECESSARY TO 
HAVE 
A SYSTEM WITHOUT AN SSH DAEMON INSTALLED.

> FEEL FREE TO BRING IT UP, BUT THE DESKTOP PROFILE IS
MAINTAINED BY
> RELEASE ENGINEERING SINCE IT IS USED TO BUILD RELEASE
MEDIA.  I HAVE NO
> INTENTIONS ON REMOVING IT, SINCE I SEE IT AS
INVALUABLE. 

IT IS INVALUABLE FOR THE RELEASE MEDIA.  I DON'T WANT TO SEE
IT MISSING 
FROM 
THERE.

> MY PERSONAL BELIEF IS THAT THE PROFILES SHOULDN'T BE
REMOVING 
> REQUIREMENTS ON THINGS UNLESS THEY'RE INCOMPATIBLE.

MY PERSONAL BELIEF IS THAT THE PROFILES SHOULD BE
MINIMALISTIC, ONLY 
BRINGING 
IN THING THAT ARE REALLY REQUIRED -- BUT PERHAPS, I SHOULD
BE USING THE 
PARENT PROFILE OF DESKTOP INSTEAD, THEN?

-- 
BOYD STEPHEN SMITH JR.                     ,= ,-_-. =. 
BSS03VOLUMEHOST.NET                      ((_/)O O(_))
ICQ: 514984 YM/AIM: DATWINKDADDY           `-'(. .)`-' 
HTTP://IGUANASUICIDE.ORG/                      _/     
NEW GPG KEY!  OLD KEY EXPIRES 2007-03-25.  UPGRADE NOW!

ON MONDAY 26 FEBRUARY 2007 15:35:04 BOYD STEPHEN SMITH JR.
WROTE:
> > MY PERSONAL BELIEF IS THAT THE PROFILES SHOULDN'T
BE REMOVING
> > REQUIREMENTS ON THINGS UNLESS THEY'RE
INCOMPATIBLE.
>
> MY PERSONAL BELIEF IS THAT THE PROFILES SHOULD BE
MINIMALISTIC, ONLY
> BRINGING
> IN THING THAT ARE REALLY REQUIRED -- BUT PERHAPS, I
SHOULD BE USING THE
> PARENT PROFILE OF DESKTOP INSTEAD, THEN?

THIS IS INHERITED FROM THE BASE PROFILE SO IT'S NOT SPECIFIC
TO ANY DESKTOP 
PROFILE AT ALL. WHAT YOU COULD DO IS CREATE YOUR OWN PROFILE
WHICH INHERITS 
FROM WHICHEVER PROFILE YOU WANT AND CONTAINS:

# CAT << EOF > PACKAGES
-*VIRTUAL/SSH
EOF

-- 
BO ANDRESEN

ON MON, 2007-02-26 AT 16:18 +0100, BO ØRSTED ANDRESEN
WROTE:
> ON MONDAY 26 FEBRUARY 2007 15:35:04 BOYD STEPHEN SMITH
JR. WROTE:
> > > MY PERSONAL BELIEF IS THAT THE PROFILES
SHOULDN'T BE REMOVING
> > > REQUIREMENTS ON THINGS UNLESS THEY'RE
INCOMPATIBLE.
> >
> > MY PERSONAL BELIEF IS THAT THE PROFILES SHOULD BE
MINIMALISTIC, ONLY
> > BRINGING
> > IN THING THAT ARE REALLY REQUIRED -- BUT PERHAPS,
I SHOULD BE USING THE
> > PARENT PROFILE OF DESKTOP INSTEAD, THEN?
> 
> THIS IS INHERITED FROM THE BASE PROFILE SO IT'S NOT
SPECIFIC TO ANY DESKTOP 
> PROFILE AT ALL. WHAT YOU COULD DO IS CREATE YOUR OWN
PROFILE WHICH INHERITS 
> FROM WHICHEVER PROFILE YOU WANT AND CONTAINS:
> 
> # CAT << EOF > PACKAGES
> -*VIRTUAL/SSH
> EOF

CORRECT.  THIS IS WHAT I MEAN BY *NOT* REMOVING PACKAGES.

IN OTHER WORDS, RELEASE ENGINEERING WOULDN'T MAKE A PROFILE
THAT
*REMOVES* THINGS FROM BASE, UNLESS IT WAS INCOMPATIBLE, SUCH
AS REMOVING
A PACKAGE WHICH ISN'T AVAILABLE DUE TO AN INCOMPATIBILITY. 
WE HAVE A
SIMPLE RULE, AS THINGS GO TO THE RIGHT IN OUR PROFILES, THEY
GO MORE
SPECIFIC, AND ARE ADDITIVE FROM THE PARENT.  THE *ONLY* WAY
WE WOULD
REMOVE VIRTUAL/SSH FROM THE DESKTOP PROFILE WOULD MEAN
REMOVING IT FROM
BASE, THEN MOVING IT TO EVERY SINGLE LEAF PROFILE *EXCEPT*
THE DESKTOP
ONES.  YOU CAN PROBABLY GUESS WHY WE DON'T WANT TO DO THAT. 
OF COURSE,
BO'S SOLUTION REALLY IS THE QUICKEST WITHOUT RESORTING TO
ANY FURTHER
TRICKS.  IF YOU WANT A CUSTOM PROFILE (WHICH YOU DO IF YOU
DON'T WANT
VIRTUAL/SSH), THEN CREATE ONE.  ;]

-- 
CHRIS GIANELLONI
RELEASE ENGINEERING STRATEGIC LEAD
ALPHA/AMD64/X86 ARCHITECTURE TEAMS
GAMES DEVELOPER/COUNCIL MEMBER/FOUNDATION TRUSTEE
GENTOO FOUNDATION

ON MONDAY 26 FEBRUARY 2007, CHRIS GIANELLONI
<WOLF31O2GENTOO.ORG> WROTE 
ABOUT 'RE: [GENTOO-DESKTOP]  OPENSSH REALLY NEEDED IN
DESKTOP PROFILES?':
> IN OTHER WORDS, RELEASE ENGINEERING WOULDN'T MAKE A
PROFILE THAT
> *REMOVES* THINGS FROM BASE, UNLESS IT WAS INCOMPATIBLE,
SUCH AS REMOVING
> A PACKAGE WHICH ISN'T AVAILABLE DUE TO AN
INCOMPATIBILITY.

OKAY, THAT MAKES SENSE.  BUT, I DON'T REALLY THINK
VIRTUAL/SSH SHOULD BE IN 
THE MOST FUNDAMENTAL PROFILE EITHER.  IT'S SIMPLY NOT THAT
ESSENTIAL FOR A 
RUNNING GENTOO SYSTEM.

> WE HAVE A 
> SIMPLE RULE, AS THINGS GO TO THE RIGHT IN OUR PROFILES,
THEY GO MORE
> SPECIFIC, AND ARE ADDITIVE FROM THE PARENT.

I LIKE THAT RULE.

> THE *ONLY* WAY WE WOULD 
> REMOVE VIRTUAL/SSH FROM THE DESKTOP PROFILE WOULD MEAN
REMOVING IT FROM
> BASE, THEN MOVING IT TO EVERY SINGLE LEAF PROFILE
*EXCEPT* THE DESKTOP
> ONES.

OR PERHAPS, ONLY THE FEW WHERE SSH IS PART OF THE SYSTEM
PACKAGES LIKE 
SERVER-SPECIFIC PROFILES, NO NEED TO MAINTAIN THE STATUS QUO
WHEN YOU ARE 
ALREADY MAKE A CHANGE OF THE SAME SCOPE.

> YOU CAN PROBABLY GUESS WHY WE DON'T WANT TO DO THAT.

YEAH.

> OF COURSE,  
> BO'S SOLUTION REALLY IS THE QUICKEST WITHOUT RESORTING
TO ANY FURTHER
> TRICKS.  IF YOU WANT A CUSTOM PROFILE (WHICH YOU DO IF
YOU DON'T WANT
> VIRTUAL/SSH), THEN CREATE ONE.  ;]

HOW QUICKLY WILL BY BUGS GET CLOSED WITH RESPONSES LIKE
"USE A STANDARD 
PROFILE, RICER!", THEN?  SERIOUSLY, I GET ENOUGH FLAK
FOR -O3.  (IT HAS 
YET TO ACTUALLY HAVE BEEN A PROBLEM.)

-- 
BOYD STEPHEN SMITH JR.                     ,= ,-_-. =. 
BSS03VOLUMEHOST.NET                      ((_/)O O(_))
ICQ: 514984 YM/AIM: DATWINKDADDY           `-'(. .)`-' 
HTTP://IGUANASUICIDE.ORG/                      _/     
NEW GPG KEY!  OLD KEY EXPIRES 2007-03-25.  UPGRADE NOW!

On Tuesday 27 February 2007 19:37:23 Duncan wrote:

> The thing is, most other clients aren't part of system.
 (rsync and wget
> are, for portage to use, but firefox isn't, and dhcpcd
or other dhcp
> client isn't, despite the number of folks using both,
for instance.)

It sounds as though you'd like the openssh package to be
split into two - a 
client and a server, analogously to, say, ntp. Is that
right?

-- 
Rgds
Peter
-- 
gentoo-desktopgentoo.org mailing list