royce at tycho.org
Wed Feb 22 20:38:04 UTC 2017
On Wed, Feb 22, 2017 at 11:30 AM, Gary E. Miller <gem at rellim.com> wrote:
> Yo Achim!
> On Wed, 22 Feb 2017 18:21:01 +0100
> Achim Gratz <Stromeko at nexgo.de> wrote:
> > Gary E. Miller writes:
> > > Mark was thinking of a separate ntp-tools package or option. Many
> > > distros have an X package and a matching X-tools package. We could
> > > make that easy with a build option.
> > >
> > > I see the vast majority of users only using ntpd.
> > >
> > > But seriously, do you really need to save USD$0.001 of disk space?
> > I'm pretty sure that Hal was more concerned about not putting stuff
> > on a public-facing server that wasn't absolutely necessary.
> Then 90% of your distro is probably also not absolutely necessary.
> If your attacker can run things on your CLI then it is long past game over.
The attack surface isn't binary.
IMO, it's better for the ecosystem to let each admin decide which
things to install or to leave out. If it's an easy split to make, I'd
rather that admins have the option.
> > You'd
> > want that for an audited system, like the "sec" part in NTPsec
> > implies should be possible.
> I've never had that come up in an audit. Every open port gets thoroughly
> looked at, but not miscellaneous programs in /usr/bin.