Examples of 'dpkg --get-selection > packagesinstalled.txt' for firewall

Rob Weir rweir at softhome.net
Mon Nov 25 15:55:39 EST 2002


On Mon, Nov 25, 2002 at 09:17:36AM +1100, Alex Satrapa wrote:
> I have an ADSL router running Debian Woody, and I've trimmed it down to 
> 119 packages installed (about 153MB used). I was hoping to trim it down 
> further to fit it all onto a 128MB CF, but then I'd have to lose stuff 
> like NTP and OpenVPN (and that would only save me about 1MB all up).

You could always burn the system on to a CD, and mount /var over NFS
from somewhere else.  If anyone actually manages to break in, all you
have to do is reboot.

> To cut it down further, I'll have to do stuff like:
>  - remove editors (use scp to copy files to a remote
>    machine, edit them there, then scp back)

You've still got ed :)  Also, some editors can use the FISH protocol to
edit files over SSH.  I'm fairly sure KDE can handle this with an
ioslave, and I've heard emacs has a module for it too.

>  - remove /usr/share/doc (though I'm sure this will
>    break packages)

I'm fairly sure this will be safe.  I can't imagine how or why any
package would depend on anything in /usr/share/doc/ at run time (aside
from help files, I guess).  They'll be re-created every time you upgrade
a package though.

>  - remove unused locales (could save about 8MB)

Maybe localepurge could help with this?

> I'm not sure how much other stuff I can remove without breaking things - 
> for example, replacing bash with sash would break all the scripts on the 
> box. Thus I'm stuck with stuff like libncurses5. 

dash (a.k.a. ash) is a port of the NetBSD Bourne shell which is much
smaller than bash, and should (i.e.  it's a package bug if it doesn't
work) be able to safely replace bash as your /bin/sh.  You'll have to
check that your homebrew scripts (and some of Debian's, I suppose) don't
explicitly use /bin/bash.

> There's other stuff 
> like diff that I could probably remove if I knew exactly which bits and 
> pieces use it (eg: the setuid tracking stuff).

If you're prepared to give up some convenience you could cut a lot of
cruft: Create a tarball of the existing system.  This will be your
master copy that you edit and upgrade.  Cut out diff, editors, etc, etc
from it until it fits onto the CF card.  Run your firewall off it.
Every now and then, untar the master (on your desktop or whatever), and
chroot into it.  Edit your config files, upgrade with security fixes and
whatever, then trim it down and copy it back on to the CF.

-rob
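
The check mentioned in the reply above (finding scripts that explicitly use /bin/bash before dash becomes /bin/sh), as an added example that is not part of the original e-mail. The function names and the sample files are hypothetical and constructed for illustration; it assumes file names without embedded newlines.

```shell
#!/bin/sh
# Added example (not from the original thread): find scripts that would still
# need bash after /bin/sh is switched to dash.

# Echo the interpreter named on a file's "#!" line, or nothing if there is none.
# Handles both "#!/bin/bash" and "#!/usr/bin/env bash".
shebang_interp() {
    # Only the first line matters; strip NULs and CRs so binaries are harmless.
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\000\r')
    case $first in
        '#!'*) ;;
        *) return 0 ;;
    esac
    set -f                      # no globbing while the line is split into words
    set -- ${first#'#!'}
    set +f
    interp=${1##*/}
    if [ "$interp" = env ]; then interp=${2##*/}; fi
    printf '%s\n' "$interp"
}

# List regular files under the given directories whose shebang names bash.
find_bash_scripts() {
    find "$@" -type f 2>/dev/null | sort | while IFS= read -r f; do
        if [ "$(shebang_interp "$f")" = bash ]; then printf '%s\n' "$f"; fi
    done
}

# Build a constructed sample tree (not real system files) and echo its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho portable\n'            > "$d/fw-rules"
    printf '#!/bin/bash\necho "${BASH_VERSION}"\n' > "$d/ppp-up"
    printf '#! /usr/bin/env bash\necho env\n'      > "$d/rotate-logs"
    printf 'no shebang here\n'                     > "$d/notes.txt"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
find_bash_scripts "$tree"   # in real use: find_bash_scripts /etc /usr/local/bin
rm -rf "$tree"
```

Files it lists must keep bash installed or be rewritten for plain sh; scripts that start with `#!/bin/sh` but rely on bash-only syntax are not detected by a shebang scan.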