>Gentoo and other source-based distros, to me, seem to have the best solution: build only with what you actually need, and disable features you don't need to use. Thus, excess packages get pruned from the dependency tree and you end up with less clutter (and, not incidentally, fewer possible vulnerabilities).
But the trade-off is that every box ends up running its own unique mix of code. Security-wise, this is good in that it increases diversity (so it's less likely someone will be able to pwn *all* Gentoo boxes), but reduces scrutiny on the actual code and interactions present on any particular box (so it's more likely that any particular Gentoo box *can* be pwned, which is probably what most sysadmins care about more).
Hard to know how much extra risk this is in practice, though; that'd make a lovely study, if anyone can figure out how to measure it.
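Added example (not part of the original comment or of Portage's own code): a small Python model of USE-conditional dependency resolution, showing concretely how disabling features prunes the transitive dependency closure described in the quoted text. The dependency strings follow a simplified subset of Portage's DEPEND syntax (atoms, parenthesised groups, `flag? ( ... )` and `!flag? ( ... )`; no `||` any-of groups or version constraints), and the package metadata, world set and USE sets are constructed for illustration, not real ebuild data.

```python
import re

# Constructed sample metadata (hypothetical, not real ebuilds): package -> dependency string.
PACKAGES = {
    "app-editors/vim": "ncurses? ( sys-libs/ncurses ) X? ( x11-libs/libX11 x11-libs/gtk+ ) "
                       "python? ( dev-lang/python )",
    "net-misc/curl": "ssl? ( dev-libs/openssl ) ldap? ( net-nds/openldap ) !minimal? ( net-dns/libidn2 )",
    "x11-libs/gtk+": "x11-libs/libX11 x11-libs/cairo",
    "x11-libs/cairo": "x11-libs/libX11 media-libs/freetype",
    "net-nds/openldap": "ssl? ( dev-libs/openssl ) sys-libs/db",
    "dev-lang/python": "ssl? ( dev-libs/openssl ) sys-libs/ncurses",
}
WORLD = ["app-editors/vim", "net-misc/curl"]          # what the admin explicitly asked for
FULL_USE = frozenset({"ncurses", "X", "python", "ssl", "ldap"})  # "everything on", as a binary distro might ship

# Tokens: '(', ')', 'flag?' / '!flag?', or a package atom (anything else without whitespace/parens).
_TOKEN = re.compile(r"\(|\)|!?[A-Za-z0-9_@+-]+\?|[^\s()]+")


def tokenize(dep_string):
    """Split a dependency string into parens, USE conditionals and package atoms."""
    return _TOKEN.findall(dep_string)


def parse(tokens, pos=0):
    """Recursive-descent parser. Returns (nodes, next_pos); a node is
    ('atom', name), ('group', nodes) or ('cond', flag, negated, nodes)."""
    nodes = []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ")":
            return nodes, pos + 1
        if tok == "(":
            inner, pos = parse(tokens, pos + 1)
            nodes.append(("group", inner))
        elif tok.endswith("?"):
            flag = tok[:-1]
            negated = flag.startswith("!")
            if negated:
                flag = flag[1:]
            if pos + 1 >= len(tokens) or tokens[pos + 1] != "(":
                raise ValueError(f"expected '(' after {tok!r}")
            inner, pos = parse(tokens, pos + 2)
            nodes.append(("cond", flag, negated, inner))
        else:
            nodes.append(("atom", tok))
            pos += 1
    return nodes, pos


def parse_deps(dep_string):
    """Parse a whole dependency string, rejecting a stray closing paren at top level."""
    tokens = tokenize(dep_string)
    nodes, end = parse(tokens)
    if end != len(tokens):
        raise ValueError("unbalanced parentheses in dependency string")
    return nodes


def enabled_deps(nodes, use):
    """Flatten the parse tree to the atoms that are active under the given USE set."""
    out = []
    for node in nodes:
        if node[0] == "atom":
            out.append(node[1])
        elif node[0] == "group":
            out.extend(enabled_deps(node[1], use))
        else:
            _, flag, negated, inner = node
            if (flag in use) != negated:       # 'flag? (...)' needs flag set; '!flag? (...)' needs it unset
                out.extend(enabled_deps(inner, use))
    return out


def closure(world, use, metadata):
    """Transitive set of packages pulled in by `world` under `use`.
    Packages with no metadata entry are treated as leaves."""
    installed = set()
    stack = list(world)
    while stack:
        pkg = stack.pop()
        if pkg in installed:
            continue
        installed.add(pkg)
        for dep in enabled_deps(parse_deps(metadata.get(pkg, "")), use):
            if dep not in installed:
                stack.append(dep)
    return frozenset(installed)


def pruned_by(use, metadata=PACKAGES, world=WORLD):
    """Packages present in the all-features build but dropped under `use`."""
    return closure(world, FULL_USE, metadata) - closure(world, use, metadata)


if __name__ == "__main__":
    for label, use in [("everything on", FULL_USE),
                       ("ncurses+ssl, minimal", {"ncurses", "ssl", "minimal"}),
                       ("minimal only", {"minimal"})]:
        got = closure(WORLD, use, PACKAGES)
        print(f"{label:22} {len(got):2} packages; pruned: {sorted(pruned_by(use))}")
```

Each distinct USE set yields a different closure, which is the same fact the comment weighs from both sides: fewer packages on a given box, but a package mix that few other boxes share.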
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.