Nothinman
Say a bunch of software engineers develop a distribution for themselves, and only for themselves, as a hobby. Then they publish it on the internet in the hope of attracting other software engineers to improve it. The distro is good in many ways and attracts non-software engineers, which was never its intention. Do you really expect the original team to accommodate them when that was never their intention? It's like expecting someone driving a mostly empty bus to pick up, feed, and transport every hitchhiker they see to each individual destination just because they have the room.
I understand that, but the situation doesn't seem that extreme to me. There have been several attempts to submit patches, but he constantly ignored them and didn't make any progress on what really is a big security hole in 5 years, so why should anyone attempt to do the work again when it'll most likely just be ignored again?
The pacman source code is available as well. And I think the original attitude was that this was a distro for coders. Hence the user-centric bit. Not that this should or shouldn't change, but that's where it's coming from.
Which is fine, but patches were actually submitted and he blew them off.
And nowhere is Arch really advertising itself. It doesn't even mention security on its front page or in its mission statement. It was built as a hobbyist distro. I'm not saying that excuses security holes, but it explains why they're there. My attitude, in traditional Arch form, is "alright, I've been itching for a meaningful project for a while anyway. Why not this?" So as a coder I'll get intimate with pacman/other related packages and see what I can do. At the very least I should be able to make some helpful suggestions to speed things along.
And as he mentioned, people tried that and he blew them off because it wasn't 100% what he wanted. As the maintainer and probably majority copyright owner of the code that's his prerogative, but that's a damn shitty way to run any software project.
And just to clarify, aside from the package signing issue, Arch is as secure as you make it. You mention holes plural, but I've never heard of any others.
IMO, if they're that lax about something as core to the system, they're going to be that way about other parts too, so why shouldn't I assume there's other half-assed software in there?