Arch Obsession?


Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Say a bunch of software engineers develop a distribution for themselves, and only for themselves, as a hobby. Then they publish it on the internet in the hope of attracting other software engineers to improve it. The distro is good in many ways and attracts non-software engineers, which was never its intention. Do you really expect the original team to accommodate them when that was never their intention? It's like expecting someone driving a mostly empty bus to pick up, feed, and transport every hitchhiker they see to each individual destination just because they have the room.

I understand that, but the situation doesn't seem that extreme to me. There have been several attempts to submit patches, but he constantly ignored them and didn't make any progress on what really is a big security hole in 5 years, so why should anyone attempt to do the work again, since it'll most likely just be ignored again?

The pacman source code is available as well. And I think the original attitude was that this was a distro for coders. Hence the user-centric bit. Not that this should or shouldn't change, but that's where it's coming from.

Which is fine, but patches were actually submitted and he blew them off.

And no where is Arch really advertising itself. It doesn't even mention security on its front page, or its mission statement. It was built as a hobbyist distro. I'm not saying that excuses security holes, but it explains why they're there. My attitude, in traditional arch form is "alright, I've been itching for a meaningful project for a while anyway. Why not this?" So as a coder I'll get intimate with pacman/other related packages and see what I can do. At the very least I should be able to make some helpful suggestions to speed things along.

And as he mentioned, people tried that and he blew them off because it wasn't 100% what he wanted. As the maintainer and probably majority copyright owner of the code, that's his prerogative, but that's a damn shitty way to run any software project.

And just to clarify, aside from the package signing issue, arch is as secure as you make it. You mention holes plural, but I've never heard of any others.

IMO if they're that lax about something as core to the system they're going to be that way about other parts too so why shouldn't I assume there's other half-assed software in there?
 

Cerb

Elite Member
Aug 26, 2000
17,484
33
86
If it doesn't somehow change, it will blow up, at some point.

Right now, the problems are that Arch works, and unlike Slackware, it grows. It works well. It takes a wee bit longer to set up than plenty of other distros, but is easy to maintain, while still offering quite new versions of most software. With so many distros, "showcasing KDE/Gnome/LXDE/whatever," or otherwise having agendas; other distros being PITAs to manage over the long term (Ubuntu, FI), or consistently having breakage (PCLOS' current samba and nVidia, right now, and a tendency for SimplyMEPIS to get into Apt-paralysis mode, off the top of my head).
 

irishScott

Lifer
Oct 10, 2006
21,568
3
0
I understand that, but the situation doesn't seem that extreme to me. There have been several attempts to submit patches, but he constantly ignored them and didn't make any progress on what really is a big security hole in 5 years, so why should anyone attempt to do the work again, since it'll most likely just be ignored again?

Which is fine, but patches were actually submitted and he blew them off.

And as he mentioned, people tried that and he blew them off because it wasn't 100% what he wanted. As the maintainer and probably majority copyright owner of the code, that's his prerogative, but that's a damn shitty way to run any software project.

IMO if they're that lax about something as core to the system they're going to be that way about other parts too so why shouldn't I assume there's other half-assed software in there?

Wait, where did he blow off submitted patches again, and where are you getting that it was because "they weren't exactly like he wanted"? He mentions problems with the submitted work, not specific enough to make that kind of accusation. As for the LWN article (if that's what you're referring to), the lead developer says it's a pack of lies perpetuated by a rogue blogger, and from what I've seen I'm inclined to believe him. Media sensationalism is nothing new anyway, even in the niche tech media.

And you're welcome to make all the assumptions you like, so long as you realize that they are assumptions. Given that arch is mostly a user-customized distro, the only place you can attribute any security holes to arch as a whole is the core system. Thus far, TMK package signing is the only significant issue that has come to light in that regard.
 

ObscureCaucasian

Diamond Member
Jul 23, 2006
3,934
0
0
My next build will probably be Arch, but they definitely need to get package signing added if they want to be taken seriously. The attitude of the lead developer of pacman is a little disconcerting though... he seems driven by his personal interests and use cases as opposed to those which are actually in the best interest of the Arch community (which isn't a great quality to have in a lead dev).
 

Vic Vega

Diamond Member
Sep 24, 2010
4,536
3
0
You're not missing anything. Arch is neat cause it's a roll your own distro that isn't as retarded as Gentoo, but as you noted, it has a critical security flaw due to lack of package signing. I think people just like it cause it isn't as n00b friendly, so they can feel 1337. Just install Debian, and be done with it :^D

Arch does have good documentation, and it's a good resource for other distros too.

This is it.
 

1saac

Junior Member
Jul 27, 2011
1
0
0
Given that arch is mostly a user-customized distro, the only place you can attribute any security holes to arch as a whole is the core system. Thus far, TMK package signing is the only significant issue that has come to light in that regard.
That being the case, isn't it a little disturbing that it's gone for about five years without being resolved?
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Wait, where did he blow off submitted patches again, and where are you getting that it was because "they weren't exactly like he wanted"? He mentions problems with the submitted work, not specific enough to make that kind of accusation. As for the LWN article (if that's what you're referring to), the lead developer says it's a pack of lies perpetuated by a rogue blogger, and from what I've seen I'm inclined to believe him. Media sensationalism is nothing new anyway, even in the niche tech media.

That was the impression I got from reading his blog post whining about the whole situation instead of just fixing it.

And you're welcome to make all the assumptions you like, so long as you realize that they are assumptions. Given that arch is mostly a user-customized distro, the only place you can attribute any security holes to arch as a whole is the core system. Thus far, TMK package signing is the only significant issue that has come to light in that regard.

But those assumptions or educated guesses are based upon past activities and facts. If multiple Arch developers are either completely ignorant about security or just unwilling to fix holes that are pointed out to them in one area why shouldn't I assume they're doing the same in all areas? I understand this is just their hobby, but when you put something out there for others to use there's a certain level of responsibility you should assume. With random attacks from people like lulzsec who knows who the next target will be.
 

TBSN

Senior member
Nov 12, 2006
925
0
76
I have had a love/hate relationship with Arch. On the one hand, it is a great distro, has unparalleled documentation and you learn a lot from using it. On the other hand, it has a small, elitist group controlling it. Any mention of package signing (or possible SOLUTIONS) is quickly closed, locked and deleted from the forums. It is not about people whining, it's about control. Censorship never feels good, and there is a huge elephant in the room with Arch. That is the problem; any discussion about the downsides of Arch is squelched and deleted, which will only hurt the distro in the long run.
 

Jodell88

Diamond Member
Jan 29, 2007
9,491
42
91
Package signing is coming to ArchLinux with pacman 4.0 which is currently in the release candidate phase. Also, about 50% of its packages are currently signed.

Better nate than lever!
 

TBSN

Senior member
Nov 12, 2006
925
0
76
One interesting thing about Arch is that all the software is completely untouched and vanilla and not tailored to the distribution like many others. That makes it challenging but also more customizable I guess.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
One interesting thing about Arch is that all the software is completely untouched and vanilla and not tailored to the distribution like many others. That makes it challenging but also more customizable I guess.

IMO that defeats the purpose of a distribution. One of the main reasons distributions exist is to take a lot of separate software and build a cohesive system out of it. Anyone can download a bunch of tarballs and just build them and hope for the best.
 

Cerb

Elite Member
Aug 26, 2000
17,484
33
86
IMO that defeats the purpose of a distribution. One of the main reasons distributions exist is to take a lot of separate software and build a cohesive system out of it. Anyone can download a bunch of tarballs and just build them and hope for the best.
Well, there are three problems, here:

1. It's false that they don't change anything for Arch. Arch is like Slackware, in that it tries not to mess with packages. They do apply patches when needed, but only when needed, rather than customizing by default.

2. There is a package manager, which handles dependencies, and there are repositories. Except for AUR, packages are tested to work properly with the rest of the system, and modified to do so if they do not. IoW, the point of a distro is quite well served. The point should not necessarily be to configure everything into a highly-integrated system, often inviting interdependencies, and general breakage when you have packages you aren't supposed to have (like having more than one DE's metapackage installed). Most other distros that handle this well, like Debian proper, also keep around old software.

3. No, not everyone can download a bunch of tarballs and just build them. Try it some time. Not only will you spend ages tracking down dependencies, but you will also have to fix sources and configurations, not always being able to get everything fixed quickly or easily based on error messages given. Some software will be easy, but some will be practically impossible (vanilla ZSNES comes to mind). This is unreasonable to do, hence bundling them in packages in the repos. Arch's approach is just to do as little as is needed to make it function (including nothing at all, if reasonable), and if that still leaves user configuration to be done, well, that's what the wiki and forum are for.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Cerb said:
2. There is a package manager, which handles dependencies, and there are repositories. Except for AUR, packages are tested to work properly with the rest of the system, and modified to do so if they do not. IoW, the point of a distro is quite well served. The point should not necessarily be to configure everything into a highly-integrated system, often inviting interdependencies, and general breakage when you have packages you aren't supposed to have (like having more than one DE's metapackage installed). Most other distros that handle this well, like Debian proper, also keep around old software.

That most certainly is the point; otherwise you're cheapening it to a brand name which doesn't actually mean anything. Certain packages conflict with others, and that's defined in the package metadata itself so that you can't get into a situation like that. If that's not true then there's a bug in those packages; it's that simple.

You most certainly can have different DE's metapackages installed on Debian, I don't know any of them that conflict off the top of my head.

Debian keeps around older packages as necessary for other packages to run, no other reason. Sid tracks current versions fairly well, but I would rather they leave library Y packaged and available until Y+1 is ready, doing otherwise introduces breakage for no reason.

Cerb said:
3. No, not everyone can download a bunch of tarballs and just build them. Try it some time. Not only will you spend ages tracking down dependencies, but you will also have to fix sources and configurations, not always being able to get everything fixed quickly or easily based on error messages given. Some software will be easy, but some will be practically impossible (vanilla ZSNES comes to mind). This is unreasonable to do, hence bundling them in packages in the repos. Arch's approach is just to do as little as is needed to make it function (including nothing at all, if reasonable), and if that still leaves user configuration to be done, well, that's what the wiki and forum are for.

I didn't say it wouldn't be tedious, just that it's possible. I know the work involved and it's really not as bad as you paint it out to be.
 

Cerb

Elite Member
Aug 26, 2000
17,484
33
86
That most certainly is the point; otherwise you're cheapening it to a brand name which doesn't actually mean anything. Certain packages conflict with others, and that's defined in the package metadata itself so that you can't get into a situation like that. If that's not true then there's a bug in those packages; it's that simple.

You most certainly can have different DE's metapackages installed on Debian, I don't know any of them that conflict off the top of my head.
I specifically excluded Debian on that point. PCLOS and Ubuntu consistently have such breakage, FI (like most everyone, I try each new Ubuntu, to see what the fuss is about, then swear it off for another 6 months).

Debian keeps around older packages as necessary for other packages to run, no other reason. Sid tracks current versions fairly well, but I would rather they leave library Y packaged and available until Y+1 is ready, doing otherwise introduces breakage for no reason.
Meanwhile, I'd rather have newer versions of applications, rather than keeping old broken versions around for no apparent reason, like Debian sticking with pre-1.X versions of VLC for ages, while it was not nearly a fully functional, reliable, stable, application in those old versions, unless all you wanted it for was a demux/mux server for MPEG family formats.

I didn't say it wouldn't be tedious, just that it's possible. I know the work involved and it's really not as bad as you paint it out to be.
Depends on what is being built. When it's largely unmaintained software, and/or esoteric software, it can be a nightmare. It tends to be less frustrating, with esoteric, but maintained, software (software for my cell phone, FI, which effortlessly builds on Arch, but not any Debian-derivative I've tried, Mandriva, nor PCLOS), on distros like Arch and Slack, that expose the pipes, and don't add more default configuration settings than are needed to use the base system.
 

trollolo

Senior member
Aug 30, 2011
266
0
0
I've run into a few Arch users in my day, and for the most part we clash very harshly. I've always been a fan of .deb distros for their stability and wide support. I feel no need to spend hours tinkering. The above picture holds very true in my opinion.
 

irishScott

Lifer
Oct 10, 2006
21,568
3
0
Meh, I like spending hours tinkering and customizing. At the end of the day I know my system down to the last detail. That knowledge and feeling of accomplishment is worth it to me. Now if the tinkering is due to some stupid bug then things get annoying...

I'll admit Arch isn't for the average user. Nor was it ever meant to be. It's meant to be a framework for you to build your system from the ground up without the largely negligible/overcomplicated step of compiling. If that's not for you, great, but don't bash those who see linux as a hobby as well as a tool.

Edit: And pacman has never erased or reset my config files.... Arch is growing, and people other than middle-schoolers find it attractive for some reason. Sure there's the ZOMG I USE ARCH I BE 1337 crowd, but the comic comes off as being less mature than they are.
 

Cerb

Elite Member
Aug 26, 2000
17,484
33
86
LOL. As to the config file bit, pacman will not overwrite custom config files, but will rename them, or ask you what to do.
 

Jodell88

Diamond Member
Jan 29, 2007
9,491
42
91
That's so wrong it isn't even funny. A real Arch guy wouldn't even enter that debate. Even if he did he would recommend Ubuntu, Fedora etc. There's a reason for RTFM and most users don't do it.

As for the customization, do it once and you don't have to do it again, unless upstream makes drastic changes.
 

BurnItDwn

Lifer
Oct 10, 1999
26,129
1,604
126
Ehhh ... I tinkered with Arch a little bit, but still prefer Slackware if I'm on a Linux box.

That said, I prefer OpenBSD over Linux generally.
 

kermit32

Banned
Jan 12, 2012
8
0
0
Arch and UbuntuJEos are two of my 'dearest' Linux platforms, 'cos you can customize anything for any usage. So you aren't 'missing' anything; it depends on what you need the system for. Maybe, just maybe, a bigger 'love' can be the FreeBSD minimal version called FreeSbie or something like that, similar to Arch, and even better. Just my 2 cents.
 