Not-So-Good Press for Arch



V.T. Eric Layton
http://igurublog.wordpress.com/2011/02/19/...e-notso-secret/

Sadly, I'd have to agree with this blogger regarding his opinion of Arch's forums. I went there and signed on recently thinking that the community there would be fun and helpful like Arch's wiki... not so. My very first post was met with administrative BS and a reminder to read the forum rules. No one even posted a reply to my intro post.

https://bbs.archlinux.org/viewtopic.php?pid=891048#p891048

I read that a bit earlier, still kind of mulling it over.

Wonder if there are other distros that have similar repo/package habits?


securitybreach

Yeah well I could have told you that the Arch forums are a bit elitist. :ph34r: Their attitude is "Read the wiki, search the forums, and then ask. Otherwise you get flamed". The problem is a lot of the Arch users are developers and programmers so they tend to expect everyone else to have their level of skill. Archlinux is more a developer's distro in a lot of ways. It is not right at all but that is how it has been since I have been using Arch. I realize that they expect you to list all output from commands and everything else you tried when starting a thread, so I tend to watch how I ask a question and search thoroughly before asking.

That is one of the main reasons I wrote an extensive tutorial and try to help others with Arch, well that and Eric asked me to write the tutorial B)


securitybreach

As far as package signing, all of the packages in the official repositories are all checked thoroughly just like any other distro. The packages in AUR plainly have the md5 listed in the PKGBUILD and check against the original checksum. So how is package signing missing in Arch? Maybe I am not understanding his argument.


securitybreach

As far as your post Eric, I do not really see a problem with the Admin reply. There is a huge welcome thread and like a lot of forums, they expect you to look at the stickies and point you to them if you missed them.

Oh, did not see his edit. That is crap :ph34r:


> The attitude on the Arch forums is why I come here and ask securitybreach.....

I have to agree with thecdn. I sometimes think that I kind of take advantage of Josh. But he continues to be a good sport about it. I have found many solutions for issues on the wiki once you start to learn "HOW" to search for an issue. Many times it's all in the way you state your criteria.

But at the same time though, I did get some good feedback in the Arch forum on an issue that I was having and it was also solved. But, with that being said, I have read MULTIPLE threads where posters get their backside flamed in a heartbeat if someone is able to post a link to either a wiki or another post covering their question. The attitude there in most cases is: "If I can find it......So can you"

Josh has kind of spoiled me and I have realized that and started spending more time searching for my solutions. When I fail, Josh and many others on here always have my back. ;)

Ian

> Interesting stuff, thanks :)

Mhmm - we have some good ideas cooking. First step fully custom Linux distro, second step - world domination! Mwhahaha!

One step at a time though of course ;)

~Jeff

securitybreach
> Mhmm - we have some good ideas cooking. First step fully custom Linux distro, second step - world domination! Mwhahaha!
> One step at a time though of course ;)
> ~Jeff

Of course :)

> It first runs sudo pacman to sync and download packages due for update on your system

What does "sudo pacman" mean? Does this guy's patch need SUDO to run? :unsure: Well the lack of security checks is a concern, as are the attitudes of the developers. If it is reasonably easy to introduce the changes needed then I would have thought it would have been the decent thing to do. Still it is the developers' baby and if they do not want to implement the security then it really is up to them.

V.T. Eric Layton
> Yeah well I could have told you that the Arch forums are a bit elitist. :D Their attitude is "Read the wiki, search the forums, and then ask. Otherwise you get flamed". The problem is a lot of the Arch users are developers and programmers so they tend to expect everyone else to have their level of skill. Archlinux is more a developer's distro in a lot of ways. It is not right at all but that is how it has been since I have been using Arch. I realize that they expect you to list all output from commands and everything else you tried when starting a thread, so I tend to watch how I ask a question and search thoroughly before asking.
> That is one of the main reasons I wrote an extensive tutorial and try to help others with Arch, well that and Eric asked me to write the tutorial B)

Well, I'd have to be pretty desperate to ask them bastages on that forum anything. I don't have patience for the nicey-wicey shiite. I'll tell 'em where to go. They can ban me. ;)

> As far as package signing, all of the packages in the official repositories are all checked thoroughly just like any other distro. The packages in AUR plainly have the md5 listed in the PKGBUILD and check against the original checksum. So how is package signing missing in Arch? Maybe I am not understanding his argument.

md5sum is not security signing, J. That's just a package integrity check. Security signing requires encryption/decoding keys like GnuPG and other security apps. Here's a sample sig used on a Debian update:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFNJOIZbxelr8HyTqQRAtSgAJ4lVID2O5XgBe6NASRLz4rw8eJgWgCfVY/5
YlCiTRfWVrJ6YXYfPX2m/3M=
=608/
-----END PGP SIGNATURE-----

> Oh, did not see his edit. That is crap :unsure:

Yup. He edited out the nasty RTFM-like comment.

=====

Well, anyway... Back to topic --> I'm not too worried about this package signing broo-ha-ha. Unfortunately, now that it's getting publicized, someone is bound to test the theory that a package can be corrupted. We'll see...
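The checksum-versus-signature distinction raised in the post above, as an added example that is not part of the original thread. A Lamport one-time signature built from SHA-256 stands in for a GnuPG signature so the sketch runs on the Python standard library alone; all function names and package contents are constructed for illustration.

```python
import hashlib
import secrets

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def checksum_ok(package: bytes, listed_md5: str) -> bool:
    # Integrity only: the listed value needs no secret to produce.
    return md5_hex(package) == listed_md5

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(message: bytes):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport key pair: 256 pairs of secrets, public key is their hashes.
    # A key is safe for ONE message only; real packaging uses GnuPG keys.
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(_h(a), _h(b)) for a, b in priv]
    return priv, pub

def sign(priv, message: bytes):
    # Reveal one secret per bit of the message digest.
    return [priv[i][bit] for i, bit in enumerate(_bits(message))]

def verify(pub, message: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_h(sig[i]) == pub[i][bit] for i, bit in enumerate(_bits(message)))

def mirror_swap_demo():
    # priv stays with the packager; pub is pinned on the user's machine.
    priv, pub = keygen()
    original = b"constructed package contents v1.0"
    release = {"pkg": original, "md5": md5_hex(original), "sig": sign(priv, original)}

    # A modified mirror can replace the file and recompute the checksum,
    # but cannot produce a new signature without the private key.
    tampered = b"constructed package contents v1.0 + unwanted change"
    served = {"pkg": tampered, "md5": md5_hex(tampered), "sig": release["sig"]}

    return {
        "genuine_md5": checksum_ok(release["pkg"], release["md5"]),
        "genuine_sig": verify(pub, release["pkg"], release["sig"]),
        "tampered_md5": checksum_ok(served["pkg"], served["md5"]),
        "tampered_sig": verify(pub, served["pkg"], served["sig"]),
    }

if __name__ == "__main__":
    for check, passed in mirror_swap_demo().items():
        print(f"{check}: {'pass' if passed else 'FAIL'}")
```

The checksum passes for both the genuine and the replaced package because it travels with the file; only the check against the pinned public key tells them apart.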

I refuse to post at the Arch forums...much too intimidating for me. I'm very careful about where I go asking for help, especially once I found out what RTFM means. :D No one's ever told me that here. :)

I like it here. None of yous make me feel like an idiot, especially when I ask what seems to be stupid questions. I've gotten better at looking for my own solutions over the past couple of years but I still need the occasional hand-holding.

Thank you all. :unsure:


> ..., especially once I found out what RTFM means. :D No one's ever told me that here. :unsure:

'Read The Fine Manual', not what you've been told. Always good advice when the manual is actually well written for users, i.e. ArchWiki, Mepis Manual, Mint documentation. Most others, not so much.

The Mint devs were so impressed with the RTFM responses at the *buntu forums that they created a script which they named RTFM. It helps new users to be able to read the man pages without really knowing how to do it. Remember when you would ask a question someplace and the answers made even less sense than the problem you were trying to solve? I had the same problem the first few times I was told to RTFM, I did not know how to find it or get it to tell me what I needed to know. When I asked about it I was told to RTFM, not very helpful.

Ah, the good old days.

Edited by amenditman

Maybe I'm weird, but I've never had a problem at the Ubuntu forums. It may be true that they have more bad guys than other forums, but they have more peeps in general. They also seem to have more social threads that lead nowhere, but I think that is also a function of Ubuntu's unique status as a Linux gateway. I really have nothing bad to say about them.

I've never used Mepis or its lightweight cousin AntiX all that much, but that community seems exceptionally friendly.

The Arch forums were, to me, a void. That guy who hosts the archlinux.us domain is really cool. When I left Arch, I told him he could cancel my email and give the space to somebody else who might be in a position to contribute to the project, and he was very gracious about that. But I don't think I ever got a reply to anything I ever posted on the forums. It was sort of like I'd come in and said, "Hey, somebody just gave me this fish, do you think I should, like, cook it?"

"RTFM" is never an appropriate response. Well, maybe not "never". If someone started off their first post by calling the forum host's sister a ****, maybe "RTFM" would work. I understand that some peeps don't want to answer the same question for the 800th time, but "Look on page 53" or "Search for Broadcom 43xx" or "There's a wiki page that will get you going" are OK. Or just ignoring the question and letting somebody else do the dirty work. "RTFM" demonstrates a failure of imagination.


> They also seem to have more social threads that lead nowhere,

As opposed to BATL where posts always stay on topic. B) :lol:

RTFM - 'Read The Fine Manual' may be what it means in family friendly forums, but it can be something slightly different when used in anger.

Roast The Flipping Maker may be considered a bit on the borderline of decency in some circles but hardly a showstopper in the real world. B)


I can kinda see Allen's point. Crazy I know.

He is not an employee, the owner of a company selling something, or any other person of commercial responsibility. He can't even be considered a volunteer. Independent developers of FOSS projects do it for fun or the love of doing it. When the responsibilities of popularity take the fun out of it, someone else needs to do it. We, the users of his 'product', can place absolutely no expectations upon him or any of the other developers of Free Software, by the way, one of the meanings of Free should be that the genius developers behind it are free to do what they want with it. We are all free to move on to something else. Windows or Mac anyone?

And, if someone is using it in a life or death kind of situation they should at the least have their head examined. "...they should die." Takes it a bit far, but he was upset and probably over the huge distraction this has been made into. Use a big, commercially supported OS like Red Hat if it's important and you can't support it yourself, otherwise, use CentOS or Debian and do it yourself.

I guess I'm done mulling this over and have made up my mind.

Arch works very well for me and I have no problems with securing my system myself. I will keep the non-gpg nature of packages in mind but continue as always.


securitybreach
> I can kinda see Allen's point. Crazy I know.
> He is not an employee, the owner of a company selling something, or any other person of commercial responsibility. He can't even be considered a volunteer. Independent developers of FOSS projects do it for fun or the love of doing it. When the responsibilities of popularity take the fun out of it, someone else needs to do it. We, the users of his 'product', can place absolutely no expectations upon him or any of the other developers of Free Software, by the way, one of the meanings of Free should be that the genius developers behind it are free to do what they want with it. We are all free to move on to something else. Windows or Mac anyone?
> And, if someone is using it in a life or death kind of situation they should at the least have their head examined. "...they should die." Takes it a bit far, but he was upset and probably over the huge distraction this has been made into. Use a big, commercially supported OS like Red Hat if it's important and you can't support it yourself, otherwise, use CentOS or Debian and do it yourself.
> I guess I'm done mulling this over and have made up my mind.
> Arch works very well for me and I have no problems with securing my system myself. I will keep the non-gpg nature of packages in mind but continue as always.

My thoughts exactly!!!! B)

V.T. Eric Layton

And now we see the true underlying flaws in the "free as in beer" implementation of software. It's always going to be difficult to find altruistic souls who will toil for free to benefit the rest of us. It's a capitalistic world, like it or don't. Reality is everyone expects something in exchange for their efforts eventually.

It's a shame that the Arch devs aren't any more concerned about this than they are. And sadly, to me, they sound like a bunch of kids in a garage somewhere building a go cart out of scrap wood and buggy parts. They only care to work on what will benefit them and their agenda. The operating system they maintain just seems to be a hobby/by-product of their tinkering. That doesn't really bode well for the OS, I don't think.

It also shows the MAJOR differences between an OS like Arch (as much as I like it) and say... Debian or the OpenSuSE project. Can't really compare with Slackware, though, because Slack is nearly a one-man show. Sad. B)


securitybreach
> And now we see the true underlying flaws in the "free as in beer" implementation of software. It's always going to be difficult to find altruistic souls who will toil for free to benefit the rest of us. It's a capitalistic world, like it or don't. Reality is everyone expects something in exchange for their efforts eventually.
> It's a shame that the Arch devs aren't any more concerned about this than they are. And sadly, to me, they sound like a bunch of kids in a garage somewhere building a go cart out of scrap wood and buggy parts. They only care to work on what will benefit them and their agenda. The operating system they maintain just seems to be a hobby/by-product of their tinkering. That doesn't really bode well for the OS, I don't think.
> It also shows the MAJOR differences between an OS like Arch (as much as I like it) and say... Debian or the OpenSuSE project. Can't really compare with Slackware, though, because Slack is nearly a one-man show. Sad. :lol:

Yeah, I kind of feel the same way Eric. On one hand, I love the simplicity of Archlinux and the control but on the other hand I feel as though it is not a complete OS, if that makes sense. Yes, I know you start out with nothing and build it to your liking but sometimes the lack of 'direction' can hurt a project. Archlinux is a distro for hackers (tinkers) and you're right, sometimes it does feel as though it is a hobby for the devs and not a distro for an end user.

Over the years, I have used every distro under the sun but finally settled on Archlinux for the same reasons we have discussed. Yes it is more of a developer's distro, but I enjoy the control over what services and packages are installed. Heck I would probably be still using Slackware if it were not for the lack of package management. That said, all of the discussion lately has got me rethinking my Linux experience. Not saying I will leave Archlinux but who knows I may try out LFS B)

V.T. Eric Layton
> ...but who knows I may try out LFS B)

Or maybe even Gentoo. :lol:

Seriously though, I don't want to slam Arch in any way. That distribution is MUCH more than just a couple of devs who own the copyrights to the name. It's the entire sum of all the pieces; pieces like you and me, the dedicated folks who edit that wiki, the group that works on apps for the AUR repos, etc. It's every piece of the puzzle. That's what makes Arch a wonderful distribution.

So, yeah... it kinda' sucks that you have a very popular distribution that is maintained by folks who really don't seem to appreciate what they have created (or inherited). I could be wrong about them, and probably shouldn't judge on just that one list thread. It just seems that they don't realize what they have. There are very small distributions with super-dedicated devs who do all they can to improve their operating system. It's a passion with some of them; the Ark Linux devs, for instance, or Tomas F. with Foresight Linux. They're constantly striving to better their project. None of them are making any money either... or the hundreds of contributors to Debian, for that matter. How 'bout Pat V. and the handful who help him (Eric Hameleers, Robby Workman, etc.)? Talk about dedication.

Anyway, I hope that Allan McRae was just miffed at IgnorantGuru in that thread. I hope that he doesn't really not give a shiite, as much as he made it sound there in that thread. Time will tell...

G'night...

I looked at LFS after Thanksgiving 2010. I finally decided that even disabled and unemployed I didn't have enough time for it. Too many other important things I want to do. Just me exercising my freedom to do what I enjoy and want to do. Plus, there's always Debian Sid if I want to use something fun and mostly functional to tinker with.


V.T. Eric Layton

=====

Heh! It's kinda' funny, but it seems that every time I take a poke at Gentoo (all in fun, I might add), Greg (trigggl) shows up shortly afterwards. I must add the obligatory, "Sorry, Greg. Just kidding about Gentoo." B)


securitybreach

@amenditman I was kidding, I do not think I am ready to tackle that one just yet. B)

@Eric I agree....and you better watch out Greg could be right around the corner :ph34r:


I'm playing devil's advocate for a second. While I don't agree with how they handle package signing...I can't think of a time Arch ever claimed to be anything other than what it was. I have never read "welcome new explorers" on their web sites. They just seem to be the more elite of the elite...and have made no claim to be other than that. I tend to think they have been more honest in that aspect than many others.

Let's switch the roles around..how about, I use your system because it's free...but it doesn't come up to my standards..I demand you give more of your time to make it fit my standards, I don't have solutions myself...I don't like the way you explain things..but you better make it perfect for me..but you must do it in a way that doesn't show that

a. you know more than I do
b. that I can blame you if I don't understand....even if you have no way of knowing my actual knowledge level
c. That if I go my own direction..it will still be your fault

Now off with you...MY time is valuable..after all ..I have a real Job..you should be grateful I allow you to use your free time for me.

I know no one here thinks that way...But I have wondered how it sounds to the other side.


> =====
> Heh! It's kinda' funny, but it seems that every time I take a poke at Gentoo (all in fun, I might add), Greg (trigggl) shows up shortly afterwards. I must add the obligatory, "Sorry, Greg. Just kidding about Gentoo." B)

Did somebody say something?

> @amenditman I was kidding, I do not think I am ready to tackle that one just yet. B)
> @Eric I agree....and you better watch out Greg could be right around the corner :ph34r:

You never know when I'll show up.