Not-So-Good Press for Arch

[ssri]

Getting back on topic, it is interesting that the Chakra devs (the ones who built and maintained KDEMod for Arch) think that package signing is important and deserves attention (thread is stickied): http://chakra-project.org/bbs/viewtopic.php?pid=28998. AFAIK they still use pacman as their package manager, which is to be replaced sometime in the future.Granted, it should be acknowledged that over the years there has been some fits and starts with developing package signing on Arch adhering to KISS for its package manager, pacman. The most notable one I recall was in 2008 that never really picked up any head of steam. Still, Arch is a nice distro for testing/seeing what's the latest and greatest and it does many things right. Security, as of this moment sadly, is not one of them. Then again, package signing is not the end all be all, as evidenced by the breach of Red Hat's servers, including the one used for Fedora's package signing. Thankfully, AFAIK, it didn't lead to any malicious packages being distributed.

Honestly, Aaron and I care very little about making this distro popular, so we aren't looking to ride the happy train to the Distrowatch #1 spot here. So if you think your threats of leaving the distro help, you're wrong. --Dan McGee

https://bugs.archlinux.org/task/5331 Edited March 7, 2011 by ssri

[V.T. Eric Layton]

Welcome to Scot's and to BATL, ssri!

[securitybreach]

Welcome to the forums ssri and thanks for the info

[ssri]

Wow, the sh*t hit fan...http://lwn.net/Articles/434990/http://lwn.net/Articles/435251/

[securitybreach]

Wow, the sh*t hit fan...http://lwn.net/Articles/434990/http://lwn.net/Articles/435251/

Yeah I just posted a thread here about that last night. Thanks for the info though.