Arch's Dirty Little Not-So-Secret

    Arch's Dirty Little Not-So-Secret

    Catchy title, huh? Greetings - haven't posted here for a while now that I'm no longer a Kubuntu user, but I see some familiar names. A while back I made my Big Move To Arch, so I thought I would follow up on that a bit. I actually came here looking for distro ideas, because I've decided to move on from Arch. (Kubuntu Forums has this great 'Distribution Showdown' area which the other forums can't handle.)

    Arch has a lot going for it in its design, but those seriously considering it should read Arch's Dirty Little Not-So-Secret so you know what you're getting into. I knew from the start that Arch had no gpg signatures on their packages, but I thought they must have something protecting the data. I was wrong, and after it was brought to my attention, I looked into it and found more than I bargained for. Not only is Arch's package management a huge security vulnerability just waiting for exploitation, but the attitudes of the Arch devs toward their users and toward security are highly disappointing, right down to the lead developer. That is why I'm now OS shopping, because even if they add package signing (some year?), I still wouldn't trust their product given the conversations I've had.

    But Arch was good for me in a number of ways. I learned a lot setting it up and using it, and its flexibility and simplicity are great. As I've said before, any K/Ubuntu user who has a little practice with the command line can handle Arch. The big bonus from Kubuntu for me was the control I had over how little or how much to have installed and running on my system, and I knew how it all worked since I set it up from scratch. You will get a little breakage now and then due to the cutting edge mentality, but it's nothing much to handle. Arch has almost become boring in its stability. Yet the forums really really bite, and most Arch users will tell you this if they're honest. The attitude toward newbies is horrid, and any even slightly controversial topic is deleted. Worse, any discussion of Arch's security problems is forbidden (deleted). When I published my article (which was picked up by Linux Today and gave my blog the biggest traffic it's ever had AND crashed my mail server all in one day), I was surprised by the number of Arch users who were unaware of this gaping hole. But with any posts on the forum about it removed, it's not transparent enough, which was why I encouraged discussion of it on my blog. I have to be honest and say I haven't missed K/Ubuntu much, EXCEPT the forums. It's impossible to have a productive conversation on the Arch forums, and I was used to the way people of very different knowledge-levels get along here.

    So now I'm thinking of Gentoo, because they have good security from what I hear, and are also rolling release, which I like. I'm just wondering how up-to-date it will be compared to Arch, but I don't need the latest and greatest. And I'm also trying FreeBSD. Has its positives, but limited hardware support may do me in there - I've been trying to get my Brother printer working with it.

    Where does one go on graduating from Arch? They didn't tell us this at freshman orientation, but they also didn't mention their compromised mirrors. At any rate, don't take any BS from Arch users - just bring up package signing and watch them blanch.

    Also, a reminder that my blog has some useful scripts and things, and most of my stuff works on any Linux distro, so don't feel left out just because you don't see *buntu mentioned everywhere. I make it a point to make my tools as distro-non-specific as possible (partly because I always seem to be on the move myself). Recently, there's a new tool there called devmon that allows you to build a custom auto-mounting solution with no configuration.

    Check out my blog for useful scripts and tips... http://igurublog.wordpress.com

    #2
    Re: Arch's Dirty Little Not-So-Secret

    go slackware

    VINNY
    i7 4core HT 8MB L3 2.9GHz
    16GB RAM
    Nvidia GTX 860M 4GB RAM 1152 cuda cores



      #3
      Re: Arch's Dirty Little Not-So-Secret

      I tried Arch a year ago. Or was it 2 years? Sorry, temporal dyslexia. I agree on the excellent learning experience part of it but it was just too much for me to keep it working. Didn't know about the security issues.

      Debian's Aptosid? I understand it is a new rolling release version of Debian I may try some day. But after failing to get Squeeze to work on this old P4 I don't know.

      I've tried a number of other distros but always seem to prefer Kubuntu.

      Found this http://en.wikipedia.org/wiki/Rolling_release on wikipedia.

      Ken.
      Opinions are like rear-ends, everybody has one. Here's mine. (|)



        #4
        Re: Arch's Dirty Little Not-So-Secret

        Hey man, long time no see. I think many of us here use more than one distro, but Kubuntu will remain on my primary desktop for the now.

        Package signing is too important an issue to ignore if you ask me. That digital signature is the only way you know for sure where the code came from. Otherwise, anyone can put anything in the package and call it whatever they want to. For example, and this affected Gentoo as well:

        http://www.webupd8.org/2010/06/linux...-for-year.html

        This reminds us that an OS is as secure as the owner makes it. Remember to always check the source code before running a script / application. Better yet, only install applications from your distribution's official repositories and very trusted sources.
        As Vinny said there is Slackware. I haven't used it in some time, but it was very tempting the last time I did.

        Have you tried Linux From Scratch? That would be one way to get a system customized to your liking. And since you're compiling everything from source you always have the opportunity to validate the code for yourself.

        If you do switch to Gentoo then I hope you'll let us know how you like it.
        Welcome newbies!
        Verify the ISO
        Kubuntu's documentation



          #5
          Re: Arch's Dirty Little Not-So-Secret

          Debian's package management system (APT) is what keeps me firmly in the camp of Debian and Kubuntu. I've had aptosid as my primary OS for some time, in order to have early access to the new packages and kernel developments, and also because "rolling" is much more convenient for me than letting fixed versions age until they have to be replaced.

          But I also like to keep a Kubuntu "next version" OS around -- same reason. Actually if you want KDE 4.6 you kinda have to run Kubuntu, at the moment (to stay in the Debian camp). But it will enter the Sid repos within the next 6 weeks or so.



            #6
            Re: Arch's Dirty Little Not-So-Secret

            Hey guys. I've heard good things about Slackware too. Something turned me off from it, but now I don't recall what it was. But I'm going to look again. It might have just been the lack of rolling release. Not sure I would be happy without some degree of rolling release. I found version updates on Kubuntu to be too much work - I prefer the little at a time approach.

            My trick for dealing with Arch's instability was to make a partition backup of the root fs, then update. If it went badly and I couldn't quickly resolve it, I usually just rolled it back. Then I would either wait until the problems were resolved, or would look into them more on the forums. Worked well - usually any problems that magically appeared also magically disappeared.

            I agree Debian has a good package management system. But I want to get away from distros that mod things so much for their own purposes. Linux From Scratch is an interesting idea! Not sure if I could handle that - maybe Gentoo would get me closer to that point. I didn't actually compile much in Arch. Haven't heard of Aptosid before - thanks, I'll check that out.

            > http://www.webupd8.org/2010/06/linux...-for-year.html

            Interesting! Arch users should take note of that. But I don't see any mention of Gentoo in relationship to that.

            I'll definitely check back and let you know where I end up and how I like it. Thanks for the input.

            Edit: Oh, and forgot to mention, I'm just using Openbox now. I really like it as a very minimal window manager. I don't even have an icon-capable desktop (although I could).
            Check out my blog for useful scripts and tips... http://igurublog.wordpress.com



              #7
              Re: Arch's Dirty Little Not-So-Secret

              Originally posted by IgnorantGuru
              But I don't see any mention of Gentoo in relationship to that.
              Here's an article with more details about exactly how the attack occurred. The developers of the program weren't using any kind of code signing or verification, so all the hacker had to do was replace the official source tarball on the developers' download server with his trojan.

              http://www.h-online.com/security/new...e-1020987.html

              The contaminated source files have also found their way into the Gentoo Linux distribution's repositories. The Gentoo package has already been updated with a non-infected version (unrealircd-3.2.8.1-r1 ebuild) and is available, but some mirror servers are still carrying the old version. Details of how the systems failed on the UnrealIRCd server are not yet available because investigations are still ongoing.
              And here's a copy of the Gentoo security advisory explaining that the packaged code was compromised. That means the malicious code was packaged (unwittingly) by the Gentoo team and (probably) delivered to clients.

              http://www.linuxcompatible.org/news/...in_gentoo.html
              Welcome newbies!
              Verify the ISO
              Kubuntu's documentation

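The two posts above make the same point from opposite ends: a signature under a key the client already holds is the only thing that ties a package to its publisher, and the UnrealIRCd incident shows what happens when a download server is trusted for both the bytes and the check. The following Go program is an added illustration for this thread, not code from pacman, Portage, or any project mentioned here. It models a mirror that serves a package, a checksum file, and a detached Ed25519 signature, then shows that an intruder who swaps the tarball can republish a matching checksum but cannot forge the signature. All names (Mirror, Publisher, Release, Tamper) and the sample package bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Mirror models what a download server hands to a client: the package bytes,
// a checksum file published next to them, and (if the project signs releases)
// a detached signature. Everything here is under the server operator's control.
type Mirror struct {
	Package  []byte
	Checksum string // hex SHA-256 of Package, as served by the same mirror
	Sig      []byte // detached Ed25519 signature over Package, made offline by the publisher
}

// Publisher holds the release-signing key pair. Only PublicKey is distributed
// to clients, and it travels out of band (for example inside the installer),
// never via the mirror whose contents it is meant to vouch for.
type Publisher struct {
	PublicKey  ed25519.PublicKey
	privateKey ed25519.PrivateKey
}

// NewPublisher generates a fresh signing key pair (constructed for this demo).
func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{PublicKey: pub, privateKey: priv}, nil
}

// Release publishes a package with both a checksum and a detached signature.
func (p *Publisher) Release(pkg []byte) Mirror {
	sum := sha256.Sum256(pkg)
	return Mirror{
		Package:  pkg,
		Checksum: hex.EncodeToString(sum[:]),
		Sig:      ed25519.Sign(p.privateKey, pkg),
	}
}

// ChecksumOK is all an unsigned package manager can do: recompute the hash and
// compare it with the checksum the same mirror served. It catches corrupt
// downloads, but a checksum hosted beside the package cannot prove provenance.
func ChecksumOK(m Mirror) bool {
	sum := sha256.Sum256(m.Package)
	return hex.EncodeToString(sum[:]) == m.Checksum
}

// VerifySignature is the signed-package check: the client trusts only a key it
// already had (pinned), so a mirror that lacks the private key cannot produce
// a signature that verifies over replaced bytes.
func VerifySignature(pinned ed25519.PublicKey, m Mirror) error {
	if len(pinned) != ed25519.PublicKeySize {
		return errors.New("pinned key has the wrong size")
	}
	if len(m.Sig) != ed25519.SignatureSize {
		return errors.New("missing or malformed detached signature")
	}
	if !ed25519.Verify(pinned, m.Package, m.Sig) {
		return errors.New("signature does not verify under the pinned publisher key")
	}
	return nil
}

// Tamper models the download-server compromise discussed in the thread: the
// intruder swaps the tarball and republishes a checksum that matches the new
// bytes. The old signature stays in place because it cannot be regenerated.
func Tamper(m Mirror, replacement []byte) Mirror {
	sum := sha256.Sum256(replacement)
	return Mirror{Package: replacement, Checksum: hex.EncodeToString(sum[:]), Sig: m.Sig}
}

func main() {
	publisher, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	// Constructed sample "package" bytes; a real client would read a tarball.
	genuine := publisher.Release([]byte("example-package.tar.gz (constructed contents)"))
	trojaned := Tamper(genuine, []byte("same filename, different contents (constructed)"))

	fmt.Printf("genuine:  checksum ok=%v  signature err=%v\n",
		ChecksumOK(genuine), VerifySignature(publisher.PublicKey, genuine))
	fmt.Printf("trojaned: checksum ok=%v  signature err=%v\n",
		ChecksumOK(trojaned), VerifySignature(publisher.PublicKey, trojaned))
}
```

The point of the split between ChecksumOK and VerifySignature is where the reference value comes from: the checksum is fetched from the same place as the package, so a compromised server rewrites both; the public key was obtained before the download and never passes through the mirror, which is why a rolling-release client can keep pulling from untrusted mirrors once releases are signed.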


                #8
                Re: Arch's Dirty Little Not-So-Secret

                I-G, good to see you again. Thanks for maintaining kscrubber for KDE4. I'm about to make the move 'down' from my 8.04.3 to 10.4 and will definitely appreciate the convenience of kscrubber.
                An intellectual says a simple thing in a hard way. An artist says a hard thing in a simple way. Charles Bukowski



                  #9
                  Re: Arch's Dirty Little Not-So-Secret

                  Kscrubber has been a systems maintenance tool that I use on a regular basis. I recently installed Natty as my third OS, and Kscrubber was installed there as well.

                  I-G has, and continues to be, a valuable 'resource' to the Linux community.
                  Windows no longer obstructs my view.
                  Using Kubuntu Linux since March 23, 2007.
                  "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                    #10
                    Re: Arch's Dirty Little Not-So-Secret

                    Hi IG, sorry to see you move from Arch but your reasons are valid.

                    While aptosid will fit you like a glove you will long for the AUR, damn, everyone who has had the luxury of it will not want to give it up.

                    All the best in your search for your perfect distro
                    Once your problem is solved please mark the topic of the first post as SOLVED so others know and can benefit from your experience! / FAQ



                      #11
                      Re: Arch's Dirty Little Not-So-Secret

                      Hi again! Glad kscrubber is still of use. Just note that it was last updated for KDE 4.4, so when using it with newer versions just make sure it's not missing anything. But that's good to do anyway because everyone's setup is different.

                      I've heard about Gentoo's security advisories - they're supposed to have a good team in place for that. I don't think Gentoo 'packaged' it, as they don't distribute many binaries, but the ebuild is for automated building, and they might have included the source. It's a great example of what Arch is vulnerable to, and I added it to my blog comment on the subject - nothing like an example to drive the point home. Security is like that - easy to take for granted until an incident occurs.

                      Toad, you really get around! The AUR is handy, but for the few programs I use from it, I think I can fashion my own.

                      I don't need a perfect distro, I just want a perfect combination of top-notch security, up-to-date packages, automated building of unlimited software, and devoted devs.
                      Check out my blog for useful scripts and tips... http://igurublog.wordpress.com



                        #12
                        Re: Arch's Dirty Little Not-So-Secret

                        Originally posted by IgnorantGuru
                        I don't think Gentoo 'packaged' it, as they don't distribute many binaries, but the ebuild is for automated building, and they might have included the source.
                        It fits my own loose definition of package well enough. Yeah, they did include the compromised code.

                        I don't need a perfect distro, I just want a perfect combination of top-notch security, up-to-date packages, automated building of unlimited software, and devoted devs.
                        Don't we all?
                        Welcome newbies!
                        Verify the ISO
                        Kubuntu's documentation



                          #13
                          Re: Arch's Dirty Little Not-So-Secret

                          Well, I moved over to Arch from Kubuntu some 5 or 6 months ago and have been pretty happy with the move. I went and checked out your threads and other threads relating to this issue, and can see where you're coming from. I agree that I'd like to see this being implemented as well. However, from what I can see, people are currently working on it. Admittedly this has been under way for some time (as you refer to in your post), and may not be moving along as fast as you or I would like. But, I think, that's typical of Arch: it's a distribution run by the devs and for the devs. But from what I see in the pacman-dev mailing lists and in pacman.git things are still being worked on.

                          I'm sure, IgnorantGuru, that you'll disagree with me given that you've been more involved in the process than I have; but whatever.

                          Slightly off topic, but I assume that you'll be abandoning paccheck when you change distributions?

                          Anyway, as a final note, if you find a distribution that encompasses Arch's lightweight, rolling-release system and -- what is for me, at least -- perfect mix of control and simplicity then I'd appreciate a heads up. I've looked around a bit but can't seem to find anything that offers package signing AND equals Arch in the above points.



                            #14
                            Re: Arch's Dirty Little Not-So-Secret

                            Originally posted by miKeyBabid
                            Admittedly this has been under way for some time (as you refer to in your post), and may not be moving along as fast as you or I would like.
                            Well, just remember that 3 years ago when a dev suggested signing their database, it was shot down because package signing was "mostly implemented". 3 years is a long time in computer years, especially for something as basic as secure package management. From what I could tell, they've been dragging their feet on this for years despite some of their own devs wanting to move it forward. The good news is it's now on the pacman roadmap, but that is subject to change.

                            But, I think, that's typical of Arch: it's a distribution run by the devs and for the devs.
                            Indeed. Having spoken with the devs, I was left with a sense that they don't care about their users or their users' security, or much else. What devs are left don't seem very happy with the upper-level devs either. If it was just the package signing issue, I might be inclined to wait it out, paccheck in hand. But it was like going into the kitchen of your favorite restaurant and finding rat droppings and filth - changes the enjoyability of the food. I just don't trust them, nor do I like their attitude. And I've never liked their forums and the attitudes there. So my decision to move on was due to the bigger picture.

                            I do think highly of some aspects of the Arch design. I don't think there's a distro quite like it. But it doesn't seem to know how to grow into a mature, secure distro, or perhaps doesn't want to. As fun and handy as it is, I can't ignore the big problems. But I hope they get their act together, or someone takes it into a new leadership. But only years will tell.

                            Slightly off topic, but I assume that you'll be abandoning paccheck when you change distributions?
                            Once I'm no longer using Arch, and perhaps before, I will stop support, as it's not practical to support it when I can't test it. But I never planned on taking it much further, as any work on it will be obsolete when/if package signing is implemented. Also, it's GPL so anyone can continue it with no complaints from me.

                            Anyway, as a final note, if you find a distribution that encompasses Arch's lightweight, rolling-release system and -- what is for me, at least -- perfect mix of control and simplicity then I'd appreciate a heads up. I've looked around a bit but can't seem to find anything that offers package signing AND equals Arch in the above points.
                            Keep an eye on or subscribe to my blog as well, as I tend to discuss it there (the subscription just emails you new posts, no spam).

                            Yesterday and today I started on Gentoo, and I now have Openbox running - a black screen with a mouse cursor, which is all Openbox has to say until you configure it. Wasn't too bad so far. The only places I got bogged down were determining which module my NIC needed in the kernel config, and trying to use the nouveau driver with X, because their docs are out of date and don't work for the current Xorg version. So I went with nvidia and that worked okay. Here were my approximate download+compile times:
                            kernel: 7 minutes
                            xorg-server: 10 minutes
                            openbox: 9 minutes

                            Since I'm not using kde or gnome, it moved right along. In some ways it is similar to Arch, and Arch was good training. But the documentation is a little more scattered and out of date, and it requires a little more tweaking since it's building from source. I get the sense that no one really knows what all the kernel options do. Like in Arch, you just follow the guide and set what needs to be set for what you're doing, and leave the rest alone. So far install was roughly equivalent to Arch in terms of difficulty. It's a candidate, and I've noted some promising advantages over Arch. Time will tell whether it holds up or becomes unstable as updates roll in. One advantage is that I'm learning even more than I did in Arch - the install procedure was pretty neat. Package management is pretty sophisticated too. And the forums seem more human from what I've seen. I could see myself growing to like Gentoo, or getting annoyed with the details - time will tell.

                            I'm also tempted by Slackware - it seems you can limit the install to skip kde and such, giving you a minimal system. But the 4Gig download would have taken me all day, which disappointed me because I'm installing a minimal system with no big DM, so 4G is unreasonable. Plus I wanted to get started NOW, so I decided to try Gentoo (124MB). If that doesn't work out or proves too unstable, I think Slack will be my next experiment. It has many devoted users, which says a lot. Interesting discussion here.

                            Check out my blog for useful scripts and tips... http://igurublog.wordpress.com



                              #15
                              Re: Arch's Dirty Little Not-So-Secret

                              Originally posted by IgnorantGuru
                              Indeed. Having spoken with the devs, I was left with a sense that they don't care about their users or their users' security, or much else.
                              I think there's an important point to be made here. When choosing a Linux distro, you are also choosing a community. At the time I chose Ku|Ubuntu I was thinking of how I would get support for my new OS. (Ku|Ubuntu has the broadest and most helpful spectrum of support options of any distro I've used.) I may have better thought, "Which community would I like to join?"

                              I would not want to belong to a community wherein those at the top of the hierarchy look down with contempt at their users. You certainly painted the Arch devs in an extremely negative light from my perspective. I don't think I will ever go there.

                              Gentoo is sounding tasty though after reading your update. I'll look at it again next time I'm distro-shopping.
                              Welcome newbies!
                              Verify the ISO
                              Kubuntu's documentation
