IgnorantGuru's Blog

Linux software, news, and tips

The Forbidden Subject

I am reprinting my recent post on the Arch Linux forums below so this is accessible and searchable – one value of having your own blog. One of the forum moderators (jasonwryan?) imposed an 8 week ban on me for “Trolling despite repeated warnings” for the post below, so I am not welcome there until May. (I don’t recall any Warnings, but apparently my memory is faulty?) Granted I wasn’t saying what they like to hear, but given the number of users’ threads and questions on this subject that they’re deleting, I think it needed to be addressed. At any rate, I cannot update or respond to the paccheck or other threads there, but you may bring any issues to my attention here or via email. They have also banned my IP from even viewing the forum – I guess that is a danger – so even though that’s easy to work around, don’t assume I’m reading there, as I probably won’t be automatically notified of new posts in threads.

My ‘8 week ban’ post follows:


Allan wrote somewhere (you must be logged in):

I will repeat my offer. If anyone provides patches for the remaining issues with pacman as given on this page: https://wiki.archlinux.org/index.php/Us … ge_Signing , then I will get all the patches in a format suitable for actual merging to the pacman code base. I made this offer several weeks ago on pacman-dev and quite a few people said they had patches that were “almost ready”. As usual, none ever eventuated…

Now as to whether this is really important… well, it is… but:
1) the described ARP attacks require the hacker be on your network. That is not a particularly practical attack for most Arch usages (home computer…).
2) exploited mirrors are likely to be detected quickly. Even faster now paccheck has been provided. But they would have been detected by people who segment their downloads across mirrors anyway (or even downloaded packages from a different mirror than their database) and there are a lot of people who did that.
3) if it was that important, people would have the motivation to actually code on it…

The quickest way (in fact, probably the only way) to get this fixed is to provide the patches for pacman. Having the feature implemented there will likely increase the motivation to get signing used in the repos.

I would like to reply to Allan’s third point and his alleged invitation.

I attempted to contribute a very effective interim solution. I submitted two flysprays that could hugely improve Arch’s security in this area with virtually no work needing to be done. It turns out that one of these ideas – to have the server automatically sign the database – was submitted by one of their own developers 3 years ago (a virtual eternity in the world of computers). It was shot down at that time because pacman package signing was ‘almost complete’. He is still an Arch developer and offered to implement it immediately when he saw my request, but there is no one willing to authorize the simple change required. With the use of a simple signature checking script which I offered to write, this change would make 150+ mirrors as secure as the primary Arch server. The other idea – to include SHA256 sums in the database – would make paccheck’s job more thorough without the need for full mirror compare. I even provided a simple patch for their script. Yet they simply refuse to include it for no known reason. You can see and vote on these here and here. They are very effective interim solutions which will improve your security substantially while the pacman devs wrestle with their full-blown package signing (for how many more years no one knows).

As for coding pacman, my discussion with the devs revealed that at least some are disgruntled with Allan’s handling of the code they submit, in that it never sees the light of day. It is discouraging to put work into something only to have that work disregarded. I myself would consider working on this, but I have to believe that Allan (or whomever) would simply find an excuse to dismiss whatever I submit, just like Allan seems to do with every idea and patch submitted in this area, despite his claims and invitations to the contrary. Arch is unapproachable in this area – why?

So Allan’s endlessly repeated claim that there is just insufficient manpower to immediately close this security hole is simply false – signing the database would close much of the problem, and I have offered to adjust paccheck to make use of such a signature. Adding this signature is trivial and there is a developer willing to make that change. It is simply being blocked by a bureaucracy – Arch is not maturing well. It is run more like a closely guarded personal pet project than a community-supported project. His claim that no one is willing to contribute is false.

From what I can tell, Allan is the main stopping point for why this has gone nowhere for YEARS. He claims he doesn’t care about it, but aggressively campaigns against any improvement to Arch’s security in this area, no matter how trivial. I can’t even have a conversation about it with the other devs without him butting in and aggressively derailing it. I can’t explain the reason for this behavior, and believe what you will, but Allan’s claims are largely false. I can easily see why the developers are discouraged and have stopped attempting to contribute to Arch (which is actually a larger issue affecting Arch in general – I can’t imagine why.)

As for being lucky in spotting a compromised mirror among over 150 mirrors before someone is affected, good luck with that.

In case you think this is all theory, here is a real life example of a compromised Linux mirror, which wasn’t discovered for almost one year.

As for the behavior on this forum of hiding this information from users, I think it is very poor practice. If you deem it necessary to close some of these threads, so be it. But why are you moving them off the main boards into the dustbin? Obviously it’s embarrassing to the Arch devs, but users have a right to be made aware of this issue so they can evaluate how it affects them. And you might consider that the reason the issue keeps coming up is that people want to discuss it. At any rate, anyone is welcome to discuss it on my blog – I don’t delete non-spam comments, even when people call me names and later apologize. The discussion there evolved quite well and eventually quieted down, when everyone had had their say. A novel concept to you perhaps, but intelligent discourse has its advantages. As the Arch devs are abandoning the users in this area, it would be helpful for users to discuss the ramifications and makeshift solutions. Compare this forum’s behavior with the ArchBang forum, where a similar thread was made a sticky.

Perhaps it would be best to make the trollbin/dustbin open for posting if you can’t tolerate discussion about Arch in the Arch Discussion forum.

Also, I would encourage Arch users to find another forum for discussing this openly – don’t limit yourself to this forum. LinuxQuestions, Archbang forum, etc. – there are many out there, some already with discussions about it (search for “Arch’s Dirty Little Not-So Secret”, as that article was picked up by Linux Today and resulted in a lot of discussion about Arch elsewhere). Arch Forums is indeed free to run their forums however they please, even to the point where it inhibits Arch’s development and growth, and since they don’t seem to respond functionally to any feedback on their practices, it may be best to abandon it for more helpful and honest forums. Regardless of your take on this issue, it is hard to argue that users shouldn’t evaluate it for themselves.

A few links:
Anandtech Forum: Critical Security Flaw in Arch
Reddit: Arch’s Dirty Little Not-So-Secret
Kubuntu Forums: Arch’s Dirty Little Not-So-Secret (started by me but others’ opinions there as well)
Slashdot comments
Arch Dustbin: 0wning Arch: Why Package Signing Is Important (no, I am not the author of that thread, despite Misfit’s allegations – perhaps the intelligence of the post fooled you, but you would do well not to make unfounded statements about my posting under false names – I have no need to do so) [reprint]

and more – lots of places to discuss this and anything else about Arch forbidden here.


UPDATE: My Move From Arch To Aptosid
 

March 16, 2011 - Posted by | Tips

16 Comments

  1. —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    I do not speak for Arch, these views are all my own, etc.

    I really liked the work you did. Paccheck was good. I feel for your pain in dragging Arch into the future. (My personal peev is the AUR. So I made aur3.org to gradually fix everything that is wrong.) Of course, now I know my ideas usually suck (search R.Daneel on the aur-general ML for example) and AUR3 gives me a place to refine my code.

    Paccheck is good and useful, probably the best of your various scripts. However, you have not submitted patches to the bugtracker, just demands:

    https://bugs.archlinux.org/task/23103

    Allan has recently spent several months writing signing into pacman. It was not ready for the 3.5 release, but you can read the code here:

    http://projects.archlinux.org/users/allan/pacman.git

    It has also been discussed to death on the pacman-dev mailing list. Had you read some of this background, you could have been much more persuasive and avoided sounded like a stereotypical fearmonger. You probably mean well, but you have inadvertently become what everyone assumed you were.

    The forum mods are thin skinned and heavy handed. Sadly, you have been just as immature. Criticism of your work is not an attack on your person. Standing on a street corner preaching “Signatures are salvation!” while accusing everyone of conspiracy against you is not an effective way to garner trust or produce change. It makes you look like someone who will never contribute anything useful.

    Your erratic behavior is damaging. Hell, I like what you are doing and feel the majority of your complaints are perfectly valid. But even I don’t trust you much any more. Keep on writing code and remember that to convince people you must first become their definition of convincing. Comment mirrored at http://kmkeen.com/tmp/iguru-01

    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.11 (GNU/Linux)

    iQEcBAEBAgAGBQJNgYP1AAoJEDluPiW6sULBa1sH/3BflwBIde0eKa5PXCiKTF62
    e1z0rjPbhSZ3PWRDH0vcpIBfJXw49OH5wuxtF1iagoIn7oA9+57gcjtT+abmiC5V
    L/JyWOFrHajKX/edOM2iT5ABMUEX7FnCHjVmQPpBBeVjjaSDY/e2DjtXpFLQecEP
    dc5Qv3l9tvD5KOMl0+2CIH0UAT1h92nEXemta6o8gBiJPndJKq0Ptx5le+Zrgyqn
    8eoFub0XCymmzSdwOKT8iG1+bHilrXLfbxrtGOG+ibPytkAtKo8YrDITHvIYyfck
    A2X2xZGMfm87l4wkyTFI/kYpqqL3rNKCkTfA3ca2t6D641O4MBnOEStlz1Eqn7Q=
    =5BnF
    —–END PGP SIGNATURE—–

    Comment by Kyle | March 16, 2011

    • I really liked the work you did. Paccheck was good. I feel for your pain in dragging Arch into the future. (My personal peev is the AUR. So I made aur3.org to gradually fix everything that is wrong.) Of course, now I know my ideas usually suck (search R.Daneel on the aur-general ML for example) and AUR3 gives me a place to refine my code.

      AUR3 looks promising – I obviously like the package signing. To the extent I do anything more with Arch, I may make use of that.

      Paccheck is good and useful, probably the best of your various scripts. However, you have not submitted patches to the bugtracker, just demands:

      https://bugs.archlinux.org/task/23103

      You seem to have trouble distinguishing a request from a demand. At any rate, paccheck is a fairly straightforward script that took me about a day to write and a few more to refine. Sadly, it’s the largest improvement to Arch’s security in many years.

      Allan has recently spent several months writing signing into pacman.

      He must type reeeeally slowly, that’s sad to hear that he is disabled. I wish him the best. Had I known I would have gone easier on him – thanks for letting me know.

      As for your analysis, your initial assumptions are faulty. My goals are not to “convince” anyone of my point of view, believe it or not (except the devs, but there’s no convincing them of anything). I’m merely making people aware of an issue and I did what I could to change it (there I accomplished little, but more than others before me). I offer my point of view, but I trust people to evaluate the situation for themselves.

      If you’re an expert on being convincing and have known about this issue for so long, why haven’t you accomplished more in terms of making users aware and getting changes implemented? I would say my approach has accomplished more than yours in this area.

      Hell, I like what you are doing and feel the majority of your complaints are perfectly valid. But even I don’t trust you much any more.

      On one hand I have you telling me this, on the other I have users thanking me for making them aware of this issue. So you don’t trust the person who makes a security problem visible and contributes an immediate technical improvement, as well as campaigning for more improvements, but you trust developers who hide the problem, ban users for discussing it, and refuse to improve it for years. This trust model must be standard issue for Arch developers. You might want to re-evaluate it. I put users’ security at the top of my list of priorities, and have for many years of OSS development. I don’t really care about your offended devs, who are incompetent and careless in my view.

      I will admit I’m no diplomat. But no one else was moving it anywhere practical, so I thought I’d chip in. If you can do better, get to it.

      Comment by igurublog | March 17, 2011

  2. I would not normally reply to a post like this because it is mostly a pointless exercise, but I will make an exception given it seems that it is almost entirely directed at me and full of misinformation.

    1) Re: SHA256 sum “they simply refuse to include it for no known reason”. You were asked to provide a patch as documented in the “submitting patches” guidelines by the lead developer. But you for some reason decided he was wasting your time. If you had provided a patch like you were asked to, it would have probably been in the latest pacman release. Just to make it abundantly clear, I made no comments for or against that idea, so lack of progress there is entirely your fault.

    2) Re: “no one willing to authorize the simple change required”. As far as I can tell, the developer you refer to who “volunteered” to implement this is either Pierre or Thomas. Maybe the latter given Pierre said “Once there is a version of pacman which supports signed packages I can start implementing these ideas”, which indicates he is waiting. Anyway, both are very senior developers in the Arch team (they were around long before I was) and need no authorisation to do anything. There would be little I could do to stop them without a number of the other developers agreeing with me.

    3) Re: “discussion with the devs revealed that at least some are disgruntled with Allan’s handling of the code they submit”. I call bullshit. Can you point out a single patch for package signing that I have rejected? And I mean rejected and not asked to be revised. Here is a list of people (apart from me) who have submitted package signing work over the last few years: Geoffroy Carrier, Dan McGee, Xavier Chantry, Chris Brannon and Denis A Altoe Falqueto. That is all. I know 2/5 are definitely not pissed at me and I’m fairly sure a third would let me know if he was. One disappeared from the face of the planet, and the other is still submitting revisions to his patches and those are being integrated. So I fail to see who is pissed at me and how I am stopping progress here. Also, I do not get final say in any of this given I do not actually have commit rights to the pacman code base.

    4) Re: “Allan is the main stopping point for why this has gone nowhere for YEARS”. I’m glad you think I have that much influence… Strange that my “aggressive campaign” against signing has involved being the one person who keeps the current patches for pacman together in a git repo along with a TODO list of what needs to be done. Also I am so far the only person to actually provide patches for Arch’s devtools and dbscripts to implement uploading signatures alongside packages. So it seems I am actually the main person involved in getting this implemented. Which is the exact opposite to your claim…

    I assume much of this campaign against me is due to the comments against is your suggestion for how to sign a package databases. Note it is the HOW that I was against, not the need to do it. And that was because I think there is a better way to do it with less security flaws and if time is going to be put into getting this fixed, I would prefer to do it properly. As already pointed out, if someone provided patches to do it the way you suggested, and the developer(s) responsible for Arch’s devtools/dbscripts (which is not me…) decide to use them, then I could not stop it.

    The real issue here, is everybody who says this is a good idea and that they are willing to implement it, never actually does. We had several people on pacman-dev who said they were working on patches to finish implementing this a month or so ago, but nothing was ever submitted. That has been the pattern for a long time now.

    Comment by Allan | March 16, 2011

    • Allan, thank you for taking the time to give us your input. I have no personal vendetta against you, I’m merely sharing my observations, including those which involve you. You seem to be a person who says one thing and does another, so I don’t know if there’s much value in discussing it further, but I’ll address a few points.

      1) Re: SHA256 sum “they simply refuse to include it for no known reason”. You were asked to provide a patch as documented in the “submitting patches” guidelines by the lead developer. But you for some reason decided he was wasting your time. If you had provided a patch like you were asked to, it would have probably been in the latest pacman release.

      I highly doubt that, but I’ll give you my take on it. Dan ridiculed my analysis and request, describing it as “hilarious”, and then added that “either way”, my patch wasn’t in the official format you accept. Given that everything I have attempted to contribute to your team has been completely disregarded, I thought it best to ask if he was willing to add it before taking the time to familiarize myself with your patch specs. I don’t use git so this would take some effort. So I asked him if he was serious and told him I would be happy to submit a patch if so. That was two weeks ago and he still hasn’t replied, so I assumed he isn’t serious and was just ridiculing me. Nice lead developer who ‘welcomes contributions to Arch’.

      2) Re: “no one willing to authorize the simple change required”. As far as I can tell, the developer you refer to who “volunteered” to implement this is either Pierre or Thomas. Maybe the latter given Pierre said “Once there is a version of pacman which supports signed packages I can start implementing these ideas”, which indicates he is waiting. Anyway, both are very senior developers in the Arch team (they were around long before I was) and need no authorisation to do anything.

      Pierre Schmitz wrote:

      1) Ensure that packages are not modified on their way from the main server to the end user with probably several mirrors in between.

      Number one can easily be implemented [emphasis mine] by having the private key on the server and just sign the db files.

      In genereal I wouldn’t mind implementing part one if we communitcate correctly which level of security is reached by this approcach and what issues remain. (Afaik this approach was reject for some reason a long time ago; thread can probably found on the ml (afaik it was even started by me) [it was]

      So like you Pierre apparently says he is willing but does nothing in reality (I gave him my assessment of the level of security this approach reaches). From what I can tell, all you guys do is talk. It’s a wonder you accomplish anything (and obviously you don’t). At any rate, willingness was expressed but nothing done, so I have no idea what the next step would be. I thought it must be a lack of approval from someone. As Pierre made perfectly clear, it is “easily implemented”. I don’t have access to the Arch server, so I can’t magically have it sign the database. Someone with access and authority has to do it. I could do it in a few minutes – create a key and add a signing line to the script. I think 7 years is unreasonable. Your development team is dysfunctional in the extreme, and part of that dysfunctional is that you don’t see it.

      3) Re: “discussion with the devs revealed that at least some are disgruntled with Allan’s handling of the code they submit”.

      That’s what they told me (and you) in the mailing list, so maybe you should read more carefully.

      4) Re: “Allan is the main stopping point for why this has gone nowhere for YEARS”. I’m glad you think I have that much influence… Strange that my “aggressive campaign” against signing has involved being the one person who keeps the current patches for pacman together in a git repo along with a TODO list of what needs to be done.

      Yes, it is strange. You’ve told me you don’t think package signing is important, yet you make it your thing. You seem to do a little with it, then stop, and make sure no one else can get anything implemented. I have found you to be completely uncooperative – you don’t take security seriously in the first place, so I don’t think you should even be working on this. To put it crudely: shit or get off the pot. You claim you’re ‘working on it’ for years, while all I can see is that you’re making sure nothing gets done. Everytime I bring the issue up anywhere, you’re instantly there to sabotage the discussion. Maybe you can’t see your own behavior – you seem conflicted on the subject of OSS development in general.

      I think there is a better way to do it with less security flaws and if time is going to be put into getting this fixed, I would prefer to do it properly.

      Patches welcome. I notice as soon as I stopped participating in that conversation, you lost interest as well. IOW you don’t give a shit about it, you were just derailing my request. Your tactics don’t fool me, though you’re obviously very practiced in BSing people.

      You think signing the database is ‘flawed’, yet you reply to posts about the current setup, defending the total lack of security. Make up your mind. By standing in the way of the database being signed as an interim solution, your significantly reducing users’ security – it’s as simple as that. So get out of the way already. If you then want to implement an improvement, patches welcome. That is what you like to say, isn’t it? Frankly, I don’t see patches welcome at all in Arch Linux. They seem distinctly UNwelcome.

      The real issue here, is everybody who says this is a good idea and that they are willing to implement it, never actually does.

      As someone who tried to contribute in any way possible, now I’ll call bullshit. And I’m not the only one. I’ve since heard from other devs who tried to get things done with the Arch dev team over the years, especially in this area, and they told me they met the same brick wall. In one person’s word, the Arch dev team is “in rot”, which I thought captured it pretty nicely.

      Comment by igurublog | March 17, 2011

      • EDITOR’S NOTE: The comment below from Allan was trapped unnoticed in the spam folder for awhile, probably due to the number or type of links he used. My apologies. -IG

        >> 3) Re: “discussion with the devs revealed that at least some are disgruntled with Allan’s handling of the code they submit”.

        > That’s what they told me (and you) in the mailing list, so maybe you should read more carefully.

        Links please. I was quite specific in asking you to point to actual evidence of your claim that I am rejecting code. Given I have rejected no patches for package signing at all, I find it hard to believe. Just more made up “facts” from your side.

        >> 4) Re: “Allan is the main stopping point for why this has gone nowhere for YEARS”. I’m glad you think I have that much influence… Strange that my “aggressive campaign” against signing has involved being the one person who keeps the current patches for pacman together in a git repo along with a TODO list of what needs to be done.

        > Yes, it is strange. You’ve told me you don’t think package signing is important, yet you make it your thing. You seem to do a little with it, then stop, and make sure no one else can get anything implemented. I have found you to be completely uncooperative – you don’t take security seriously in the first place, so I don’t think you should even be working on this. To put it crudely: shit or get off the pot.

        I would happily pass on the maintenance of the pacman code for this to someone else. It is not hard to create a git repo and pull the patchset and post it on github, but no-one ever has… And I’m not sure how I am apparently stopping development happening on it. No-one has ever submitted patches for package signing that have not been accepted (after revision). The same would go for an actual patch provided for adding SHA256sum support. Provide a patch… then you can complain if it is not accepted. Until then, you have not even done the prerequisite amount of work to have your idea included.

        Anyway, until someone else does take over the package signing code, it seems to me that it would be better to have someone actually maintaining it rather than nobody… even if it not that persons highest priority. So I will keep maintaining it and await the inundation of other people wanting to work on the code.

        >> I think there is a better way to do it with less security flaws and if time is going to be put into getting this fixed, I would prefer to do it properly.

        > Patches welcome. I notice as soon as I stopped participating in that conversation, you lost interest as well.

        Hmmm… patches like these:
        [1] http://mailman.archlinux.org/pipermail/arch-dev-public/2011-March/019702.html
        [2] http://mailman.archlinux.org/pipermail/arch-dev-public/2011-March/019703.html
        [3] http://mailman.archlinux.org/pipermail/arch-dev-public/2011-March/019705.html
        [4] http://mailman.archlinux.org/pipermail/arch-dev-public/2011-March/019706.html
        [5] http://mailman.archlinux.org/pipermail/arch-dev-public/2011-March/019707.html
        [6] http://mailman.archlinux.org/pipermail/arch-dev-public/2011-March/019708.html

        All provided after I stopped replying to that bug report. So you saying “lack of interest” seems to be some sort of code for me being the only person actually doing work towards this… Even “adding the one line to sign a database” is useless when the current cron jobs to clean the mirrors would just remove it. So I have actually provided the groundwork needed for your method of signing the database to be implemented. But as I pointed out, I do not like that way of signing the database, so I will not provide patches to do it that way. Instead, I will eventually provide patches to get it done in the way I see it best. Someone else is free to supply patches to do it your way in the meantime.

        > I’ve since heard from other devs who tried to get things done with the Arch dev team over the years, especially in this area, and they told me they met the same brick wall.

        That is strange given that is basically not how Arch development works. Developers can essentially do whatever they want and need no permissions from anyone else.

        Then again, I think you have no idea who the Arch developers actually are and just consider anyone a dev… Case in point, comment 6 on this post. “another Arch developer asking why nothing is being done” – a person that has just registered on the bug tracker that day and made a single comment is generally not an Arch developer… Similarly in your first post about this, you quoted “developers” that had never posted to the pacman-dev mailing list before (or ever again). But I suppose it makes a better story if these people are considered developers… don’t let actual facts get in your way.

        Comment by Allan | March 17, 2011

  3. I’m absolutely appalled that you were banned over that post. Does it not occur to the “moderators” (pretty immoderate if you ask me) at Arch’s forum that the reason this is such a volatile issue is that the people expressing concern are getting swept under the rug? Honestly, this is the sort of issue that requires devs to drop *everything* else that they are working on and FIX IT. Seriously, aside from other critical security fixes, we should not be seeing any other package update from Arch until this is fixed. Five *days* would be an excessive amount of time to wait for a fix on this flaw.

    I had some sensitive financial information leaked last month and now I have to wonder if a compromised Arch mirror wasn’t the culprit.

    Comment by Isaac | March 17, 2011

    • Thanks for your comments Isaac. One of the problems with the current setup is that detecting compromise is virtually impossible from a user’s point of view. If Arch ever does implement signing, everyone would be wise to install from scratch. Or you could do so using paccheck.

      But given the attitudes and policies of the devs, I think Arch should be considered a very non-secure distro. I don’t think incompetent and careless would be overstating the situation.

      Comment by igurublog | March 17, 2011

  4. I would like to express my sympathy to IG. I can’t judge if Allans defense to why package singing is still not accomplished is right or not. What seems logical to me that a temporary solution is applied when things have proven to take more time then was hoped.
    That is the essence of what IG is saying, if I understand him well.

    To ban IG from the forum takes the matter to quite a different level.
    I was worried about what happened on the Archforum before.
    Visiting the Arch forum feels like playing a rugby match while your opponent is also the referee. The way they shovelled I. out of the match was not fair play. That he is banned from the forum, is a mark of incompetence that throws questions on the whole Arch community. Why isn’t anybody sticking up for him? The reason is simple: the blunt way power is exerted on the forum. I got a warning for this post: https://bbs.archlinux.org/viewtopic.php?id=114792.
    After that you don’t dare to express your views any more. Through contact with a mod I put forward this proposal about the forum rules:

    http://bbs.archbang.org/viewtopic.php?id=458

    I think it would be useful to discuss this with the users on the forum. But I don’t dare, because I fear this will lead to a ban.
    In the forum rules of the Arch is stated it is not a democracy. But what is it when you can’t express views in an open way for fear of being banned?
    I think the way I. is demonized is beyond comprehension. Sometimes it feels like people are putting up a fight like in a war game. I don’t get the aggression, I don’t understand the roughness and the emotions behind it all.

    Embracing dissent and discussion also needs tolerance and protection against ostracism and shunning. The roughness of the reaction against IG. feels like leadership feels threatened; which feels like really weak behaviour.

    Comment by Paul | March 17, 2011

    • Thanks Paul, I appreciate your comments. Frankly, having tried to get something done in the Arch community, I don’t think it’s very feasible to try to change their forum. I think the best thing Arch users can do for themselves is to bring the discussions to a more open forum. It is often the case that the official forum for something isn’t the most vibrant one. Change the channel. There is little that can be done to improve the situation there because they don’t permit any discussion of the forum on the forum – you’ll simply be banned for making any suggestions there, and anything you email to them won’t do much – they are very set in their ways. Either you accept their way or you don’t.

      To the extent I do anything more with Arch, I may post on LinuxQuestions. They have an Arch section. I don’t know their moderator habits, but I doubt they will take things as personally as the Arch people. And there are other general Linux forums as well – I know because some of the traffic to this blog comes from them.

      Re your proposal, you’ve hit a number of key issues there. The Arch moderators remind me of ‘bad cops’ that break the law themselves. They do ridicule people and such, and then they close the thread. Definitely power-tripping. I think putting up with that kind of nonsense is a mistake.

      As for my ban, it doesn’t trouble me much, so don’t worry about that. The vast majority of what I did on their forum was help others, so they’re only depriving their own users of whatever I would contribute, at least there. As usual the users pay the price for their policies.

      Comment by igurublog | March 17, 2011

  5. Stop trying to make a mountain out of a molehill. There have been 2 known cases in 20 years of malware introduced for Linux. One was a game server and the other was a Gnome theme. Only 1 distribution in 300 plus got the game code introduced into their repository.

    Comment by poodles | March 17, 2011

    • I think your counting skills need improvement.

      PARTIAL list of known Linux malware

      Linux is not as secure as you would have us believe, and malware incidents are actually on the increase in the Linux world.

      Comment by igurublog | March 17, 2011

    • @poodles: And emphasis on *known* cases. Honestly, how would an end user even know if he received a compromised package/list? A corrupt webmaster could trivially dish out a trojan to 10 or so randomly selected victims. The attacker would have root access to all information stored or entered into the affected machines, and no one else would be the wiser.

      I can’t take Arch seriously as a distro until this flaw is patched, and neither should anyone else who values the security of their system.

      Comment by Isaac | March 17, 2011

  6. And now today yet another Arch developer asking why nothing is being done, and offering to do it. Good luck!

    FS#23101 – [ devtools / db-scripts ] Add database signatures
    User who did this – Alex D (Hiroe)

    ———-
    We seem to have to camps here. One camp wants to get a perfect solution and has been working on it for years with no functional implementation. Whenever someone brings up the subject his code is supposed to cover he suggests they provide a patch or stop complaining.

    (As a computer security professional his understanding of exactly what a man in the middle attack is and how to defend against it seems off. He claims that a fix that would remove the possibility for man in the middle attacks and mitigate hacked mirrors wouldn’t, but I don’t want to get all ad hominem-y)

    The other camp has a couple of lines of code that would would solve a whole bunch of problems but if the main server got hacked or used improperly it could be an issue. It’s not quite ideal and we’d want to expand upon it or replace it if the first camp ever completes their code, but it increases security tenfold.

    Why are we debating this?

    If it’s a matter of no one implementing it then I will. It can’t be that hard. bash script wrapper that creates the DB however it’s normally created then signs it. The hardest part would be changing the DB creation script from md5 to sha256.
    ———-

    Comment by igurublog | March 17, 2011

    • Uh, on big problem with your claim.

      Alex D “Hiroe” is not an Arch developer.

      Let me make this easier for you, sinc eoyu seem to have trouble telling fiction from fantasy:

      If they are not on this page: http://www.archlinux.org/developers/ THEY ARE NOT AN ARCH DEVELOPER.

      I don’t even think he’s a TU.

      Look, package signing is important to some people. But your personal crusade against the Arch devs is irrational at best and outright hostile at worst. He told you how to submit a patch. Instead you assumed he was mocking you. If you had actually submitted the patch, chances are it would have been reviewed and accepted unless the patch was flawed or broken.

      Instead you seem to be dreaming up some imaginary vendetta against you. You’ve somehow got it in your head Allan McRae is mocking you and is actively trying to keep signing out of pacman, when in fact, he’s just making sure signing is included PROPERLY.

      Comment by Yaro Kasear | April 11, 2011

  7. I recognize some of the names in provided links, indicating that there’s a core attracted by criticism of Arch’ current leadership. Thus it’s probably time to bite the bullet and either start a separate Arch based project, or drop your current strategy for a more long-time one. If choosing the latter I see no other option than aiming at working broader for the benefit of the Arch community and hence gain a good reputation within the community. This happens all the time, so why shouldn’t it work for you?

    Most things in life seem much easier from the outside. Hence there’s always a need to fight this natural stagnation from the inside. Revolution or evolution? Decide for yourself what benefits the community best.

    Comment by KimTjik | March 18, 2011

    • I think another spinoff would not be a good decision. Rather, everybody should try to resolve conflicts somehow. This discussion will probably help that issue.

      Try improving cooperation instead of separation :)

      Comment by Danilo | March 29, 2011


Sorry, the comment form is closed at this time.

Follow

Get every new post delivered to your Inbox.

Join 142 other followers

%d bloggers like this: