IgnorantGuru's Blog

Linux software, news, and tips

My Big Move To Arch

UPDATE (March 2011): Since writing the material below, I discovered a serious flaw in Arch Linux which tempers my recommendation of it, especially for those who desire a reasonable level of security. My full review of Arch Linux is also available.


I recently migrated my primary system from Kubuntu Karmic/KDE4 to Archlinux with Openbox, so I thought I would share some of my experiences with the move. I thought some Ubuntu users might want to scope this out if they’re considering changing. I have used Ubuntu for years and when I decided to go to Arch, I wondered what I was in for! Long story short – I love it.

First, a little background… The first linux I used seriously was SUSE, which I liked overall, but package maintenance was a PAIN (regardless of what they claim), and eventually it just started to feel too corporate and evil-empirish, like Windows. So a few years ago I moved to Kubuntu which I really like for its apt-get of course. But lately I’ve been grumbling a lot. I don’t really like KDE4 – it’s way too overdone and heavy, too much of a Vista-wannabe. I also don’t like some of the decisions Ubuntu is making in general when it comes to packages, and especially the way the recent trend is to stop the user from removing some packages – too bossy lately. There are also security issues that IMO are beginning to enter the realm of Microsoft – things which I believe are not done for the benefit of the users. Thus I found myself having to remove and disable all kinds of junk after a fresh install. I’ve also had very poor results with reporting bugs in KDE and Ubuntu lately – they just aren’t addressed, and there are way too many to begin with. The release cycle seems rushed, and quality is the loser in this. I was fighting against the distribution too much. That’s when I began to realize it was probably time for a bigger change. I was reluctant because hey it’s a lot of work to get used to something new. But it can also be cool, I kept telling myself, as I remembered how cool it was to lose Windows.

I ended up selecting Arch Linux because I liked a few ideas. One, it was supposed to have a good package manager comparable to apt-get (known as pacman). Also, I liked the rolling release idea, where instead of releases and upgrade/reinstalls, packages are just gradually updated to their latest versions every day. The install CDs have versions, but if you’re running Arch, you’re running the ‘NOW’ release. This is explained more here. Most of all, I really like that Arch uses software packages that are presented the way the original makers designed. Mods and alterations are very minimal. I like this because I found so many of the bugs in Ubuntu are related to changes the packagers made which broke the functionality of the original software. Arch honors the original software rather than trying to make it fit a particular scheme – and this includes servers and daemons. I really REALLY like this idea because as we all know having a middleman introduces problems, and original developers take the time to make their software work more carefully than packagers.

I was also a little scared of Arch because it was supposed to be more work, less noob-friendly. I can handle some complexity, but frankly I don’t enjoy having to do everything the hard way. There is something to be said for convenience. Plus using a mainstream distribution like Ubuntu has its advantages – lots of packages and support. But I decided to give it an honest chance.

I also decided I was going to drop KDE. It’s only going to get more convoluted and Windows-like IMO, so I figured I might as well get on a more fitting track. So I was also shopping for a new desktop manager.

THE RESULTS

I have had a truly excellent experience with Arch. It is just so neat to set things up one step at a time, and I pleasantly learned more in a week about the inner workings of linux than I have in years of using Ubuntu. I really feel like I know my system now. It’s also a simpler system, and I know what’s running and why. It’s also fast as hell! The few problems I did have, the community support and wiki were excellent – very knowledgeable people who like doing things themselves. Overall, my opinion is that any reasonably experienced Ubuntu user will feel right at home. You’ve probably edited a few configuration files, entered some CLI commands, and messed with the inner workings enough on occasion that you won’t be lost in Arch. And in the long run I think it’s MUCH LESS of a hassle, especially because you get a better understanding.

The 64 bit install CD (I used the net install CD) was a lot like the alternate install CD for K/Ubuntu. Same basic stuff. The main difference is that it just installs the core system, so you boot into a shell. Then you install Xorg, which I thought was really cool (and very easy). I’ve never installed Xorg by itself like that. Then the nvidia driver went in without trouble, also from a package. (Interestingly, it cured a problem I had with not being able to go back to a shell once X started in Kubuntu. Same nvidia driver, so once again it shows that the problem was in the Ubuntu package, not NVidia’s driver or Xorg!) Then you choose your desktop and install that. Then you edit the xinitrc file to tell X to start your desktop! It’s great knowing how it all fits together.

In my case I decided to go with Openbox desktop because it seemed to allow you to build your desktop the way you want. Openbox is very minimal at the start – you build your desktop by adding taskbars and such that you choose. This may seem like a lot of work, but it was really neat. I’m also running a few KDE apps that I like, and Openbox runs them with no problems. I chose lxpanel as my taskbar – works great and has a clock, quick-start tray, system tray, and a menu that automatically updates itself when you install software. Reminds me of KDE3.

The pacman package installer works very well. There were only a few programs that I wanted that it didn’t have: rdate, google-earth, secure-delete, and crystal-cursors. rdate and google-earth had community-supported build packages available. These let you build the packages easily yourself and then install them with pacman. secure-delete I just copied the executables from my Kubuntu partition – they run fine. (The same was true of rdate, but that I built.) And I found crystal-cursors and compiled it. I learned great things about X cursors, so it was well worth the hour or so I spent with it.

Everything else, including media players, editors, KDE apps, image viewers and editors, servers, and open office were in pacman packages. Easy as using apt-get to install them. Plus they come out exactly as the original designers had in mind, which is neat to see – same as installing them from the websites for the most part.

One difference (which I like), is that when you install a server or daemon, such as NFS, it just puts the program on your system, it doesn’t configure or start it. I never liked the way Ubuntu started things as soon as you installed them. This way I can look over the (usually simple) installation steps and decide how I want it to work. For example, to auto-mount a CD when I insert it, I installed the autofs daemon right from instructions on the wiki. Works better and solved problems I had with automounting/unmounting in Ubuntu.

And instead of all the init.d and /etc/modules complexity, there is one file (/etc/rc.conf) with simple lists of modules and daemons to start at boot. So much cleaner and easier to maintain.

My system has so much less running on it as a result – just what I need, rather than what every Ubuntu user might need. Part of this is due to dropping KDE as well. If you do want KDE, Arch is supposed to have a good implementation of it. There is also kdemod, which is a modified version of KDE for Arch (part of the Chakra project).

As for the rolling release, I really like it thus far. From what I’ve read, occasionally new package updates will break a program and you’ll have to update your config files to correct it. But these potential problems are announced on the forums, and IMO that’s simpler than going through the mess of upgrades and reinstalls, where so much changes at once. Plus, the package updates never change your config files – you do that yourself, and when using Arch you’ll know how.

Aside from the apps I use, there are NO GUI ‘system settings’. I maintain everything by editing the config files. But what I’ve found is that instead of finding this too messy or laborious, I like it a lot better. The config files have everything laid out cleanly and commented, and I have access to all of it. Whereas GUIs rarely give you complete control, and rarely work as well. I did have to learn a bit that used to be done in a GUI, but as a result I understand things so much better, instead of feeling confused and frustrated behind the GUI. But if you do like the ‘system settings’ stuff, you can install a more bells & whistles desktop like KDE or Gnome – then you’ll get some of that. It’s just not made by Arch. They leave it up to you to decide what programs to install, REALLY. For example, I chose my sound server (alsa – which always worked great for me and I hated the pulse junk that Ubuntu went to. And yes, alsa can play several sounds at once – mix.)

Here are some of the wiki entries I used, more or less in the order I used them. You can look these over to get a pretty good idea of what you’ll be doing once you’ve used the install CD to install the core. The wiki is THE place to go when you want to know how to install something. You’ll usually find detailed instructions that work perfectly. Also, since everyone uses the same version of Arch (the NOW version), you don’t have to wrestle with multiple sets of instructions. I find that the first few parts of the wiki instructions are all I use – the lower parts of the pages tend to be for more complex setups.

http://wiki.archlinux.org/index.php/Main_Page
http://wiki.archlinux.org/index.php/Official_Arch_Linux_Install_Guide
http://wiki.archlinux.org/index.php/Official_Arch_Linux_Install_Guide_Appendix
http://wiki.archlinux.org/index.php/Xorg
http://wiki.archlinux.org/index.php/NVIDIA
http://wiki.archlinux.org/index.php/X11_Cursors
http://wiki.archlinux.org/index.php/Openbox
http://wiki.archlinux.org/index.php/CUPS
http://wiki.archlinux.org/index.php/Brother_MFC-420CN
http://wiki.archlinux.org/index.php/Configuring_network
http://wiki.archlinux.org/index.php/IPv6_-_Disabling_the_Module
http://wiki.archlinux.org/index.php/ALSA
http://wiki.archlinux.org/index.php/HAL
http://wiki.archlinux.org/index.php/Autofs
http://wiki.archlinux.org/index.php/Sane

And the forums are at
http://bbs.archlinux.org/

Just keep in mind that until you get X and your desktop running, you won’t have a (graphical) web browser. So if you don’t have another computer nearby, you may want to print the basics first.

That may look like a lot of manual configuration, but I found it to be very smooth and also a neat experience. I also had many fewer problems than with a typical Kubuntu install – very few in fact. And I had my system done in a couple days (where I was using it as my primary system instead of Kubuntu which I still have on another partition), with a couple more days for spit & polish. And that’s with my being a complete noob to Arch, and also trying out some alternative software to the ones I’ve been using.

K/Ubuntu was actually great training for Arch, because you tend to have to do a little manual configuring to get Kubuntu running the way you want anyway, and fixing problems. And Arch isn’t for linux noobs, so I think Kubuntu still is useful. But if you now want to try building a more custom system from the ground up, I think Arch is an excellent choice. Overall my system is running faster and lighter, and I’m so glad to be free of KDE, while still having some of my favorite KDE apps.

And Arch still uses Grub v1! Although you can of course change that to v2 if you prefer.

Recommendations: I recommend keeping a backup copy of your Kubuntu home folder – you may want parts of it to look at, especially if you drop KDE but want to run KDE apps. There’s not much, but it was handy a few times. Also, system backups are always great to have… http://en.wikibooks.org/wiki/How_To_…rating_Systems Plus, instead of reconfiguring many of your programs, you can just copy their settings files from your home folder. For example, copy the ~/.mozilla folder and you won’t need to set up Firefox from scratch.

I also like building my new system on a spare partition while still being able to boot my old partition. That way when I get frustrated or tired I can boot into ‘old reliable’ and relax. I had Arch install grub to the MBR of my second drive, so it didn’t interfere with the boot process. Grub2 detected Arch and added it with update-grub. Then when I was ready to change the boot to my Arch partition and grub, I just installed grub to the MBR of the first drive. Pretty painless way to try a new system, and it also lets you mount and examine your old system partition as you’re setting up the new one.

Below are some software recommendations I thought I’d throw in. Everyone likes different things but these are what I’m using for now. And this will give an idea of the variety of apps you can have with Openbox and without full KDE.

First, lxpanel is a great taskbar. In fact the whole LXDE desktop is probably good, because I saw a lot of apps from it that had a nice light but capable design.

For the most part you install these just by typing ‘pacman -S PACKAGENAME’, and they’re ready to run.

Ark
Knotes
Krusader (capable file manager from KDE)
Dolphin (simple file manager from KDE)
Speedcrunch (calculator)
GQView (like KDE Gwenview – or Arch has Gwenview as well)
GIMP
KGrab (from KDE, for window snapshots)
XSane
Firefox
flashplugin
jre (this pacman package installs the 64 bit version of Sun Java with plugins – one step!)
KMail (still using it for now but I may look at others)
KWalletManager
Pidgin
OpenOffice
epdfview (like Okular – very simple and light PDF viewer)
Kate
Ghex (Gnome’s Hex Editor)
k3b (also needs dvd+rw-tools and cdrdao)
SMPlayer/Mplayer
VLC
avidemux
Htop (process watcher)
Konsole
autofs (automounts CDs/DVDs, usbsticks, and even networks if you want)
ttf-ms-fonts and ttf-dejavu (fonts)
imagemagick
libdvdcss
mpg123 (command line MP3 player)
vorbis-tools (for ogg123 command-line player)
alsa (for sound)

Related Forum Thread: My Big Move To Arch

December 20, 2009 - Posted by | Tips

12 Comments

  1. I had the same experience about a year ago (except that I stuck with KDEmod) for the very same reasons you had. Now that I read your post, I feel I should try other WMs as well, especially OpenBox ;-)
    Thanks for sharing your story, I found it from your sig in the Arch forum.

    Comment by SanskritFritz | January 18, 2010

    • I still like Openbox – simple but extendable. Or for a more complete desktop there is LXDE which I put on my netbook and really like – it uses Openbox as its WM. Plus you can install all the KDE apps you still want – I’m still using a few. That makes the move a little easier. kdemod is a good choice – I should look into that for the apps I use.
      I’ve been meaning to post a followup on my move to Arch – coming soon. It’s been a smooth ride.

      Comment by igurublog | January 18, 2010

  2. First I should say: I love your blog! After rmdupe saved me hours of work, I spent some time looking over the rest of your site and I subscribed right away.

    As a current KDE user, I am always looking for alternatives, and it seems that you were in precisely the same situation a few months ago as I am now.

    (K)Ubuntu is the only “modern” Linux installation I have ever used, so I don’t have a baseline to compare it against. You mention that:

    I also don’t like some of the decisions Ubuntu is making in general when it comes to packages, and especially the way the recent trend is to stop the user from removing some packages – too bossy lately. There are also security issues that IMO are beginning to enter the realm of Microsoft – things which I believe are not done for the benefit of the users. Thus I found myself having to remove and disable all kinds of junk after a fresh install.

    Could you elaborate on those statements?
    Which packages are forced by the distribution?
    I’d especially like to know about the security issues. I wasn’t aware of any, but it’s scary to know if there are any.
    Also, what “kinds of junk” would you disable after a fresh install?

    Looking forward to reading more on your blog.

    Comment by John | February 6, 2010

    • Hi John, Thanks for your feedback, and welcome to Linux!

      Of course things are all relative. When I migrated from Windows some years ago I felt very liberated. But as I got to know Linux better I saw its imperfections and developed preferences. I still think Ubuntu is a great OS in many ways. Relative to Windows it’s very open, flexible, and secure. So my comments have to be taken in that context.

      Having used (K)ubuntu for a few years, and KDE as well, I have seen recent trends in both that personally I just don’t like. To me they are moving closer to Windows. One recent example is the decision by Ubuntu to include only Google Docs on its netbook edition. To me Google is every bit as undesirable as Microsoft, so I don’t like it one bit – I think it was a purely money-based decision, not for the user. It’s just a trend I see in many ways – Ubuntu is becoming more commercial, and KDE is aiming to enter the Windows market. I see growing corporate interest in Linux – much of the Linux kernel is now written as a for-pay job, at the behest of a corporation. I think this is contaminating some of the free and open spirit of the Linux project. So I believe in being a conscientious user – sort of similar to being a conscientious shopper.

      As for forced packages and decision specifics, one example that I didn’t like was the replacement of cdrtools with the perpetually broken and ill-maintained wodim. It wasn’t just that I feel they made a poor choice, it was the way they went about it – they make wodim a link to cdrtools, usurping the cdrtools program names, so most people didn’t even realize the change, they removed the real cdrtools from any supported package, and they made changing back to cdrtools almost impossible. This blacklisting of apps because of politics and personalities is not in the spirit of Linux, where users decide what packages they want. It was more like a Microsoft decree. And this has left many Ubuntu users unable to burn CDs. And after THREE YEARS the problem has still not been corrected.

      Frankly, I think this may be a case of big media companies and groups like the RIAA poisoning Linux from the inside. There seems to be a concerted effort by someone to keep CD and DVD functionality broken. There seems to be no will to address it. This is especially pronounced in Ubuntu, probably due to its increasing corporate connections. Ubuntu users now are given Yahoo/Microsoft Bing as their default search – this means Microsoft is paying for people to use Ubuntu, and are thus influencing Canonical’s decisions. That’s a danger flag in my book.

      Then there is the whole Nepomuk, Strigi, and Akonadi business of KDE4. These daemons, which mostly concern themselves with indexes and searching through all of the files on your system (privacy problems, anyone?), can consume large amounts of RAM and CPU – IOW they can dramatically change the performance of your machine. They are also said to introduce various security issues. Most KDE programs will run fine without these programs, yet they have been made part of KDE itself, rather than optional dependencies for a few programs. They are difficult to remove – you basically have to hack them out. There isn’t even a package called ‘nepomuk’. This breaks with the Linux tradition of making packages optional and modular. I think the decision to make these programs so much a part of KDE is more like the Microsoft decisions to leave backdoors and flaws in their OS – they are simply deliberate attacks on the privacy of PC users as far as I’m concerned.

      At any rate, that is why I included a function in kscrubber to remove them. These are definitely some of the ‘junk’ I remove after a fresh install, both for the sake of security and privacy and also my system running fast and well. KDE4 also has a lot of activity tracking and other ‘features’ that I generally find users don’t want. It’s increasingly like using a Big Brother sponsored OS like Windows.

      Then there was Ubuntu’s decision to go with PulseAudio. Pulse had and probably still does have serious security problems, and it also introduces unnecessary complexity IMO. And once again, Ubuntu didn’t make it a choice, they made it mandatory. Just try removing PulseAudio and replacing it with good ol’ ALSA. For awhile there was a big procedure you had to go through, although now I see that it seems to be easier. Notice how many people in that thread had problems with PulseAudio. And notice how once again Ubuntu made it difficult for the user to choose.

      Then there is the new upstart, suddenly introduced in the late beta stages of Karmic (causing all kinds of problems). People were increasingly mounting /var and /tmp to tmpfs (a ramdrive) because of the use of SSDs. But this also puts the kibosh on some activity tracking. For whatever reason, it seems Ubuntu has gone hostile to the idea of such mounts, breaking them with upstart and simply refusing to fix any bug reports on it (1 2 3). While it’s not unusual lately to see bugs go unaddressed for years on Ubuntu, this seemed to be handled like the CD/DVD issues are – there seemed to be a concerted effort to NOT fix it. This was actually the bug that drove me from Ubuntu completely – the straw that broke the camel’s back.

      Then there is the Firefox package in Ubuntu, which builds it wrong, thus leaving private user data in the database even after the user has deleted the history in Firefox. This bug was allegedly corrected on the PPA, but the correction was never put into Karmic updates (unless it has been recently, but I doubt it). The result is that users are using a security-broken version of Firefox, and probably will for the life of Karmic. Then when Karmic is replaced, if by some miracle this bug is fixed, they will introduce something else equally harmful to privacy, and won’t fix that for 18 months. (kscrubber vacuums the database to correct this issue, btw.)

      The list goes on and on – while no one issue is iron-clad proof of ill will, I just got the feeling after encountering the same patterns again and again that Ubuntu was becoming Microsoft! I got that same feeling when I was using SUSE and Novell started making deals with Microsoft – that was when I changed to Ubuntu, which at the time was less corporate than it is now.

      But I still think Ubuntu is a good transition from Windows. Just don’t get too drawn into it as ‘the one and only’. Keep in mind that there are other distributions, and give others a try on occasion. This can be done while leaving your current system intact, as described here. Ubuntu is mainstream Linux. Just as getting out of mainstream Windows can be good, so can getting out of mainstream Linux – when you’re ready. I like Arch, but there are many others – that’s one of the advantages of Linux. There are MANY flavors, desktops, window managers, and other possibilities to play with.

      If Ubuntu isn’t annoying you (yet), then maybe keep using it for awhile. I learned a lot on Ubuntu. But when I started using Arch it felt like I learned more in one week than I had in years of using Ubuntu! There is something to be said for a simpler model where you put it together more yourself (although Arch has a nice package manager and is actually pretty pain-free).

      As for the scariness of security issues, there are always issues – that is the nature of computer security. And it also depends on what your security needs and preferences are. Ubuntu folks will say their OS is very secure, while I look at it and I see a lot of packages installed by default that I simply don’t trust, have poor track records, and open unnecessary vulnerabilities, not to mention poor performance. Most of these can be addressed by removing them, cleaning the OS, and modding the system to what you prefer. But at some point that is more work than selecting a simpler distribution, desktop, or window manager. For example, I feel much more comfortable now with Openbox than I did with KDE.

      So anyway, I would encourage you to try alternatives as you get more comfortable with some of the installation issues. That’s the only way you’ll keep moving and growing as a Linux user. And remember that the Ubuntu you’re using is a moving object too – it won’t be the same next year or the year after. Don’t get stuck – know when it no longer fits you and it’s time to move on. Usually when you start complaining like me, that’s a clue. :)

      In addition to Arch Linux, others on my list as having potential are Mandriva, Sidux, Fedora, Gentoo, Xandros, and many, many others. As for desktops, you can usually try these using Ubuntu, just by installing a package. In addition to the mainstream KDE and Gnome, there is OpenBox, LXDE, FVWM, XMonad, Enlightenment, and many, many others.

      Comment by igurublog | February 6, 2010

  3. Your insights have given me many things to think about, particularly in regards to security. After years of hosting my e-Commerce website on Bluehost (which runs CentOS), I have to move to a VPS solution, which means I can choose the Linux distribution I want.

    I was leaning toward Ubuntu, since I run it on my desktop as well as my office servers, so I am more familiar with it, but since the site processes credit card numbers, security is a key concern. I’ll have to look at the other distributions.

    Of course the possibilities and permutations are huge, which is a bit daunting. Choosing from 10 desktop environments on one of 100 distributions creates at least 1000 combinations.

    On my personal machine, I had run into some of the problems you mentioned (particularly with pulseaudio). I assumed these were just Linux stability issues with the packages, not distribution-specific problems, like you assert.

    By the way, your reply has some very good points. How about making it a new blog post entitled “Some Pitfalls in Current Ubuntu Versions” or something like that, instead of burying it in a reply to a 6-week-old blog post? I think it would give it more visibility and I’m sure other people could benefit from it too.

    Comment by John | February 6, 2010

  4. Incidentally, while searching for security issues on Ubuntu, I came across this post on karmic tips and tricks (also written by you apparently). It has some food for thought about security issues with ssh-agent, pinentry-qt4, gnupg-agent, and kerneloops-daemon.

    Comment by John | February 6, 2010

    • Yes kernel-loops was no favorite of mine. Even Windows, last I knew, asked you if you wanted to report a problem, rather than just doing it! At least that one you can uninstall. And yes – the agents and pinentry are also very poor choices as a default in my opinion. Unless you know exactly what they do and want that, I suggest removing them as that post detailed. You can always install them later if you have a need for them, which is unlikely.

      As for your credit card purposes, Ubuntu if properly secured is not an unreasonable choice, especially as that’s what you’re familiar with. The main challenge I find with Ubuntu is all the stuff it installs by default – it’s got all kinds of daemons and such running, so it’s a challenge to figure out what much of it is.

      If you have the time, I suggest giving Arch a try. You might find you already have the skill set to use it with a little help from the excellent Arch Wiki, and if so that might be a better choice security-wise, if only because you choose what to install and not install as you set it up. It tends to create a more knowledgeable user/admin than a turn-key solution like Ubuntu. But if you’re not ready for that change just yet, go with Ubuntu. That’s better than getting overwhelmed and discouraged by too many changes at once. Maybe just research what you want running and what you don’t need, and clean up the default install a bit.

      I know what you mean about the 1000s of choices, but it’s an advantage. When I’m in the mood I try some of it. When I’m not in the mood I stick to ‘old reliable’ (whatever I’m currently using). But it’s very nice to have options.

      Also re moving the post or making a new one on Ubuntu, My Big Move and the Followup is in the Library and they still get regular traffic. I am hesitant to comment too much on Ubuntu now because I’m no longer using it on my primary system, and so I don’t feel up on the latest – things change fast in Linux world. I try to comment on things I have direct experience with. Plus people perceive it as Ubuntu-bashing now that I’m an Arch user, although that is not my intent. :) This was kind of my goodbye post – a parting gift, not a parting shot. But I think we’ve unfolded a lot of it here. I’ll leave it to current Ubuntuers to follow through.

      Comment by igurublog | February 6, 2010

      • It was inspiring to read your post, especially after my recent experience with FreeBSD server administration and its elegant simplicity. I think you’ve motivated me to try another Linux distribution after years with Ubuntu. ))) You’ve interested me in Arch too, but there is no way I’m going to install it on my desktop, let alone server before they implement package signing. (Their mailing list suggests that this is a milestone of not so near future. Unsigned package installation is a security breach of cyclopic proportions, anyone who hacks your old wifi AP will be able to inject malicious Arch packages by repository proxying, this isn’t even possible with Windows updates. Although Stuxnet shows us that various parties are able to sign malicious code with Microsoft-approved keys, but that’s the news barely worth mentioning.)

        Thank you for your really sincere writing! The problem for me now is to find some spare time — then I’ll probably try Gentoo. ))

        Comment by pipy | February 17, 2011

        • Thanks – I should write an updated review of Arch now that I’ve been using it awhile. Mostly I like it a lot. You’re right about the package signing – it hasn’t been a functional problem that I’ve seen, but it should be taken care of.

          I’ve heard Slackware is a good alternative to Arch as well for those who want things a little more prepared. But I find Arch to be the lowest maintenance distribution I’ve used, even considering the occasional breakage.

          Comment by igurublog | February 18, 2011

          • I’ll definitely try Arch after they implement signing! As of today it looks like they haven’t even reached a consensus on an overall package verification architecture.

            Comment by pipy | February 18, 2011

          • I added your unattributed comments here, so as you can see I fully agree with you.

            That said, I consider Arch more secure than Ubuntu, because Ubuntu is infested from within. But it depends on your threat model as well. Arch gets away with a bit of security through obscurity for now, but that is a false paradise. It also has knowledgeable users, which makes for better security in general – they’re more likely to see and investigate anomalies. This can actually be a stronger security than blindly relying on a digital signature. But I’m not defending their lack of attention to this hole – it’s inexcusable.

            Also, Arch’s database does contain MD5 sums. Because they’re so lethargic on getting the verification setup, I’m tempted to write a script that verifies the local package cache using MD5 sums from several mirrors. It would be better than nothing.

            Comment by igurublog | February 18, 2011
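
The cache check proposed in the comment above, comparing locally cached packages against the MD5 sums that several mirrors publish, could look like the following; this is an added example, not code from the blog or from Arch. It assumes each mirror's sync database is a tar archive of `desc` entries carrying `%FILENAME%` and `%MD5SUM%` fields; the mirror names, package names and package contents are constructed. Agreement between mirrors only exposes a single tampered mirror or network path, and MD5 is not collision-resistant, so this does not stand in for signed packages.

```python
import hashlib
import io
import tarfile
import tempfile
from collections import Counter
from pathlib import Path


def parse_desc(text):
    """Parse a pacman 'desc' entry: '%FIELD%' header lines followed by values."""
    fields, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            key = line.strip("%")
            fields[key] = []
        elif line and key:
            fields[key].append(line)
    return fields


def db_checksums(db_bytes):
    """Map package filename -> MD5 as listed in one mirror's sync database."""
    sums = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile() and member.name.endswith("/desc"):
                raw = tar.extractfile(member).read().decode("utf-8", "replace")
                desc = parse_desc(raw)
                if desc.get("FILENAME") and desc.get("MD5SUM"):
                    sums[desc["FILENAME"][0]] = desc["MD5SUM"][0].lower()
    return sums


def md5_file(path):
    """Hash a cached package in chunks so large files need little memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_cache(cache_dir, mirror_dbs, quorum=2):
    """Classify every cached package against the mirrors' published sums."""
    per_mirror = [db_checksums(blob) for blob in mirror_dbs.values()]
    report = {}
    for pkg in sorted(Path(cache_dir).glob("*.pkg.tar.*")):
        votes = Counter(s[pkg.name] for s in per_mirror if pkg.name in s)
        if not votes:
            status = "unlisted"            # old or foreign package
        elif len(votes) > 1:
            status = "mirrors-disagree"    # some mirror serves a different db
        elif sum(votes.values()) < quorum:
            status = "too-few-mirrors"     # one source cannot corroborate itself
        elif md5_file(pkg) == next(iter(votes)):
            status = "ok"
        else:
            status = "mismatch"            # cached file differs from every mirror
        report[pkg.name] = status
    return report


def make_db(entries):
    """Build a constructed sync database (tar.gz) from {filename: md5}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for filename, md5 in entries.items():
            body = f"%FILENAME%\n{filename}\n\n%MD5SUM%\n{md5}\n\n".encode()
            info = tarfile.TarInfo(name=filename.rsplit("-", 1)[0] + "/desc")
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def demo():
    """Run the check on constructed packages and three constructed mirrors."""
    md5 = lambda data: hashlib.md5(data).hexdigest()
    names = [f"{n}-1.0-1-x86_64.pkg.tar.xz" for n in ("alpha", "beta", "gamma")]
    published = [b"constructed package A", b"constructed package B",
                 b"constructed package C"]
    honest = {name: md5(data) for name, data in zip(names, published)}
    # Third mirror lists a different sum for gamma (tampered or stale database).
    rogue = {**honest, names[2]: md5(b"replaced upstream entry")}
    with tempfile.TemporaryDirectory() as cache:
        Path(cache, names[0]).write_bytes(published[0])
        Path(cache, names[1]).write_bytes(b"package B altered before caching")
        Path(cache, names[2]).write_bytes(published[2])
        dbs = {"mirror1": make_db(honest), "mirror2": make_db(honest),
               "mirror3": make_db(rogue)}
        return verify_cache(cache, dbs)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:18} {name}")
```
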

          • I looked into the package signing in Arch and have written an article on what I found. In a word, disappointing.

            Comment by igurublog | February 19, 2011

