IgnorantGuru's Blog

Linux software, news, and tips

Mirror Mirror

I happened to come across this message posted in July from someone who ran a popular Arch mirror for 4 years:

This mirror will shut down in the upcoming days.

Few funny facts:

* We never got contacted by anyone before we got added in the official mirror list. We just posted this thread and all of the sudden it appeared. No verification of whom we were and what our intension were.

* ArchLinux is fundamentally unscalable in the package manager aspect.

* ArchLinux puts the trust in the hands of every mirror owner and their security. ftp.archlinux.se is the prime example of a machine vulnerable to all sorts of things. This affect YOUR security. This is why it’s being put down. If the ArchLinux authors would start signing packages this would not be a risk to you.

* We posted a suggestion of this in 2006. http://bugs.archlinux.org/task/5331 — This is 4 years of insecurity.

* We recommend all of you to switch to a distribution caring about user security and atleast signs their packages. Most RPM and APT based distros does this (Ubuntu, Debian, RedHat, CentOS, SuSE, OpenSuSE, etc etc etc).

Have fun. :-)

Yours,
Mikael

Of course the moderators closed the thread and moved it to the troll bin for what was said there. Then Mikael wrote in another thread :

Just noticed that the forum admin/moderator “Misfit138” moved a thread which we started 2006-08-31 to the “Dust/troll-bin” area. smile

This after hosting several TB of data to the community, and then speaking our minds and telling some perhaps stinging facts.

What kind of a community is that.

Thread located @ http://bbs.archlinux.org/viewtopic.php?id=24666

As always, yours,

Mikael

which was also moved to the troll bin. It seems the Arch moderators REALLY don’t like anyone discussing Arch’s security issues.

Of all the things about Arch, I have always found the forum the most disappointing. It is over-moderated to a ridiculous extent – looking through the troll bin I have to think “Why was this thread closed?” again and again. And the attitude toward newbies is ugly. There are some helpful people in the Arch community, but the forum as it stands is not worthy of that community.

February 25, 2011 - Posted by | Uncategorized

14 Comments

  1. BOFH moderator group is clearly thriving on a lack of leadership.

    Comment by pipy | February 26, 2011

  2. while, I don’t remember where I found it: archwiki had somewhere a phrasing like: we build arch for ourselves, any suggestions we don’t like, are you problems.
    Seeing that childish attitude, I adhere myself from using arch, despite it being great from it’s concepts and application of them.
    The childish attitude just does not do it to me. Your post only strengthens my opinion on archlinux as being run by people who lack openness and maturity, which makes me stick to Debian !

    Comment by Oz123 | March 1, 2011

  3. This security issue has been discussed several times, and it’s not a secret. It’s neither a problem that isn’t to be discussed, but if discussed it’s supposed to be accomplished with real suggestions, e g technical ones, of how to resolve it. Sure, some forums are viewed as more open, because it contains endless none productive discussions about the same questions over and over again.

    I’m not involved in anything but at times adding something to the Wiki, but I’ve at least some years of experience following the forum. Arch forum has a stricter policy than some are used to. You don’t ask before checking, and checking again that the same topic isn’t already covered or discussed. Duplications are closed immediately. Some don’t like this, and view any limitation as infringement on one’s own freedom. Others view this as a good clean up solution, keeping the forum more efficient, while avoiding contraindicative and confusing information.

    I remember very well the day Mikael “dropped the bomb”, or did he? Yes, in the sense that even though Arch is a community driven project, he hadn’t done anything productive to help out. For some reason, he probably only himself knows, he decided to simply stir up commotion. Decide for yourself if it’s a mature move, and if it’s worth such attention.

    I’m sure developers will appreciate a working solutions, like the ones that been discussed about signings. If not a blog like this is probably better, as it at least doesn’t take up resources of a forum where such issues can’t be resolved.

    Arch hasn’t tried to attracted users by numbers, but it’s there for those who share similar ideas. It’s not aimed at “newbies”, just like my HiFi equipment at home isn’t. Is newbies the only real goal of Linux? My impression is that there are several good choices for newbies out there, doing them better favour than choosing Arch. If these users some day decides Arch is for them, they will appreciate that it isn’t made for the newbies they ones were.

    Are you more mature choosing Debian, Oz123? If you feel so, it’s probably a good choice for you. Hence it’s a decision, and decisions are worthless if there’s no difference between distributions. Whether you love it or hate, these feelings confirms the strength of Linux; it comes in enough flavours to satisfy most.

    Comment by KimTjik | March 1, 2011

  4. @KimTjik why do I have the feeling that every discussion with archlinux about criticism will end with “it is not for newbies” ?

    No body here was talking about being user friendly or not !
    Even ‘old timers’ can miss the fact that Arch packages lack signing. Or maybe ‘missing’ is too kind ? This should be everywhere that Archmirros are not signed.

    The policy of ‘it’s your problem from where you get your software, is your problem and not the developers’ has already been tried by Microsoft, and it led to horrible results. Now, imagine Archlinux solves Bug #1 (see launchpad if you don’t know what I mean) and what do we have ? We have a great Linux distro, with software model which was already a failure by MS.
    Of course- there is also the other end – total dictatorship like apple appstore.

    I think most linux distro’s have found the magic path between both ends.

    As for solution: it is already in the body of the post…

    *** SIGH *** SIGNING PACKAGES ***

    Comment by Oz123 | March 1, 2011

  5. I agree that the archlinux forums are more moderated than most, but i think this is a good thing. It makes the forum cleaner, topics get moved to TGN when someone asks a question that can be easily resolved by searching the wiki, forum or a 5 minute google search. Many other forums get swamped by people asking the same questions over and over again. The forum is for getting things done, and whenever i have a problem caused by an upgrade, i can usually jump to the forums and get a solution in the first couple of threads i see on there. The community has a try stuff first, if that doesn’t work try the forums attitude, and a lot of people don’t seem to get that, but jump to asking for help on the first snag they run into, when it can be solved without adding clutter to the forums.
    As for the package signing, every now and then a thread pops up with the user posting more or less the exact same thing(we need package signing), and the same replies(yes we do). We need to find a solution, not sit around nodding our heads at the problem again. If you post something constructive, I don’t think it’s going to get closed, duplicated threads will.

    Comment by shwick | March 1, 2011

  6. Some one made me aware that package signing IS PLANNED on version 3.6 of pacman.
    That is a very good thing.
    Look at:
    https://wiki.archlinux.org/index.php/Pacman_Roadmap

    Comment by Oz123 | March 1, 2011

  7. # 4

    “No body here was talking about being user friendly or not!”

    Hm, as far as I can see it’s part of the argument in the article, as it states:

    “And the attitude toward newbies is ugly. There are some helpful people in the Arch community, but the forum as it stands is not worthy of that community.”

    Why do you twist my comment by denying what’s written? If it’s not part of the argument, then remove that part from the article. I didn’t mention newbies as an argument against a more secure package policy, I mentioned it as a separate response to a remark made in the article. No, need to sigh if you think clear and compare the article to my response. Keep an open mind, and don’t apply bias when interpreting responses, please.

    “I think most linux distro’s have found the magic path between both ends.”

    Fine, but not every distribution has to be a “path between both ends”. A Linux distribution doesn’t have to adopt a market strategy. If you’re concerned about freedom, then respect the choice of not trying to be like the other distributions you refer to.

    The remark about Arch’ policy being somehow similar to Microsoft’s isn’t productive, and only works as a provocation. It’s your blog however, and hence it’s your choice to choose direction of it.

    Compared to most users I’m pretty old. I’ve seen and experienced all kinds of forums related to computing. My experience tells me that Arch’ forum is one of the better during all this time. Your view is critical, just as some blog writers praise it. Maybe that’s because we humans are different, not necessarily because one forum is superior or inferior to others. Remember, when pointing a finger at someone, at least three point at yourself.

    Comment by KimTjik | March 1, 2011

    • Just a correction: my writing became a mix of responses to both the author of the article and Oz123. I apologize for that. It’s however still possible to understand my ideas…

      Comment by KimTjik | March 1, 2011

  8. Hi Kim Tijk!

    I usually agree with your well-reasoned comments (a.o. Distrowatch), but in this case I beg to differ. In my opinion the Arch Linux devs and moderators fully deserve the criticism they are _attracting.

    Arch is a fine distro, but it has severe security flaws. I can only think of two possible reasons for this unprofessional state of affairs: the distro is without a functioning leadership, or the leadership is lacking in will or ability to prioritize responsibly. I have the same guesses for the abominable atmosphere in the fora. Snapping and yelling at inexperienced users willing to try out your product is simply unheard of.

    Offering a distro to the general public without taking minimal precautions to secure packages is close to placing a virus in the wild. At least in principle.

    Yes, Linux offers choice, but offering a distro carries responsiblities. Or it ought to. If we Linux users are unwilling to keep our house(s) in order, there are enough of outsiders who will eagerly do it for us and severely restrict our freedom while at it.

    The Arch leadership, if it exists, needs to smarten up and shape up.

    Comment by SES | March 3, 2011

    • Great! I agree with you, totally!

      Comment by Ravenman | March 3, 2011

    • To begin with all projects deserve criticism; without constructive criticism progress will slow down. Arch has strengths and weaknesses, and the discussed one is a weakness. I’ve no problem in accepting this as a technical weakness, but I’ve enough experience of Arch to distinguish when criticism is non-constructive or when problems are exaggerated and experiences are interpreted as being proof of something it isn’t. Let me explain a couple of things:

      – within open-source we see a tendency of folks applying democracy to every project as a justification for taking offence for every matter that means disagreement. Unfortunately some react this way even though lacking equal knowledge. Criticism of the forum, e g criticism of its moderators, because if criticising the forum per se, it would mean you criticise Linux users in general, is in my opinion a good sign. Why? Because I’m sick and tired of useless forums. A Linux forum doesn’t need to fill a social function, as a replacement for “normal” needs of friends; it’s foremost a tool for technical advice, targeted at already somehow experienced Linux users. No one has any right to by superior virtue demand a forum of volunteers to serve the interest of others than its target audience.

      – I don’t agree with you that creating a distribution automatically means accepting responsibilities fitting a professional or business organisation. Still very few distributions, even the obviously pro-oriented ones, can compete with Arch’ Wiki, a result of the kind of leadership it actually has. Applying limitation to ones freedom of sharing is absurd. With all respect, what you propose doesn’t have boarders. Home PCs is already a risk for security, and always have. The absolute solution to that would be something neither of us wants, and hence we have to settle for a sound compromise. You can’t shovel responsibilities one way and blindfold the other. Another topic which has been up for flame wars outside of the Arch community, is the demand for a “easy” installer. Don’t you think that the current policy by itself sort out a user base that is somehow capable of understanding the pros and cons of Arch?

      I stop here for now, since I have to get back to work. We all have to smarten up, otherwise we die.

      Comment by KimTjik | March 4, 2011

      • I don’t want one “easy installer” (I hate the lastest version framework, gggrrr) only I want signed packages. I only want security in my Arch Linux installations/upgradings … Is that too much to ask?

        Comment by Ravenman | March 4, 2011

        • Of course not, and it will be implemented. As you can see I’ve never questioned the actual implementation of higher security, on the contrary I welcome it. I only question the manner in which some rise controversy about it, and how too much is interpreted into what this tells about the Arch community in its totality.

          You’ve always the right to ask, as long as you don’t demand, and/or talk trash about volunteers willing to share their work. I’m confident in that you avoid the latter, and support the community the best you can.

          Comment by KimTjik | March 4, 2011

  9. Kim Tijk:”I don’t agree with you that creating a distribution automatically means accepting responsibilities fitting a professional or business organisation.”

    Signed packages is an elementary and _very minimal security precaution and therefore one which I think should be obligatory practice. Perhaps not in strictly legal terms, but a prerequisite for calling a code distribution system professional. Attitude about one’s practice is important. Package signatures help protect _all Internet users, directly or indirectly.

    If Arch Linux had been a shoddy, unimportant distro, I might not have bothered to respond to IgnorantGuru’s important wake-up call. However, it is a good distro which seems to rise in popularity, so whatever happens at/with Arch will reflect on Linux in general. A simple thing like package signatures would have been implemented years ago, or from the disto’s get go, if the leadership had been acting in a responsible manner. This is a mere fact.

    About tone: Linux discussions are too often (read: nearly always) too polite – so much so as to border on inanity. Harsh criticism is sometimes both well deserved and even necessary, as in this case. Note, I am saying _criticism, which is a constructive thing, as opposed to personally offending responses amounting to ‘Sod off!’ that one can witness in the Arch fora.

    Democracy: Yes, we all have our freedom to choose what to offer or listen to. I want Arch Linux to succeed and grow and I therefore believe the Arch power that be would do well to listen to the users.

    Meanwhile I agree that we all need to smarten up.

    Comment by SES | March 4, 2011


Sorry, the comment form is closed at this time.

%d bloggers like this: