Author Topic: Stability vs Security is something you configure  (Read 16562 times)


Offline philm

  • Core Team
  • Posts: 10671
    • Manjaro Linux
  • Branch: Unstable
  • Desktop: XFCE
  • GPU Card: Geforce GTX 650
  • GPU driver: non-free
  • Kernel: Maintainer - so all ;)
  • Skill: Guru
Stability vs Security is something you configure
« on: 18. November 2013, 19:51:44 »


I still hear that Manjaro is not as secure as Arch Linux. We are a young distribution, which isn't stable yet, but already ranks in DistroWatch's top ten.

Code:
Popularity (hits per day): 12 months: 9 (1,023), 6 months: 8 (1,088), 3 months: 8 (1,210), 4 weeks: 7 (1,122), 1 week: 8 (1,003)
There are several Arch-based distros out there: Antergos, ArchBang, Bridge Linux, just to name a few. They are not as popular as we are. There is also no such big hassle around them. They are all distrolets, based on Arch Linux.

So, what is a distrolet? Well, it is more a respin of the original distribution with some extra spice. Chakra was once a distrolet. It used Arch Linux repositories and their own kdemod repositories to ship a modified KDE version, to make Arch better. After realizing that Arch is too fast and it is too hard to keep up with their changes, they split up and created their own infrastructure. They kept pacman but built all packages from the ground up. Chakra is now independent from Arch, using similar tools but not relying much on Arch any more. Frugalware, if anyone noticed, is also Arch-based. They used pacman and modified it to their needs. Some will say they complicate things. Same here: own release cycles and own infrastructure. We won't start to discuss their security handling here ...

So what is the big difference between Arch and Manjaro? What makes it so popular that some think of it as a threat? Manjaro is simply different. We play by our own rules. We don't care much about the Arch Way. Zip it if you want to start here. I simply don't care about it much. Think more of a different way. The way we think it might be best for you, best for the user: easy to use, easy to understand, friendly to communicate. Just use your PC as you like to use it. Not being afraid to lose your stability on each update. You decide when and what you want to update. There are no limits or restrictions set by us.

We use snapshots from Arch Linux and compile our own maintained packages against those pulls. There are also several precautions to prevent a meltdown. This brings us to the first issue: we simply ignore security for stability. To even think about that makes me raise my eyebrows. Sure, you get your packages later in our stable repositories than in the other repository branches we maintain. At that time, it was January, we updated only once a month since we had to concentrate more on our next stable release, 0.8.5, which was in the making. A follow-up heated everything up. Even changes to the code won't stop us much. We take time and announce every single update we push to stable, so everybody has a place to discuss their issues. We do this even for our testing branch to get your feedback.

We got a big popularity boost from Phoronix after releasing Manjaro 0.8.5 with our new graphical installer. No wonder that we are now compared against Ubuntu and used to represent Arch-based distros on Phoronix. Some might even have got confused about which Transifex project they should translate pacman in. All in all, it leads again to a comparison of security issue handling.

So how exactly do we handle updates? Well, we have three branches. Stable is used to get only the most tested packages out there, when we think they are ready. It might take one to two weeks to see updates in that branch. There you might be right: when Mozilla fixes a security issue in their Firefox, you get it two weeks later. In this time you are vulnerable - not you - your system is.

If you always want to have the latest and greatest, you don't have to go back to Arch. Simply switch to our unstable branch. There you get what you get, and when we get it on our servers. Since there is almost no testing done on our end, it might be better if you're more experienced in how to fix your PC - it might break similarly to what you already know from Arch. We might have to repack packages to fit changes we got through these pulls from Arch Linux.

This brings us to our testing branch. In this repository you find package sets our community tests before our developers give their green light to merge them into current stable. This is the most interesting repository branch, which you should pick if you want a middle way between stability and security. You get packages at most one week later. Our developers work hard to push them faster to that branch from unstable. The more tests, the better the quality will get.

We try to get better with each release. People who want to test our next best thing should play with 0.8.8rc3, which I'll announce to the public by tomorrow. So our engines are more directed to getting this release properly out into the wild rather than thinking about security issues, as we mostly do.

The funny thing is: not only is our upstream distro questioning us, now even Mint is being questioned by Ubuntu about their security handling.

So please, read the book before you judge it by the cover.

kind regards

Phil
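The branch switch described above is a configuration change, and knowing which branch a machine is on is the first thing to check when judging how far behind a security fix it may be. The script below is an added example written for this page, not code from the post or from Manjaro's own tooling. It assumes the Manjaro mirrorlist format, where every Server line ends in /<branch>/$repo/$arch, and works on a constructed copy of the file rather than /etc/pacman.d/mirrorlist so that it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from Manjaro. It shows
# the "something you configure" part of the thread: the repository branch is
# an element of every Server URL in the pacman mirrorlist, assumed here to be
#   Server = http://<mirror>/.../<branch>/$repo/$arch
# The real file is /etc/pacman.d/mirrorlist; demo() writes a constructed copy.

# current_branch FILE
# Print every branch referenced by the Server lines of FILE, one per line,
# deduplicated. More than one line means the mirrorlist mixes branches.
current_branch() {
    sed -n 's|^[[:space:]]*Server[[:space:]]*=[[:space:]]*.*/\([^/]*\)/\$repo/\$arch.*$|\1|p' "$1" | sort -u
}

# set_branch FILE BRANCH
# Rewrite the branch element of every Server line in FILE. Only the three
# branches the post describes are accepted; a typo would otherwise point
# pacman at a repository path that does not exist.
set_branch() {
    file=$1
    branch=$2
    case $branch in
        stable|testing|unstable) ;;
        *) echo "set_branch: unknown branch '$branch' (use stable, testing or unstable)" >&2
           return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    sed 's|^\([[:space:]]*Server[[:space:]]*=[[:space:]]*.*\)/[^/]*\(/\$repo/\$arch\)|\1/'"$branch"'\2|' "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Demonstration on a constructed mirrorlist. On a real system you would point
# the functions at /etc/pacman.d/mirrorlist and finish with: sudo pacman -Syyu
demo() {
    f=$(mktemp)
    printf '%s\n' \
        '## Constructed Manjaro mirrorlist sample' \
        'Server = http://repo.manjaro.org/stable/$repo/$arch' \
        'Server = http://mirror.example.net/manjaro/stable/$repo/$arch' > "$f"
    echo "before: $(current_branch "$f")"
    set_branch "$f" testing
    echo "after:  $(current_branch "$f")"
    rm -f "$f"
}

demo
```

The rewrite keeps comments and mirror hosts untouched and only changes the path element before `$repo/$arch`, so a mirrorlist that mixes branches (which `current_branch` reports as several lines) is normalised to one branch in a single pass.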

Offline thundersqueak

  • Hero Member
  • Posts: 1755
  • everyone dies
  • Branch: all of em
  • Desktop: gnome
  • GPU Card: nvidia 9300
  • GPU driver: non-free
  • Kernel: most,if not all
  • Skill: Novice
Re: Stability vs Security is something you configure
« Reply #1 on: 18. November 2013, 22:48:48 »
Thanks Phil for the insight. On the Ubuntu/Mint thing I think the Ubuntu dev just had to get that out days before the next Mint release...
"Why is it that every grubby little government i pass has the impertinence to assume that i can spare the time and energy necessary for their destruction?"

Offline Lukimya

  • Hero Member
  • Posts: 884
  • Branch: Unstable
  • Desktop: Gnome 3.20x
  • GPU Card: Intel HD4400
  • GPU driver: free
  • Kernel: 4.4.5-1-ARCH
  • Skill: Intermediate
Re: Stability vs Security is something you configure
« Reply #2 on: 18. November 2013, 23:21:18 »
I would "sticky" this.

Hopefully this clears the air as I am not a friend of such politics :)

Offline Passerby

  • Newbie
  • Posts: 16
  • Branch: Stable
  • Desktop: XFCE 4.10/4.12
  • GPU Card: Nvidia GTX 650
  • GPU driver: non-free
  • Kernel: 3.11.6-1-MANJARO
  • Skill: Intermediate
Re: Stability vs Security is something you configure
« Reply #3 on: 19. November 2013, 00:39:46 »
Quote from: thundersqueak
On the Ubuntu/Mint thing I think the Ubuntu dev just had to get that out days before the next Mint release...

Scary thought. They have already lost a lot of users to Mint, so while I don't want to start flinging accusations or cause any controversy, the timing is rather notable.

Either way, methinks Canonical spends too much time arguing and mud-flinging.
Not that that's anything new in the Linux community  :-[
PC: Manjaro/LM 13 x64 XFCE, Kernel 3.11.1-6/3.8.0-32-generic, Nvidia GTX650, i7 3770K, 16GB RAM, Asus Xonar DX

My HTML5 login themes + screenshots

Offline eduardo

  • Sr. Member
  • Posts: 316
  • Branch: testing
  • Desktop: KDE plasma 5
  • GPU Card: Intel HDGraphics 4400 / Nvidia Geforce 960M
  • GPU driver: non-free on nvidia
  • Kernel: linux44, linux45_RC
  • Skill: Novice
Re: Stability vs Security is something you configure
« Reply #4 on: 19. November 2013, 03:08:02 »
As I read above, Manjaro is still not at a 1.0 version after all; it's still getting better.
I think there is some software that should be updated more frequently than the rest, for example Firefox, because each update fixes a lot of security bugs.
And I guess this applies too to a couple more packages in the repos. Maybe the solution is to be at an intermediate point: not delaying important software (like Firefox) for too much time, but not being as unstable as Arch. Maybe Allan has and has no reason at the same time.
Another option is to temporarily backport important security fixes to the current version of Firefox (like Ubuntu does), until the newer version comes to stable. Of course, I know this can mean extra work (maybe copying Ubuntu patches?). Just my opinion, all of this can be debated.
« Last Edit: 19. November 2013, 03:17:42 by eduardo »

Offline Arup

  • Sr. Member
  • Posts: 387
  • Branch: unstable
  • Desktop: XFCE
  • GPU Card: nvidia
  • GPU driver: no
  • Kernel: 3.13
  • Skill: Advanced
Re: Stability vs Security is something you configure
« Reply #5 on: 19. November 2013, 04:05:29 »
Ubuntu, unlike Manjaro and Arch, uses older packages, so when security is issued it's not safe to ignore them. In the case of Manjaro, since it's Arch-based, the worry is far less and PhilM is right about his stand on this aspect.

Offline thundersqueak

  • Hero Member
  • Posts: 1755
  • everyone dies
  • Branch: all of em
  • Desktop: gnome
  • GPU Card: nvidia 9300
  • GPU driver: non-free
  • Kernel: most,if not all
  • Skill: Novice
Re: Stability vs Security is something you configure
« Reply #6 on: 19. November 2013, 13:44:43 »
@eduardo I don't think this is open for discussion at all. If you read Phil's post, he is explaining that Manjaro is as Manjaro does and it won't change, and if you feel you need newer packages you can shift to the testing or unstable branches; then you can help with making stable more bug-free.
"Why is it that every grubby little government i pass has the impertinence to assume that i can spare the time and energy necessary for their destruction?"

Offline Lukimya

  • Hero Member
  • Posts: 884
  • Branch: Unstable
  • Desktop: Gnome 3.20x
  • GPU Card: Intel HD4400
  • GPU driver: free
  • Kernel: 4.4.5-1-ARCH
  • Skill: Intermediate
Re: Stability vs Security is something you configure
« Reply #7 on: 21. November 2013, 13:22:50 »
Well, if you use custom repos for browser and Skype and stuff in Ubuntu, you actually get the latest and greatest, just like in Arch. So in that sense Manjaro is slower. However, it is the ease of use and overall state of the system that counts for me.

Offline mandog

  • Hero Member
  • Posts: 1921
  • Architect Forum And G+ Forum Owner With Daniel S
  • Branch: All
  • Desktop: Gnome, Mate, E19, Openbox,FLuxbox,Budgie, XFCE openRC,
  • GPU Card: nvidia
  • GPU driver: Non Free
  • Kernel: latest
  • Skill: Advanced
Re: Stability vs Security is something you configure
« Reply #8 on: 21. November 2013, 14:16:10 »
Quote from: Lukimya
Well, if you use custom repos for browser and Skype and stuff in Ubuntu, you actually get the latest and greatest, just like in Arch. So in that sense Manjaro is slower. However, it is the ease of use and overall state of the system that counts for me.
You are wrong, totally wrong. If you use custom repos you are opening your system to totally insecure packages that nobody has tested.
AN ENGLISHMAN IN PERU
I'm dyslexic. Please do not complain about punctuation or spelling.
FANBOY, taken from the Urban Dictionary:
A pathetic insult often used by fanboys themselves to try and put down people who don't like whatever it is they like.

Offline Lukimya

  • Hero Member
  • Posts: 884
  • Branch: Unstable
  • Desktop: Gnome 3.20x
  • GPU Card: Intel HD4400
  • GPU driver: free
  • Kernel: 4.4.5-1-ARCH
  • Skill: Intermediate
Re: Stability vs Security is something you configure
« Reply #9 on: 21. November 2013, 14:36:58 »
Quote from: mandog
You are wrong, totally wrong. If you use custom repos you are opening your system to totally insecure packages that nobody has tested.

Well, I would assume that if there is a brand new version of Skype in the AUR and on the same day I hear news on OMG! Ubuntu that there is a new version of Skype available in this and that PPA, that they would be the same package. How does Skype get better by testing it? Microsoft does whatever they want with it anyway.

Offline mandog

  • Hero Member
  • Posts: 1921
  • Architect Forum And G+ Forum Owner With Daniel S
  • Branch: All
  • Desktop: Gnome, Mate, E19, Openbox,FLuxbox,Budgie, XFCE openRC,
  • GPU Card: nvidia
  • GPU driver: Non Free
  • Kernel: latest
  • Skill: Advanced
Re: Stability vs Security is something you configure
« Reply #10 on: 21. November 2013, 14:47:26 »
Quote from: Lukimya
Well, I would assume that if there is a brand new version of Skype in the AUR and on the same day I hear news on OMG! Ubuntu that there is a new version of Skype available in this and that PPA, that they would be the same package. How does Skype get better by testing it? Microsoft does whatever they want with it anyway.
Simple: in the AUR the maintainer has to build it first; in Ubuntu it was recompiled by? You cannot compare Ubuntu with Arch, they are chalk and cheese. Arch is driven by devs that use it as their distro of choice; Ubuntu is a commercial venture and earns money from the project, and most of the devs don't use it.
AN ENGLISHMAN IN PERU
I'm dyslexic. Please do not complain about punctuation or spelling.
FANBOY, taken from the Urban Dictionary:
A pathetic insult often used by fanboys themselves to try and put down people who don't like whatever it is they like.

Offline poker98face

  • Hero Member
  • Posts: 1586
  • Open your Source, Open your Mind
  • Branch: stable Arch
  • Desktop: KDE
  • GPU Card: ATI 5470
  • GPU driver: free
  • Kernel: 3.15 Arch
  • Skill: Intermediate
Re: Stability vs Security is something you configure
« Reply #11 on: 21. November 2013, 14:55:19 »
Quote from: mandog
You are wrong, totally wrong. If you use custom repos you are opening your system to totally insecure packages that nobody has tested.
And AUR packages are tested by whom? In Ubuntu, if I add the Gnome PPA, packages from this repo are tested by Gnome developers; if I add the LO PPA, packages are tested by LO developers, etc. etc. PPAs are made by the application developers and packages in the AUR by Arch users  ;)

PC: Windows 7 Notebook: Arch

Offline excalibur1234

  • Global Moderator
  • Posts: 2508
  • Branch: unstable
  • Desktop: net-minimal + LXQt
  • GPU driver: video-nouveau
  • Kernel: 4.6
  • Skill: Intermediate
Re: Stability vs Security is something you configure
« Reply #12 on: 21. November 2013, 14:58:51 »
During the time the packages spend in the unstable and/or testing repository, NOT ALL packages get tested. Some do (especially in the testing repository), but most of the time we only look at whether the update process works and whether our Manjaro looks and functions the same way as before the update.

The good thing about holding back packages for a little time is: you (and philm) are able to look at the Arch community and what problems they have with the new packages. When you see something like that happening (e.g. there were huge problems with the new Cinnamon 2.0), you can either wait until the problems are fixed in Arch with a new package release, or you can try to fix it yourself (this was the reason Cinnamon 2.0 took so long to be released in Manjaro). In short, Manjaro uses the entire Arch community as package testers.

I agree that packages for Firefox, Midori, Chromium, Java, Flash, and other critical internet programs should be released much earlier, even for the stable branch.
philm has mentioned that Manjaro 0.9 will come with a (partially) new package system.
This is a good opportunity to talk about package handling in Manjaro. I'll wait until 0.8.8 has been released before I open a thread about it.
Need more information? Search here:   Manjaro Forum   |   Manjaro Wiki   |   Arch Wiki

Offline aaditya

  • OpenRC Team
  • Posts: 2844
    • My Website
  • Branch: Testing
  • Desktop: Xfce, Openbox
  • GPU Card: Intel HD 4000
  • Kernel: Linux 4.4 x86_64
  • Skill: Intermediate
Re: Stability vs Security is something you configure
« Reply #13 on: 21. November 2013, 14:59:40 »
Quote from: poker98face
And AUR packages are tested by whom? In Ubuntu, if I add the Gnome PPA, packages from this repo are tested by Gnome developers; if I add the LO PPA, packages are tested by LO developers, etc. etc. PPAs are made by the application developers and packages in the AUR by Arch users  ;)
The AUR doesn't have "packages"!
It contains the PKGBUILD to download the source code (hosted by the developer or somewhere else) and then compile it on your system.
The PKGBUILDs are made by the users, which you can check and even modify.
In my opinion it's more transparent than a PPA.
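Checking a PKGBUILD before building, which is what the transparency argument above relies on, is something you can script. The following is an added example for this page, not code from the post, from the AUR or from makepkg. It assumes a PKGBUILD whose source and sha256sums arrays are written in the usual bash array form, leaves variables such as $pkgver unexpanded, and inspects a constructed PKGBUILD whose package name (example-app) and example.invalid URLs are placeholders.

```shell
#!/bin/sh
# Added example, not code from the post, the AUR or makepkg. Before building
# an AUR package, list every source entry together with whether it is pinned
# by a sha256 checksum and whether it is fetched over https. Only source=()
# and sha256sums=() are read; this is a review aid, not a build tool, so
# variables like $pkgver stay unexpanded. sample_pkgbuild writes a constructed
# PKGBUILD: "example-app" and the example.invalid URLs are placeholders.

# pkgbuild_audit FILE
# Prints one line per source entry:  <findings> <url>
#   ok           https source pinned by a real sha256 sum
#   unpinned     checksum missing or SKIP: whoever controls the download
#                decides what you compile
#   plain-http   fetched without TLS: alterable in transit
# Findings are comma-joined when both apply. Exit status 1 if any entry is not ok.
pkgbuild_audit() {
    awk '
    { buf = buf " " $0 }                       # flatten the file: arrays may span lines

    # Read the bash array NAME=( ... ) out of the flattened text into OUT.
    function arr(b, name, out,    i, s, n, k, t, m) {
        i = index(b, " " name "=(")            # leading space: do not match inside source_x86_64 etc.
        if (!i) return 0
        s = substr(b, i + length(name) + 3)    # text after the opening parenthesis
        s = substr(s, 1, index(s, ")") - 1)    # up to the closing parenthesis
        gsub(/["'"'"']/, "", s)                # drop quotes
        n = split(s, t, /[ \t]+/)
        m = 0
        for (k = 1; k <= n; k++) if (t[k] != "") out[++m] = t[k]
        return m
    }

    END {
        split("", src); split("", sums)
        ns = arr(buf, "source", src)
        nc = arr(buf, "sha256sums", sums)
        bad = 0
        for (k = 1; k <= ns; k++) {
            url = src[k]; sub(/^[^:]*::/, "", url)   # strip a "filename::" prefix
            st = ""
            if (k > nc || sums[k] == "SKIP") st = "unpinned"
            if (url ~ /^http:\/\//) st = (st == "" ? "plain-http" : st ",plain-http")
            if (st == "") st = "ok"; else bad = 1
            print st, url
        }
        exit bad
    }' "$1"
}

# sample_pkgbuild FILE: write the constructed PKGBUILD used for the demo.
sample_pkgbuild() {
    cat > "$1" <<'EOF'
# Constructed sample PKGBUILD; example-app and its URLs are placeholders
pkgname=example-app
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/example-app-$pkgver.tar.gz"
        "http://example.invalid/example-app.desktop"
        "example-app.sh::https://example.invalid/helper.sh")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
            'SKIP')
build() {
  cd "$pkgname-$pkgver"
  make
}
EOF
}

# Stand-alone demonstration: prints three lines and exits non-zero because
# the constructed PKGBUILD has an unpinned http entry and a third source
# with no checksum at all.
f=$(mktemp) && sample_pkgbuild "$f" && pkgbuild_audit "$f"; rm -f "$f"
```

On a real PKGBUILD from the AUR you would run `pkgbuild_audit PKGBUILD` in the cloned directory before `makepkg`; a non-zero exit is the cue to read the file by hand, which is exactly the check the reply above says a PPA does not let you make.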

Offline poker98face

  • Hero Member
  • Posts: 1586
  • Open your Source, Open your Mind
  • Branch: stable Arch
  • Desktop: KDE
  • GPU Card: ATI 5470
  • GPU driver: free
  • Kernel: 3.15 Arch
  • Skill: Intermediate
Re: Stability vs Security is something you configure
« Reply #14 on: 21. November 2013, 15:16:19 »
Quote from: aaditya
The AUR doesn't have "packages"!
It contains the PKGBUILD to download the source code (hosted by the developer or somewhere else) and then compile it on your system.
The PKGBUILDs are made by the users, which you can check and even modify.
In my opinion it's more transparent than a PPA.
Then sorry  ;)

PC: Windows 7 Notebook: Arch