Critical Security Flaw in Arch

lxskllr

No Lifer
Nov 30, 2004
A reader of my blog recently made a comment about Arch’s lack of package signing, and this got me looking into the issue more carefully. What I found has left me deeply concerned with a number of aspects of Arch

http://igurublog.wordpress.com/2011/02/19/archs-dirty-little-notso-secret/

I was considering playing around with this distro, but this is a deal breaker. One of the biggest benefits of Linux is security, and if that's undermined at the foundation, why bother?
 

Nothinman

Elite Member
Sep 14, 2001
Yea, that's pretty bad considering how easy it is to implement. RPM has supported signing individual packages for as long as I can remember and while .debs aren't signed individually, the files containing all of the checksums on a mirror are signed so if the checksum on a package doesn't match it's considered invalid.
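The Debian-style scheme Nothinman describes (a signed checksum manifest rather than per-package signatures), as an added Go example that is not from the thread or from apt itself: ed25519 stands in for GPG, and the mirror, manifest and package bytes are constructed. A mirror that swaps a package and rewrites the checksum list to match still fails, because it cannot re-sign the manifest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"sort"
	"strings"
)

// Constructed stand-in for an apt-style mirror: a manifest like a Release file
// ("<sha256> <filename>" per line) plus a signature over the whole manifest
// like Release.gpg (ed25519 here in place of GPG). Packages are unsigned.
type Repo struct {
	Manifest  string
	Signature []byte
	Packages  map[string][]byte
}

func buildManifest(pkgs map[string][]byte) string {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names) // stable order so the signed bytes are reproducible
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(pkgs[n])
		b.WriteString(hex.EncodeToString(sum[:]) + " " + n + "\n")
	}
	return b.String()
}

// publish is the archive side: only it holds the signing key; mirrors just copy.
func publish(priv ed25519.PrivateKey, pkgs map[string][]byte) Repo {
	m := buildManifest(pkgs)
	return Repo{Manifest: m, Signature: ed25519.Sign(priv, []byte(m)), Packages: pkgs}
}

// verifyPackage is the client side: trust only the pinned public key; a bad
// manifest signature rejects the mirror, else the package must be listed in it.
func verifyPackage(pub ed25519.PublicKey, r Repo, name string) error {
	if !ed25519.Verify(pub, []byte(r.Manifest), r.Signature) {
		return errors.New("manifest signature invalid")
	}
	sum := sha256.Sum256(r.Packages[name])
	if !strings.Contains(r.Manifest, hex.EncodeToString(sum[:])+" "+name+"\n") {
		return errors.New("package does not match signed manifest")
	}
	return nil
}
```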
 

TBSN

Senior member
Nov 12, 2006
Hm, didn't know about that! I'm building an Arch system now and I'd try it out anyway!

Who is going to try to attack your little Linux box anyway? At least it won't get viruses :p

*edit* Thanks for the article. Just finished it and it DOES seem to be pretty serious :0
 

lxskllr

No Lifer
Nov 30, 2004
Hm, didn't know about that! I'm building an Arch system now and I'd try it out anyway!

Who is going to try to attack your little Linux box anyway? At least it won't get viruses :p

*edit* Thanks for the article. Just finished it and it DOES seem to be pretty serious :0

Yea, I have a fairly blasé attitude regarding Linux security updates that come down the line. I install them more out of a sense of completeness, and making things right than any real concern that they'll be exploited. The Arch flaw OTOH undermines the whole system, and someone interested in mischief could exploit it fairly easily. Mischief is the best case scenario. Someone interested in nefarious purposes could pwn your box, and you'd be hard pressed to even discover it.
 

TBSN

Senior member
Nov 12, 2006
I posted this article on the Arch forums and it was immediately closed, saying it had been "discussed before." Soon after that it was deleted. I searched for other discussions and they were either very old or had been closed.

It is troubling that they are so sensitive about the subject and actively censor any discussion...
 

lxskllr

No Lifer
Nov 30, 2004
It is troubling that they are so sensitive about the subject and actively censor any discussion...

Yea, that's a terrible attitude to take. If they don't feel like fixing it quickly, that's fine, but they should make their users aware of the issue. Imo, a distribution's responsibility is to look after its users. Screw saving face. If that flaw gets exploited, it's going to make them look much worse than having a flaw they actively warned about, but didn't fix.
 

Nothinman

Elite Member
Sep 14, 2001
Easy solution: use another distribution.

Obviously, but if you like a particular distro you'd rather try and make it better instead of just jumping ship. Especially when the fix isn't all that hard and would help so much.
 

weovpac

Golden Member
Apr 12, 2000
When I gave Arch a try long ago, I asked the very same question and was dismissed as being paranoid. So I went back to trusty Debian :)
 

TBSN

Senior member
Nov 12, 2006
I just switched to a Debian-based distro (CrunchBang) from Arch. It wasn't only because of the security problem and snobby community, but that was part of it.

I think I might just go to the source, so to speak, and try vanilla Debian. I like customizing in Arch and that would probably give me the most flexible system to start with.
 

lxskllr

No Lifer
Nov 30, 2004
Debian's nice. It isn't particularly hard to deal with or anything. I'm on Ubuntu cause (for now) it's what I want in a desktop. Debian is more or less Ubuntu by the time I'm finished with it, so Ubuntu saves some time :^D

I don't think I like where Ubuntu's going with the desktop. I'm keeping my eye on it, and will try to keep an open mind, but I think it's likely I'll just switch to Debian. If I have to customize a bunch of stuff, I might as well go to the source.
 

eternalone

Golden Member
Sep 10, 2008
Good thread. I used to think Arch was the elite Linux distro for advanced users. Since I'm like a Linux noob (kind of, not that much anymore), I always waited for the day I could build my own Arch Linux system, but it seems kind of weird that they are trying to keep it under wraps.
 

TBSN

Senior member
Nov 12, 2006
Good thread. I used to think Arch was the elite Linux distro for advanced users. Since I'm like a Linux noob (kind of, not that much anymore), I always waited for the day I could build my own Arch Linux system, but it seems kind of weird that they are trying to keep it under wraps.

The thing about Arch is that the Wiki is EXCELLENT. It really holds your hand and I learned a lot about the basics of Linux. I was really turned off to it recently by the attitude of the powers-that-be. If you go to the "dustbin" section of the forums you'll see scores of topics that have been closed for even lightly mentioning "taboo" topics, such as criticism.

I'm into open source software mostly for the principle of it, so it really ruined it for me.

But if you want to try it out, you might learn a lot. If you just want a functional desktop, look elsewhere.