Critical Security Flaw in Arch

Toggle sidebar Toggle sidebar
lxskllr

lxskllr

No Lifer
Nov 30, 2004
59,474
9,999
126
A reader of my blog recently made a comment about Arch’s lack of package signing, and this got me looking into the issue more carefully. What I found has left me deeply concerned with a number of aspects of Arch
Click to expand...

http://igurublog.wordpress.com/2011/02/19/archs-dirty-little-notso-secret/

I was considering playing around with this distro, but this is a deal breaker. One of the biggest benefits of Linux is security, and if that's undermined at the foundation, why bother?
 
Nothinman

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Yea, that's pretty bad considering how easy it is to implement. RPM has supported signing individual packages for as long as I can remember and while .debs aren't signed individually, the files containing all of the checksums on a mirror are signed so if the checksum on a package doesn't match it's considered invalid.
 
TBSN

TBSN

Senior member
Nov 12, 2006
925
0
76
Hm, didn't know about that! I'm building an arch system now and I'd try it out anyway!

Who is going to try to attack your little Linux box anyway? At least it won't get viruses :p

*edit* Thanks for the article. Just finished it and it DOES seem to be pretty serious :0
 
Last edited:
lxskllr

lxskllr

No Lifer
Nov 30, 2004
59,474
9,999
126
TBSN said:
Hm, didn't know about that! I'm building an arch system now and I'd try it out anyway!

Who is going to try to attack your little Linux box anyway? At least it won't get viruses :p

*edit* Thanks for the article. Just finished it and it DOES seem to be pretty serious :0
Click to expand...

Yea, I have a fairly blasé attitude regarding Linux security updates that come down the line. I install them more out of a sense of completeness, and making things right than any real concern that they'll be exploited. The Arch flaw OTOH undermines the whole system, and someone interested in mischief could exploit it fairly easily. Mischief is the best case scenario. Someone interested in nefarious purposes could pwn your box, and you'd be hard pressed to even discover it.
 
TBSN

TBSN

Senior member
Nov 12, 2006
925
0
76
I posted this article on the Arch forums and it was immediately closed, saying it had been "discussed before." Soon after that it was deleted. I searched for other discussions and they were either very old or had been closed.

It is troubling that they are so sensitive about the subject and actively censor any discussion...
 
lxskllr

lxskllr

No Lifer
Nov 30, 2004
59,474
9,999
126
TBSN said:
It is troubling that they are so sensitive about the subject and actively censor any discussion...
Click to expand...

Yea, that''s a terrible attitude to take. If they don't feel like fixing it quickly, that's fine, but they should make their users aware of the issue. Imo, a distribution's responsibility is to look after it's users. Screw saving face. If that flaw gets exploited, it's going to make them look much worse than having flaw they actively warned about, but didn't fix.
 
Nothinman

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
jhu said:
Easy solution: use another distribution.
Click to expand...

Obviously, but if you like a particular distro you'd rather try and make it better instead of just jumping ship. Especially when the fix isn't all that hard and would help so much.
 
W

weovpac

Golden Member
Apr 12, 2000
1,381
0
76
When I gave Arch a try long ago, I asked the very same question and was dismissed as being paranoid. So I went back to trusty Debian :)
 
TBSN

TBSN

Senior member
Nov 12, 2006
925
0
76
I just switched to a debian-based distro (crunchbang) from Arch. It wasn't only because of the security problem and snobby community, but that was part of it.

I think I might just go to the source, so to speak, and try debian vanilla. I like customizing in arch and that would probably give me the most flexible system to start with.
 
lxskllr

lxskllr

No Lifer
Nov 30, 2004
59,474
9,999
126
Debian's nice. It isn't particularly hard to deal with or anything. I'm on Ubuntu cause (for now) it's what I want in a desktop. Debian is more or less Ubuntu by the time I'm finished with it, so Ubuntu saves some time :^D

I don't think I like where Ubuntu's going with the desktop. I'm keeping my eye on it, and will try to keep an open mind, but I think it's likely I'll just switch to Debian. If I have to customize a bunch of stuff, I might as well go to the source.
 
eternalone

eternalone

Golden Member
Sep 10, 2008
1,500
2
81
Good thread I used to think Arch was the elite linux distro for advanced users. Since Im like a linux noob kind of not that much anymore, but I always waited for the day I could build my own Arch linux system, but that seems kind of weird that they are trying to keep it under wraps.
 
TBSN

TBSN

Senior member
Nov 12, 2006
925
0
76
eternalone said:
Good thread I used to think Arch was the elite linux distro for advanced users. Since Im like a linux noob kind of not that much anymore, but I always waited for the day I could build my own Arch linux system, but that seems kind of weird that they are trying to keep it under wraps.
Click to expand...

The thing about Arch is that the Wiki is EXCELLENT. It really holds your hand and I learned a lot about the basics of Linux. I was really turned off to it recently by the attitude of the powers-that-be. If you go to the "dustbin" section of the forums you'll see scores of topics that have been closed for even lightly mentioning "taboo" topics, such as criticism.

I'm into open source software mostly for the principle of it, so it really ruined it for me.

But if you want to try it out, you might learn a lot. If you just want a functional desktop, look elsewhere.
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom