Lemongrass38 wrote:Fred Barclay wrote:Manjaro and Arch, on the other hand (if I understand it correctly) trust the upstream developers much more.
Fred, could you please tell me more about this?
Do you have a source (some inner regulation or writing) that proves this? Also, do you know about such a thing for Debian?
It's certainly much easier to hide something from 37*2=74 eyes than from 1022*2=2044 eyes.
Sorry for the late reply - it's hard to find sources when all I have is an impression pieced together from 2+ years of reading about (and occasionally using) Arch.
Do remember that I'm comparing Linux to Linux here... we're still talking about a pretty strong and secure OS whether you use Debian or Arch (or Ubuntu, Mint, Fedora...)
Here's what I
know:
Arch does have 38 developers and 50 Trusted Users (TUs).
https://wiki.archlinux.org/index.php/Tr ... sted_Users The TUs oversee the "Community" repository in Arch, while the developers maintain the "core" and "extra" repos as well as (I presume) "multilib".
The Trusted Users are a separate group from the Arch Linux developers, and there is not a lot of communication between them.
https://wiki.archlinux.org/index.php/Of ... background
[Arch] ships software as released by the original developers (upstream) with minimal distribution-specific (downstream) changes: patches not accepted by upstream are avoided, and Arch's downstream patches consist almost entirely of backported bug fixes that are obsoleted by the project's next release.
https://wiki.archlinux.org/index.php/Arch_Linux
I don't know the nature of these bug fixes. Are they security and cosmetic? Security only? Cosmetic/functionality fixes only? What would they do if they found a security vulnerability but a patch was not accepted upstream? I can't find any clear answers.
Debian proactively fixes security issues. For instance, they've fixed security bugs in Chromium and released 'em before the Chromium devs did! Now whether this is good or bad depends on your perspective. If you like the Arch philosophy of minimal interference with upstream, then you might see this as Debian tampering with code unnecessarily (after all, the Chromium devs did fix the issue themselves) and possibly creating new bugs by doing so. If you prize security above all else, then you'll probably appreciate this as Debian devs doing their job and even beating the Chromium guys in the process.
The AUR obviously can contain malfunctioning or insecure software, but it's not an essential part of Arch (still very useful, though!) Most of the popular packages in the AUR, or at least the ones I've used, seem to be reviewed and commented on frequently by members of the community. That's very good!
Arch doesn't compile their kernels with user namespace support (so, if you use firejail, "--noroot" won't work). I've read both good and bad about user namespace: some people feel it adds a bigger attack surface to the kernel and is not properly implemented, while others see it as a valuable feature. I'm personally of the opinion that it's a good feature that's matured enough for me to trust it, but that's my opinion as an end-user, not a developer.
https://bugs.archlinux.org/task/36969
https://www.spinics.net/lists/arch-gene ... 43068.html
This is
conjecture:
Just because Debian has over 1000 project members doesn't mean that all of them are currently active. But still, I think it's safe to suppose that there are at least a few hundred active. This puts Arch/Manjaro closer to the ballpark of Debian (38 devs + 50 TUs is in the same order of magnitude as 200 or so Debian devs).
Always updating to the latest version means that you
can get hit with every single bug that exists
discretely for that package. Now obviously, this depends on a few factors:
(a). The bug is found and exploited for that version while you are still using it. If you use foobar-0.9.0, update to foobar-0.9.1, and
then a vulnerability is discovered only in 0.9.0, it's no problem. But if the bug exists in 0.9.0 and later versions, then updating doesn't patch it (until upstream is aware and hopefully fixes it).
(b). The bug is discrete - i.e. it depends on and targets only that package. If an exploit for foobar requires you to also have flooblebar installed, and you don't, then it's not a concern even if it affects the version you're using. IMHO, with Arch's KISS philosophy, you're actually less likely to have flooblebar installed than if you were using Debian (though this is highly specific, of course).
And then, of course, it's worth remembering that even Debian Stable gets plenty of security bugs. I've recently subscribed to their mailing list and so far I've been getting about 4-5 emails per week about security updates (many of 'em aren't for packages I have installed, though).
https://www.debian.org/security/#DSAS
https://lists.debian.org/debian-security-announce/
These packages are still vulnerable on Arch according to the tracker:
https://security.archlinux.org/issues/vulnerable
(Keep in mind that "vulnerable" does not mean "easy to exploit". A lot of security bugs require physical access to the computer, and as we all know, physical access == game over.)
Personally, after reading and writing all this I'm feeling a bit better about my concerns (though I would like user namespaces enabled). I might hop over to Manjaro again for yet another trial run...
Hope this helps!
Fred
