Manjaro Linux: A Follow-Up

And… do you know how easy it was to convince a Manjaro developer to ignore their entire stability scheme and push a known broken package into their repos?

The firefox-18-1 package in Arch Linux was known to have an issue with language packs. So all non-English users would have their interface changed into English. The behaviour was the same for dictionaries.

Users were complaining about this issue on the Arch Linux mailing list and forums. But make a comment about it and the entire stability mantra of Manjaro Linux is ignored and the package is moved into the Manjaro stable repositories (that is about 8 hours after my posting).

So even known usability issues with packages, which are now fixed in the Arch Linux package firefox-18-2, do not get caught by Manjaro’s stability testing. I do not think I have any need to feel threatened.

Edit: It appears I misunderstood Phil’s comment in the last post exclaiming “Don’t know what the fuss is all about ?!?” with a link to packages moving between repos to mean he moved it to the stable repository. It turns out it only moved to their testing repository. So, users are still exposed to security issues, which is what the fuss was about. And it is only the move from “unstable” to “testing” that showed a lack of the claimed quality control. So apologies to Manjaro – I only showed you have packages with security issues and the stabilization stage controlled by your developers is worthless.

49 thoughts on “Manjaro Linux: A Follow-Up”

  1. Wow, thanks man, I didn’t know about this distribution, I am going to try it, do you know if they break the system too? Arch is breaking a lot, maybe because of the big changes for no reason recently, I thought I had found the best with Arch, but it is really in bad shape now, so I don’t know if this based distribution suffers the same problems. I don’t use firefox so this is not a problem for me.

  2. Don’t you think that you’re becoming a little obsessed? And is it really something to be proud of to convince somebody to push a broken package into their stable branch? Even if you obviously hate Manjaro I don’t think that this is a noble thing to do. And so is insulting Manjaro users in their forum.

    It makes me sad that even within the small community of Linux-users, and even among the even smaller community of users of Arch and its derivatives something like this can happen.

    There are no hard feelings from our side. Why can’t we get along better?

      • I did not say you had. But some Arch-fanboy has. All I’m saying is that I would prefer Manjaro-users and Arch-users get along nicely. And that means that everybody (that includes the Manjaro-users) should refrain from bashing the other or insulting him. That does not mean that YOU insulted someone.

        We’re actually really nice people.

        Let me show you why I prefer Manjaro over Arch. Please have a look at this thread: http://bbs.archbang.org/viewtopic.php?id=3612. It’s about a broken openbox-menu. For you, that’s no big deal. You probably knew about that error before it was even mentioned in that thread. For the average computer user (and that means: Windows user) that’s armageddon. He has no idea what to do, nor where the GUI is to solve that problem by clicking somewhere. Because that’s what he’s used to. The average Linux-user might know that there’s no GUI and that he has to use the console. But he might not know where the autostart is nor where to find menu.xml. Yes, he should know. But there are a lot of people out there that just don’t want to read through forums first before updating. And who don’t want to use the console afterwards. I know that I should and that I should not be installing from AUR without editing the file. I’m just not as good as you. I had to search in forums often when I updated my Arch-system. I just did not have the time nor the know-how to keep my system up-to-date (we’re talking about the time when Arch switched to systemd here). That’s why I switched to Manjaro. Not because I think that it is for every user out there the better system. Not because I disliked Arch (I still like it). But because it was easier for me. For you, Arch is easy enough. For me it’s not. But that’s just me and nothing to start a war for imho.

        • First, your link is to an ArchBang forum thread.

          Second, this “average computer user” you speak of should probably not be using Arch Linux in the first place. You describe the exact type of person that should not (and likely could not) use Arch Linux (I have no idea about Arch Bang, which you apparently see as synonymous with Arch Linux). It states very clearly in the FAQ that it is for competent intermediate to advanced Linux users.

          Third, you, without sufficient time and know how, are the prime candidate for the “find another distro” comment. Which you have, so way to go! Not to say you would be incapable of using Arch, but simply not having time to maintain it means you would be wise to look elsewhere.

          • That’s exactly what I said. Arch is for advanced users who have time on their hands. Why does this make Manjaro bad and evil?

  3. Hello? I really don’t get you sometimes. This broken package never reached our stable repos yet. Manjaro-Stable is still at Firefox 17. I just pushed it to Manjaro-Testing. Also I don’t know what you try to get out of this fuss?

    • So… Manjaro-Stable users are still using a Firefox with many security issues. And the Manjaro-Unstable is pointless as even the most obvious issues are not caught before packages move to Manjaro-Testing. Sounds ideal…

  4. Allan, this is great.
    Once again you have reminded me why I love Arch.

  5. Allan,

    Yes I did delete the thread on our forum. Lucky for me I realised the stupidity of getting involved in this nonsense. So I put a stop to it and apologised to our forum. Shame no-one can say the same about you.

    The bottom line is that all you got out of this was to make yourself look bad. Really bad. Well done on abusing your position of trust and respect to get a new team behind a small distro to push a “broken” package into their TESTING repos. Before gloating about and falsely claiming that it was pushed into their stable ones.

    PS – try looking at the plethora of your own broken packages and updates before casting stones at us from within your own glass house.

    • Yes – I misunderstood Phil’s comment in the last post when he queries what all the fuss was about and provided links to packages being moved between repos. I took that to mean he had fixed the issue, but it turns out the issue of packages with security flaws was still there. I have edited the post to correct this assumption.

  6. Waouh, when I did find your blog few weeks ago, I thought you were rude about a lot of Linux distros, but in fact, you’re way above that. Don’t you think your time and your skills would be more useful by helping others users/developers trying to create something instead of trying to trap them?

    Grow up. What you’re doing (whatever your opinions are) really doesn’t help humanity getting better.

    • Have you considered that your comment doesn’t “help humanity” either?

  7. I have said and I repeat, it is a troll … do not deserve the respect of GNU/Linux.

    • Allan McRae sure isn’t a troll. He just didn’t understand yet that Manjaro is not made for him but for beginners and intermediate users.

      • Just to be clear, I understand who Manjaro is targeting and that is my issue. It is beginner users that surf dangerous sites on the web and click on silly things with javascript enabled. So minimizing the amount of time they are exposed to web browser exploits is important. As I pointed out in my previous post, at any point in time such updates (like the current Arch firefox and chromium packages) may not even be compatible with the current Manjaro repos, so some big changes need made to fix this.

        • While I don’t agree with you insulting arch derivatives, I do agree with the viewpoint that lesser technologically proficient users, such as the ones manjaro caters to, are less likely to browse in a safe way and so are more prone to browser vulnerabilities.

          So I suggest to manjaro devs that they prioritize the release of some of the more vulnerable software such as firefox.

        • Right. You claim to be concerned for new users due to security vulnerabilities with Firefox… while at the same time gloating because you thought you got a broken version of it onto their systems.

          What a sad story.

          • The broken version at least had all the required security fixes. So I was making a point about the inability of the three core developers to assess the stability of over 6000 packages, while at the same time getting a package with many fixed security issues into the repositories. That seems the use of minimal maliciousness – and perhaps even negative amounts… – in order to make a point.

            The sad story is that the Manjaro developers still appear to not care about security issues in their packages. Now there are two major web browsers with security issues rated as critical not being updated.

            • Allan,

              The sad story here is your continuing obsession with the Manjaro devs and their system.

              First, perhaps you might want to re-read Arch’s own “We are not a democracy” statement. Here’s an interesting quote from it: ‘…anyone who doesn’t like the current direction the Arch Linux development team is taking the distro can start their own development team and run their version exactly the way they want to.’

              Second, you are not a Manjaro dev. I’ll say it again: you are not a Manjaro dev. So, as I suggested before, perhaps it would be more appropriate for you to focus on dealing with your own distro. Perhaps then you might be able to stem the tide of dissatisfied ex-Archers coming to us.

              Third, this howling about “security issues” is pretty sad on your part. You’re obsessing over an issue that not a single Manjaro user has reported a problem with. Only you are repeating yourself about this ad nauseam. Our stable repos are only a few weeks behind Arch’s. Our unstable repos are only a couple of days behind.

              And please drop this quite frankly insulting charade of benevolence. As you admitted right at the beginning of your previous article, you just wanted something to whine about. You are well educated, intelligent, have a good job, and are a developer for a fantastic distro. Try being a bit happier with your lot in life!

              • If not a single Manjaro user has noticed the security issues, then I see your user base has a lack of knowledge about their system. These are the people who need security updates – especially with web browsers – as they will click on things that more advanced computer users know not to.

                I really could not care less about users leaving Arch Linux or not coming to Arch Linux in the first place. But I do think that people should be informed that Manjaro Linux is not a good place for beginners (or anyone…) until this issue is sorted out.

                In the end, I would not pay any attention to what Manjaro is doing, but everything that is being done reflects on Arch. Many pieces of software carry Arch “branding”, in particular in terms of having our bug tracker URL embedded in it. Many packages have an “@archlinux.org” email address in the package information and are signed by Arch Linux PGP keys. There are several packages that Arch Linux has had to get explicit permission to distribute in package format, which Manjaro is now distributing against their license. When Manjaro builds their own packages to remove any implied Arch ownership (even semi automatically following Arch SVN commits), then I will stop commenting on it.

        • I am a Manjaro user. And I just checked - javascript is turned off. I don’t feel like a noob either. Your call.

            • No, you can turn it off. I can show you if you want to. It’s actually rather simple. And I’m always glad to be of help. If you turn it off for a noob though, he can’t watch videos on youtube as he’s used to, he will therefore continue to use Windows.

              The question is: Would you prefer someone to make his first steps with Manjaro or do you prefer him to continue to use Windows?

              • So what is your argument? As you said, beginner users will not turn it off. And I said beginners are the ones we should provide security fixes to as quickly as possible. In combination, that is a big issue for beginner users with Manjaro. Until this is fixed, there are several other Linux distributions that I will recommend beginners.

                • There are 9 distros which ship FF 18.0. Not Debian. Not the *buntus. In fact Arch is (apart from Crux) the only distro that has FF 18.0 in its “normal” repos.

                  Brace! Brace! The end of the world is coming! Hundreds of insecure Linux distros are used! We’re all going to die soon!

                  Seriously.
                  a) Not every Manjaro user is unable to turn off javascript
                  b) Those that aren’t probably won’t update their system anyway
                  c) Yes, every distro should try to be as secure as possible. No, the newest package does not always mean more security. And in most cases the newest package means less stability. Arch is doing a tremendous job in being on the bleeding edge and still remaining rather stable. There is simply no other distro that has these new packages. Not Suse, not Fedora, not Debian. They all choose more stability and therefore traded that they are not as current as Arch. This is not Manjaro specific. Bashing Manjaro for the missing FF18 is therefore ridiculous.

                  Which leads to my final question in this thread (sorry, I just don’t have the time):

                  What is all this fuss about?

                  • And there are many distributions that backported the security fixes to their version of firefox… That is how distributions that do not provide up to date software work. Is Manjaro doing that? Or are they doing nothing?

                  • tl;dr: Manjaro is not a good distro for beginners, since it has no security fixes.

                    You are not providing an argument, it doesn’t matter if the user does his part, takes extra protection measures or if there exist other distributions that don’t care about security (by the way, I’m implying that’s the case of Debian, Fedora, openSUSE… Debian, for example, uses a modified version so it’s not simple to say “they must patch” or not).

                    The bottom line is: security fixes (fixes for things that were identified as flaws — your “newest package does not always mean more security” is just a sad attempt of denying the reality) should be delivered asap to the users, and this is possible in 2 forms:

                    1) Providing the newest packages (or a patched version, if the upstream did not release a new version).
                    2) Patching the stable version.

                    Arch Linux opted for the first option, Ubuntu does a little of both (firefox 18 in the stable up. repo, but for other software they backport the fixes) and Debian follows the second way of doing.

                    Is it that hard to recognize that the Manjaro team should do something about it?

              • Well, I use links 2.7 and am pretty surely exempt from most security concerns… How about making that the default for Manjaro?

                Also, what exactly is your problem with Win? Just don’t give the usual fairytale about viruses and malware…

  8. Allan, please stop. You seem a baby and nothing more with this kind of posts.
    Your work is to make arch better, not spending time watching what is doing manjaro and report everything you don’t like.
    It’s sad to say, but I don’t think arch users would be proud of a developer who behaves like you in this moment :(

    • Surely derivative distributions are made in an attempt to improve on Arch so monitoring them is a potential way to do my “work” of making Arch better. And writing about the issues found is a way to inform the other Arch developers so they have less monitoring to do.

      • Those spin-offs are a way to bring people to Arch who otherwise would not install it. Think about it. Look at the *buntus and their users. Then look at Arch. There is a huge gap between those two distros. Is it better to fill that gap by an Arch based distro or would you prefer that all newcomers to Linux stay with the *buntus forever?

        • Honestly, stay with the beginner oriented distributions. You assume that Arch Linux cares about a large user base. It is a distribution made by developers for the developers, and we mere users are simply lucky that it is an open source project and that we may use it.

          If users want to advance their skills and actually improve, fine. But luring over people who could give two shits about computing better, and then letting them loose in the forums to ask a million of the same questions is ludicrous. You are dooming them to a severe berating at best.

          Also, comparing Arch Linux to Ubuntu, you know you are comparing a corporate sponsored/run distribution to a fully volunteer effort? Mind you, Ubuntu is a distribution that contributes just over nothing to the upstream of the software they use, while Arch functions as one of the primary test beds for new stable software.

          • You’re so leet, I admire you. I’m just wondering whether you started as a genius or if you had to learn something first. Did you ask someone? Did that someone help you?

            Arch doesn’t care about its users? I don’t think so. I believe a lot of Arch users actually care about other Linux users and are willing to help them if they need help. That’s why Arch has the best wiki around. Because they still remember when they needed help. And they know that even Arch-devs don’t fall from the sky. It would be really sad if there never were any new Arch users since that would be the end for Arch itself.

  9. Allan, your posts are as always informative and enlightening.
    The points made about Manjaro are valid and important.
    Keep up the good work.

  10. Allan,

    Well, your response seems to contradict your own team’s “We are not a democracy” statement, and in particular the quote that I provided from it. Plus, I don’t see you having any similar issues with the other 10 derivatives.

    We’ve essentially just added another couple of layers to the repo structure (your stable = our unstable), which also allows us to do our own fixes. This includes properly fixing the i686 toolchain / glibc issue.

    Anyway, I have no desire to go around in circles here. Shame things have turned out the way they have with you, but it’s a free world and it’s your choice. Door’s open with us if you decide that less antagonistic relations would be preferable in future.

  11. Making a fork means taking the source and modifying it not to refer to the project it came from. So that would result in all references to Arch Linux – either through the packager information or embedded URLs – being removed from your distribution. You are not doing that. There is no contradiction there.

    Also, I am very interested in how the i686 toolchain was “fixed”. I assume your devs reverted the commit identified in our bug tracker. From my analysis, that commit effectively only adds a check for a NULL pointer to avoid memory corruption… So they removed a safety commit to work around a bug in another piece of software. Also, it is in the __libc_malloc code – very unlikely an actual error in malloc only affects one piece of software. Well done to the Manjaro devs on understanding the issue and “fixing” it! The better workaround would be just to use the vesa driver in VirtualBox i686 until it is sorted – you could even remove the virtualbox driver from the virtualbox-guest-additions package.

      • And… it was fixed by reverting the patch of the issue commit I identified. I assume you can read the email on the manjaro-dev list to see what was asked…

  12. Thanks for the half hour entertainment with childish Linux-politics.

    Imho, Allan is right. Manjaro-devs should take or leave the advice, discussion makes you look weak.

  13. If Archlinux someday slacks, and begins to adopt the practices (that Allan laid out in the two posts) similar to its derivatives…. That is the day I am gone. So, thanks Allan.

    I personally don’t have a need to compare Arch to the other distros measure for measure. This analysis *should* hold sway with the user who is looking around at comparable others. Summary: They do not compare in any way that matters to me.

  14. (…I smell a tech spirit similar to that of religious fundamentalism, at times in this thread…)

    I have only been using Linux for 2 months & am happily running Manjaro with Cinnamon desktop on my ThinkPad. I run my business using Firefox and have had no problems – not a single one. In Manjaro I have found a fast, light and so far stable system, that is based on the highly respected Arch stream.

    Personally I find your post about Firefox security issues overblown. I run my business in Firefox – with JavaScript enabled – to access & use several cloud-based tools. Arch is a fantastic distro for more advanced users, but equally, I would highly recommend Manjaro to newbies like myself who want a light & fast system, or people who just want to get things done & not have to get “under the hood” in ways that you might have to with Arch.

    Manjaro has its roots in Arch & I find the vast majority of Manjaro forum users, mature & intelligent enough to understand that historical fact & give Arch its due.

    Long live Arch! Long live its rapidly growing off-spring, Manjaro!

    22hz.