Manjaro Linux: Ignoring Security For Stability

I feel like having a rant today… so nothing particularly unusual there. But after reading yet another post saying:

I used Arch for two years and it was perfectly fine until one day when I updated and it broke my system. Now I have been using Manjaro for a month and it is completely stable.

I have found what to rant about! Is it just me that notices the issue with that statement?

I have no issue ranting about Manjaro because every time I read their forums I see one of their Core Team being less than congenial regarding Arch – but I suppose they have to be given one of the main selling points of their distribution is they can fix the Arch Linux updating “mess”. Also, the defensiveness of their community to any criticism and the amount of self congratulations for being a Manjaro user astounds me – and I spend a lot of time in the Arch forums and IRC channel where the community are widely considered to be elitist pricks (with me being no exception, as this post will plainly show).

For those who do not know how Manjaro works, I will paraphrase this post. The Arch stable repos are synced into Manjaro Unstable on a roughly daily basis. They sit there for 1-2 weeks before being declared stable and moving to Manjaro Testing. Then their test squad declares that stable enough to move to Manjaro Stable, about 3-4 weeks after the packages arrive in Arch Linux.

And this is the issue. There are four weeks until Manjaro users get package updates. That is still a lot quicker than a non-rolling release distribution, I hear you say, but it ignores one of the fundamentals of a rolling release distribution: security fixes come with a new software release. On a fixed-point release distribution, security fixes are backported into your out-of-date software versions to maintain stability. On a rolling release distribution, you just release the newer version of the software, which comes with most security fixes (some backporting from the upstream VCS is required if a release has not been made).

That means Manjaro users are vulnerable to security bugs for around a month after Arch users are safe, unless of course the Manjaro Core Team monitors every package and pushes those with security fixes. How many packages are in a distribution? Arch Linux has >6000 in its binary repositories. I suppose it is not impossible to monitor that many packages, unless of course your Core Team consists of three people. And given those three people provide five variants of their installation ISO (net install, XFCE, KDE, Cinnamon, MATE – with OpenBox and E17 on the way…) and provide a series of kernel packages and systemd… things are looking bleak.

And so, Manjaro users are stuck with packages having security issues for a while. I’d assume the big ones get through quicker, although their firefox package has not been updated to version 18 yet, which fixes 21 security issues – 12 of which are marked critical. In fact, firefox version 18 has not even made their Unstable repo as I am writing this…
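The staging delay described above turns into a measurable exposure window per package: the days between a fixed version landing in Arch stable and the downstream stable repo first carrying a version at least that new. The Python below is an added example, not code from this post or from either project; it implements a simplified pacman-style vercmp and runs it over constructed weekly snapshots of a downstream repo. All package names, versions and dates are made-up sample data.

```python
from datetime import date
import re

def _segments(s: str) -> list:
    """Split a version into numeric and alphabetic runs, as pacman's rpmvercmp does."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def _cmp_segments(x: list, y: list) -> int:
    for a, b in zip(x, y):
        if a == b:
            continue
        if isinstance(a, int) != isinstance(b, int):  # a numeric run beats an alphabetic one
            return 1 if isinstance(a, int) else -1
        return 1 if a > b else -1
    if len(x) == len(y):
        return 0
    x_longer = len(x) > len(y)
    leftover = (x if x_longer else y)[min(len(x), len(y))]
    # a leftover number wins (1.0.1 > 1.0); a leftover alpha run loses (1.0 > 1.0a)
    return (1 if x_longer else -1) * (1 if isinstance(leftover, int) else -1)

def vercmp(a: str, b: str) -> int:
    """Simplified pacman vercmp over [epoch:]pkgver[-pkgrel]; returns -1, 0 or 1."""
    def parse(v: str):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        pkgver, _, pkgrel = rest.partition("-")
        return int(epoch), _segments(pkgver), _segments(pkgrel or "0")
    (ea, va, ra), (eb, vb, rb) = parse(a), parse(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _cmp_segments(va, vb) or _cmp_segments(ra, rb)

def exposure_days(pkg: str, fixed_version: str, arch_date: date, snapshots) -> "int | None":
    """Days from the fix landing in Arch stable until a downstream snapshot first
    ships pkg at a version >= fixed_version; None if no snapshot ever does."""
    for day, repo in sorted(snapshots, key=lambda s: s[0]):
        v = repo.get(pkg)
        if day >= arch_date and v is not None and vercmp(v, fixed_version) >= 0:
            return (day - arch_date).days
    return None

# Constructed weekly dumps of a downstream "stable" repo: (date, {name: version}).
SNAPSHOTS = [
    (date(2013, 1, 7),  {"firefox": "17.0.1-1", "glibc": "2.17-1"}),
    (date(2013, 1, 14), {"firefox": "17.0.1-1", "glibc": "2.17-1"}),
    (date(2013, 1, 21), {"firefox": "17.0.1-2", "glibc": "2.17-1"}),
    (date(2013, 1, 28), {"firefox": "18.0-1",   "glibc": "2.17-2"}),
]
# Constructed fix records: (package, first fixed version, day Arch stable shipped it).
FIXES = [("firefox", "18.0-1", date(2013, 1, 8)), ("glibc", "2.17-2", date(2013, 1, 15))]

def report(fixes=FIXES, snapshots=SNAPSHOTS) -> dict:
    """Map each package to its exposure window in days on the downstream repo."""
    return {pkg: exposure_days(pkg, ver, day, snapshots) for pkg, ver, day in fixes}
```

With real data, the snapshots would come from dated copies of the downstream repo database and the fix records from the upstream advisory that names the fixed version.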

Let’s say Manjaro had the manpower to monitor all updates in Arch Linux for security issues. Could they be brought to the Stable repositories more quickly? Maybe… But remember Arch Linux rebuilds against new versions of libraries with soname bumps all the time, and our toolchain gets updated very quickly after any upstream release. So any security update built against new libraries or with a new toolchain version requires those components to be moved too. And those are the types of updates that could introduce stability issues.

In the end, I think the idea behind Manjaro – rolling release at a more relaxed pace – can be achieved. I am not entirely familiar with these distributions, but I guess that is exactly what aptosid and LMDE achieve. And they start from Debian Unstable, which is reportedly far more of a minefield than Arch Linux.

38 thoughts on “Manjaro Linux: Ignoring Security For Stability”

  1. Allan, I’ve seen better trolls than you and they had Down’s. Keep trying.

  2. Hi Allan,

    Hmm. As far as I am aware, none of the three members of the core Manjaro Team have been anything but cordial about Arch. Maybe you also missed my own post where I described Arch as being “legendary”. Or the posts where our own community defended the Arch system after criticism from new users (blowing off steam due to feeling that they had been treated badly on its forum). Or the posts where we acknowledge fully that we would not even exist without the Arch system.

    I also don’t see any problem with a community that gels well and supports one another. We are a friendly bunch, and you are and will always be more than welcome to talk with us there.

  3. Look, it’s the evil Manjaro again! Manjaro people have no problem with Arch; they know well that they chose the best base for their distro. But it seems like at least one Arch guy has severe problems with Manjaro.

    It’s pretty simple: you have enough time, want the best system for you and are willing to reinstall when you break it? Use Arch, it’s great. You want your system to configure your hardware and you want everything more stable and therefore less bleeding edge? Use Manjaro, it’s great, too.

    • Yay for reactionary moving of packages… Do I really need to point out other security fixes you have not moved?

      • Thanks for the offer, Allan, but perhaps as an Arch dev you could perhaps better spend your time focusing on Arch…

        …well, in-between the time you are obviously taking to regularly scour our forums and to write articles about us, of course!

      • Hi Allan.

        I am new to Linux & after initially settling on Mint, I tried my hand at installing Arch on a 2nd laptop & failed. I then installed Manjaro & am loving it. I feel your piece about Manjaro “ignoring security for stability” misses the wider picture, which is that as a young, upcoming distro, it is fulfilling a need for users who want the benefits of an Arch based system, but in a manner that doesn’t require the same level of technical expertise.

        There’s nothing wrong with that. The wonderful array of alternative operating systems draws many away from Windows and will hopefully continue to do so. So what if the user you quoted at the start of your piece ditched Arch after 2 years and is now happy with Manjaro. No doubt there will be disaffected & disappointed users going the other way.

        That’s the beauty of choice.

        Long live Linux!

        Newbzki.

  4. Oh, the hilarity! “I love linux politics. So much passion for a 2% market!” :ROFL:
    So what serious/critical bug got to afflict Manjaro ‘stable’ users for a whole month? Same for ‘unstable’/’testing’?
    (Why does this remind me of Sid fan rants? )

  5. “Security fixes come with a new software release”
    Also security holes come. I think it is better to test every new software release for a while before marking it as stable, and ‘a while’ for me isn’t 2-3 hours like Arch does, but rather some days/weeks like Manjaro does 🙂
    However, the post seems like trolling to me. There are lots of discussions on the Arch forum about “Manjaro is not Arch” (yeah, like Ubuntu is not Linux) and similar stuff; this post isn’t too much different.
    Someone prefers Manjaro, another prefers Arch, to each his own.

    • It doesn’t work like that. Most security fixes come from the upstream developers. If you run the latest software you get their fixes for free. If you run old software it is up to you to discover whether you have the security holes and how to fix your package so it has all the needed patches.
      Debian, Ubuntu, Fedora etc. handle stuff like that. Does Manjaro do that?

  6. Each distribution is different and aims at a different public: Manjaro aims to be user-friendly while Arch aims to be fully controllable for power users. To meet the requirements of that new public, the Manjaro team had to change some core elements of Arch. They’re not ignoring security for stability; instead they shifted their focus a bit more to stability because not all of Manjaro’s users are experienced enough to handle a system break. However, Manjaro still offers an unstable repo to those who do have that knowledge, and it’s just Arch with a day’s delay. And I can hear you thinking “Why don’t you use Arch then?”. Well, not everybody has the time to install/configure everything manually.

  7. As a long-term solution Manjaro will probably need a security team that pushes updates of the most security-critical packages earlier from the Arch repos, or even rebuilds them if the underlying libs of Manjaro are outdated. Browsers and Flash come to mind, Flash as a binary package being less of a problem. For all of the >6000 packages it will be impossible, of course.
    Non-rolling release distributions are affected as well: my Mageia 2 installation with the latest security updates is still sitting on a 3.3.8 kernel without backported security patches, declared EOL on kernel.org sometime last summer…

  8. what’s all this about Arch having a “system break”??? the reason Arch is so cool, is that it /only/ does exactly what I tell it to do, and nothing more… like “system breaking”. sure, maybe Nvidia (the bastards) might -legacy- your hardware and a driver update might brick X, but that’s a 1-2 minute fix and back to business. I’ve even gone months without updating, then slammed it all down in one go without reading the news [systemd, lol], and only lost about 4 minutes of up time. if that is what you call a “broken system”, then maybe you guys should be moving more towards a Ubuntu like distro… where you can remember all the Windows fun of necessary system wipes, defragging NFS, and registry meltdown.

    • What is a two minutes fix for you might be a lot of work for others. You stay with Arch, but let those people look for something else if they want.

  9. Allan, did you try to get some good sex and relax a bit? You can even pay for it if you don’t have enough skills to get it for free

  10. ogm alan is a troll amirite guise manjaro is teh best lunix 11!!

    Very good points, Allan.

    I read some of their forum and was quite disturbed – the place is a total circlejerk. It’s as if all of the rejected idiots from the Arch community cluster around kludgey derivatives like Manjaro and ArchBang.

    (The fact that Manjaro tries to update config files with a shell script is hilarious, by the way)

    • Since when was this the official Arch Linux blog? Are you saying that because Allan is a developer he can’t share his own opinion? Isn’t that the point of a blog?

      It’s strange that you’d take this stance after complaining about Arch on your own blog.

  11. Well, I run ArchBang, and have been for a couple of years now. I have learned to check the Arch and ArchBang websites for issues before updating and yes, I have broken a system or two by not paying attention when updating my system. I love Arch and ArchBang; the bleeding edge software and kernels, it’s just great in my book.

    I do agree that Arch forums have some members with huge egos and they can be very rude at times. I personally don’t use the forums for asking questions, that’s just asking for trouble. I just go to Google to find the info I need.

    Have a great day!

  12. Hmm, really nice discussion about the Arch system; maybe “ignores one of the fundamentals of a rolling release distribution” really suits this case. I have tried both; for me ArchBang may be a great alternative beside Arch and Manjaro.

  13. My main discriminator between Linux distros is the package manager. I insist on good reverse dependency handling, particularly when removing packages. I often do temp installs of packages, and when I remove them, I want all deps installed just for the temp package removed. Second discriminator is rolling release, followed by stability.

    I used Arch for years, coming from Gentoo. I got tired of Arch after the multiple massive system breakages last year, and the poor (and forced) transition for systemd was the last straw.

    Currently, I am running OpenSUSE Tumbleweed (rolling) for my workstation, and Frugalware on my server and laptop. So far, I find Frugalware to be a good fork of Arch. Frugalware has its own repositories and the packages are not from Arch. Its pacman-g2 package manager is a fork of Arch pacman, and handles reverse dep removal well. If you check the Frugalware page, there are far fewer “system fixups” required over the last year compared to Arch. There is even a more stable Frugalware repo available, but I prefer current.

    Tumbleweed is OK, except that I had to enable a dozen more repos to get everything I wanted. Refreshing all of the repos does take a while – I like the single repo in Frugalware. Next time I reinstall my workstation I may go to Frugalware instead of Tumbleweed.

    http://www.frugalware.org

  14. Allan, why do you try to troll against Manjaro when Manjaro users respect Arch?
    And you say that Manjaro is not Arch because they rebuild 100 packages differently from Arch out of a universe of 32000, or is there another reason?
    And if those 31900 packages are the same as Arch, built in the same Arch and only copy-pasted to the Manjaro repos, doesn’t this make Arch just as unstable as Manjaro, and your point invalid (talking about those 31900)???

    • Did you read the point of the post at all? The point is the packages are copy-pasted with a months delay…

      • they are delayed because they test the package and do not pull an early version or a non-tested version
        or do you remember what happened with LibreOffice months ago??

        • You mean where libreoffice would not start due to needing a rebuild for an updated icu? Which all occurred in the [testing] repo?

          And as I said, have you actually read at what cost waiting to update comes? They do not have the team to even attempt to review the security implications of all [core] package updates, so important updates sit and wait. That is the wrong approach to stability…

          • No
            I talk about the day when LibreOffice made a release only for EARLY ADOPTERS (3.2, 3.3 or 3.4, I don’t remember exactly) and instead of putting it on [testing] (for early adopters) you (Arch Linux) put this directly on [extra]

            Another example was the ext corruption (a security problem that as far as I know affected real users). Instead of waiting for the problem to be addressed or watching whether a patch existed, you pushed the kernel with the problem on [core]

            • Right… You do realize a bleeding edge distro is for early adopters. And I remember that specifically being in [testing] until just before the “production” point release was made, at which point it was clear that only very minor issues were being fixed upstream.

              And your comment about the ext4 issue shows that you really have no idea what it was… and given it affected version 3.4, 3.5 and 3.6 – it was not moved to [core] – it was in [core] for about half a year. (As it was in Manjaro).

              Do your research before responding again…

  15. I am a long time Arch user, and it is a shame seeing a developer of my favorite distro trolling against others who think differently. The main strength of GNU/Linux and Open Source in general is CHOICE, never forget that. You should focus on what makes you happy and let others be happy in their own way.

    • The Manjaro developers aren’t “thinking differently”, they’re thinking in a dangerously incorrect manner.

      By the way, I doubt that someone with a compromised system caused by Manjaro’s poorly thought out release cycle could be described as “happy”.

  16. Funny how this post could be against any distro with late to update policies, but instead being about an arch clone by an arch user.

    A month? Nah. I’ll leave you to your logs.

  17. Just look at it this way: Either ARCH or Manjaro…It’s far more secure than windows. Even if someone needs to use Manjaro instead of ARCH they are still getting way better security. I’m a newbie to linux so I’m glad Manjaro is there…

    • Hi every poster,

      I read these comments from followers and criticizers of each distro. The “pros” and “cons” of each brand of distro are so strongly put but, in the end, the loser is the Linux OS! Microsoft then has many reasons to show how Linux is a less serious system than Windows, and they are right to say so!
      I’ve been using FreeBSD and Linux (starting with Yggdrasil in October 1992) for 2 decades now. I’ve been using the different variants of Linux including: RH—>Fedora, Debian—>Ubuntu, Suse—>OpenSuse and finally keeping on using Arch since 4 years now and keep going with it.
      In the struggling field of Linux distros, the end user might feel really lost. Why all of these “things” showing “Linux” but not compatible at all? Why is OS X, based on FreeBSD, not fighting against the latter as Manjaro, Chakra, ArchBang, Bridge… do with Arch?
      I came to try all of the mentioned distros. OK. They all seem good for beginners and advanced users as well. But why not work together to make a Linux OS work better against Windows 7 and 8?
      Arch is, by far, the best and better way for Linux to work for the masses but still hard to make it work out of the box. Manjaro has very good tools to make nvidia work fine, like their mhwd-nvidia. Why not join Arch and contribute to improve it rather than creating one more distro and fragmenting Arch one more time?
      I understand that some people leave the Arch community to build their own system but, why? There are many distros around and some dying after one, two or more/less years than that. Maybe Manjaro will survive longer or messer, but at the end, it’s Linux that fails in gaining respectability and trust. The guys from the Manjaro team are, no doubt, very good devs, so why do they leave such a promising system as Arch is, to build a new distro that’ll never reach the masses? What to say about Gentoo/Sabayon and so on?
      Trying to make my printer work on Manjaro… leads me to the Arch repos to install the drivers…
      It’s a joke. Isn’t it?

      Thanks for reading. I know. There couldn’t be any answer. So, come back here in… 5 years?
      Good luck to the Manjaro team and hope to see you back home.