Comparison of Security Issue Handling

More follow-up from the aforementioned Frostcast featuring Manjaro developer Philip Müller. Just past the 16 minute mark.

We learn and everyone makes mistakes. And the new server change every package is new synced from Arch Linux so there is no security issues. … We sync daily so if there is any problems with our system it’s ninety percent from Arch itself, so I don’t know why they bash us.

I am not going to claim Arch is the bastion of all things security – in fact I know Arch is far from perfect here – but Manjaro claiming that they are on par with Arch is wrong. Saying “we sync daily” is frankly deceptive. The daily syncs are to the Manjaro unstable branch, so packages can take a while to reach the stable branch where the vast majority of users get the package. As I have pointed out previously, Arch does not separate out security updates from plain upstream updates, so when Manjaro holds back updates on the unstable branch in the name of stability, they are also holding back security fixes. The updates need to be monitored for security fixes and then either 1) pushed more quickly to the users, or 2) have the fixes backported to the “stable” packages.

But, let's use an example, because facts are good. Recently there was a privilege escalation issue found in polkit. This was made public on 2013-09-18, and over the next couple of days there were a lot of distribution updates to fix this issue. So, I have not picked an obscure bug given the number of distros dealing with the issue, and it is a privilege escalation one (potentially with a proof-of-concept available, although I have not checked that out). Let's compare the Arch and Manjaro response to this issue by monitoring the location of the polkit-0.112 package:

Date        Arch     Manjaro
2013-09-18  Testing  -
2013-09-19  Stable   -
2013-09-20  Stable   Unstable
2013-09-21  Stable   Unstable
2013-09-22  Stable   Unstable
2013-09-23  Stable   Unstable
2013-09-24  Stable   Unstable
2013-09-25  Stable   Unstable
2013-09-26  Stable   Unstable
2013-09-27  Stable   Unstable
2013-09-28  Stable   Testing
2013-09-29  Stable   Testing
2013-09-30  Stable   Testing
2013-10-01  Stable   Stable
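To turn a table like the one above into numbers, here is an added example (not code from the original post or from either project) that parses the daily branch observations and computes, per distribution, the days between public disclosure and the fix reaching the stable branch, plus how long the package sat in each pre-stable branch. The timeline string is constructed from the table above; disclosure date and branch names are taken from the post.

```python
from datetime import date
from collections import Counter

# Constructed input: the table from the post, one daily observation of which
# branch polkit-0.112 sat in per distribution ("-" = not yet in any branch).
DISCLOSED = date(2013, 9, 18)
TIMELINE = """\
2013-09-18 Testing -
2013-09-19 Stable -
2013-09-20 Stable Unstable
2013-09-21 Stable Unstable
2013-09-22 Stable Unstable
2013-09-23 Stable Unstable
2013-09-24 Stable Unstable
2013-09-25 Stable Unstable
2013-09-26 Stable Unstable
2013-09-27 Stable Unstable
2013-09-28 Stable Testing
2013-09-29 Stable Testing
2013-09-30 Stable Testing
2013-10-01 Stable Stable
"""

def parse_timeline(text):
    """Return {distro: [(day, branch), ...]} from the whitespace-separated table."""
    rows = {"Arch": [], "Manjaro": []}
    for line in text.splitlines():
        day, arch, manjaro = line.split()
        d = date.fromisoformat(day)
        rows["Arch"].append((d, arch))
        rows["Manjaro"].append((d, manjaro))
    return rows

def first_seen(entries, branch):
    """First observation date of the package in `branch`, or None if never seen."""
    return next((d for d, b in entries if b == branch), None)

def exposure(entries, disclosed):
    """Days from public disclosure until the fix reached the stable branch.
    None means stable users were still unfixed at the last observation."""
    reached = first_seen(entries, "Stable")
    return None if reached is None else (reached - disclosed).days

def dwell(entries):
    """Daily observations spent in each non-stable branch before reaching Stable."""
    counts = Counter()
    for _, b in entries:
        if b == "Stable":
            break
        if b != "-":
            counts[b] += 1
    return dict(counts)

def report(text=TIMELINE, disclosed=DISCLOSED):
    """Per-distro exposure window (days) and time spent in pre-stable branches."""
    return {distro: {"days_to_stable": exposure(e, disclosed), "dwell": dwell(e)}
            for distro, e in parse_timeline(text).items()}
```

Because the table is sampled once a day, the dwell counts are day-granular; a package that was open-ended at the last observation reports `None` rather than a misleading zero.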

I will admit that this is actually better than I thought it would be… I thought packages stayed longer in Manjaro’s testing repositories to catch bugs. Then again, I noticed that there are packages that were pulled into Manjaro from Arch and put into their stable repos within ten minutes, including packages in the [core] repo, so I’ll assume that the testing that occurs in the Unstable and Testing branches is rather limited. (Evidence: the timestamp file in the pool/ directory, which was synced from Arch, versus the repo database timestamp in the stable/extra/x86_64/ directory.)

In summary, the indiscriminate holding back of all updates in the name of testing(?) is why I “bash” Manjaro security. With this system, Manjaro is always running behind Arch, so claiming the Manjaro security issues are “ninety percent from Arch itself” is full of… optimism. And before the “leave Manjaro alone” comments, I will stop posting about it when I have no need to correct such false statements.

41 thoughts on “Comparison of Security Issue Handling”

  1. If there is no known vulnerability, what is the basis of calling anything secure or insecure irrespective of when it receives an update?

  2. Hi Allan,

    I myself advertise Archlinux wherever I can in the university. Especially with the NSA events in mind, security is back in people's heads and the topic of many of our discussions. Whenever someone tells me Manjaro is the “easier” Arch, I point them to your blog that contains many summaries of their false claims and their ludicrous comparisons with the real thing.
    Thank you for taking the time to post these important clarifications! Cheers from HK ;)

  3. No one would argue that having security patches backported in Manjaro is not desirable. The project lacks the manpower at the moment, that's all.

    Otherwise the 2 week delay is important as a buffer against bugs & system borking changes from upstream Arch.

    You seem antagonistic to any derivative distro. Why so bitter? Surely it’s a compliment?

  4. Arch is an important distro. A great distro. But, it still has tremendous untapped potential. Manjaro fills a gap. You complement one another. As one grows, the other prospers. As an upstream distro, the Arch leadership has a responsibility to be as mature as the distro itself. Supporting, enabling and fostering growth of downstream distros grows your community in size but also in respect. Whether you want to admit it or not, Manjaro is good for Arch and represents a path to your future. A place where Arch is considered the preeminent upstream distro in the Linux community, feeding many successful downstream distros.

    Arch has a real opportunity to be more important than Debian or Fedora. But, it will only be able to take advantage of that opportunity if its leadership constructs an infrastructure and culture that positions itself as a mature upstream distro that establishes professional processes with its downstream partners and then treats them with civility and respect.

    You control your destiny. This is the underlying truth of the entire Linux community. The underlying truth of civil liberty. Where we can set aside pettiness and snideness and instead focus on forming strong, healthy relationships, as peers, we will all succeed together.

  5. “Manjaro is good for Arch and represents a path to your future.”

    I really can’t see how. What are the chances that a Manjaro user will become a contributor to Arch? Very low I’d say, considering the pretty much only reason to go with Manjaro over Arch is lack of skills (or lack of applying oneself) to use the Arch install scripts.

    “Arch has a real opportunity to be more important than Debian or Fedora.”

    The common mistake of thinking the Arch devs care about popularity or being “important” or similar. They don’t. Arch has a narrow focus and the devs like it that way.

    “The underlying truth of civil liberty. Where we can set aside pettiness and snideness and instead focus on forming strong, healthy relationships, as peers, we will all succeed together.”

    A bunch of buzzwords that are essentially completely meaningless. Buzzwords don’t change the fact that it took Manjaro almost two weeks to deliver a privilege escalation fix to users. And we’re not talking about some obscure package either, polkit is used by core components of a modern desktop, handling things from power management, to storage devices and more.

    • “‘The underlying truth of civil liberty. Where we can set aside pettiness and snideness and instead focus on forming strong, healthy relationships, as peers, we will all succeed together.’

      A bunch of buzzwords that are essentially completely meaningless.”

      Perhaps these were the founding principles of GNU/Linux?
      What it boils down to for me is sharing, and working towards a common goal.

      You may probably know RMS :p , but I have read that Linus also states that releasing the Linux kernel under GPL was probably the best thing he ever did…

  6. “What are the chances that a Manjaro user will become a contributor to Arch? Very low I’d say, considering the pretty much only reason to go with Manjaro over Arch is lack of skills (or lack of applying oneself) to use the Arch install scripts.”

    Where are your facts?

    People could also like Manjaro because it's easier to install, not because they don't have the skills.

    And yes, I think Arch is a bit difficult for me (a Linux newbie), but I try to contribute to Arch as I can.

    • Facts: Not one of the Manjaro users or Manjaro devs tries to be a TU;
      in contrast, other distros like Antergos have almost a TU in Arch.

      But about AUR users, I would not bet on any from either side; maybe on this point no one can assume anything, because no statistics are taken and one simply cannot ask all the AUR users about what distro they use.

  7. Gusar misses the point. I am guessing he is not a community leader. Arch is bigger than itself. If the Arch community wants to be “narrow,” which I don’t believe, then it is its missed opportunity.

    It is not about what Manjaro can do for Arch. It is not about the devs “being” important. It is about what Arch’s responsibility is to the open source movement. It is about the privileged position Arch finds itself in, through its own hard work, which now presents a path for it to mature into a major upstream distro.

    “Civil liberty” is not a buzzword. Those who think it is do not understand the importance of open source to our liberty.

    • Q, doesn’t matter what you believe. What matters is what the devs themselves have said multiple times over the years. “Opportunities” does not enter into it, in fact they wouldn’t mind if Arch had less users than it has today.

      And about “responsibilities”… the Arch devs have them to themselves and only themselves. They don’t make a distro for you. They make a distro for themselves.

      Before you “guess” what I supposedly am or am not, or what the “point” supposedly is, you should really know more about the things you speak of. You seem to believe Arch is/wants to be something it is not.

  8. I don’t believe the Arch community has an interest in being as provincial as you suggest. Perhaps, I’m wrong. If so, then it is understandable why Manjaro is finding so much success and experiencing such rapid growth. You reap what you sow.

  9. Allan, do you think it is good publicity for an ArchLinux developer to bash another distribution?
    There are two reasons why ArchLinux derivatives exist (note that I am allowed to say this because I have been an archlinux user since 2006 and am not a developer like yourself):
    1) Since Aaron took over from Judd, the overall tone heavily changed. Now most ArchLinux developers are extremely arrogant. The user base is now a group of idiots who think they are gods because they run a minimalist archlinux installation that hardly requires a Pentium II with no DE on an Intel Core i7 with 8GB RAM. They log onto freenode/#archlinux to flame newcomers and feel better about themselves. You are not a friendly group of people anymore. And with the addition of optdepends, you cannot claim to be a KISS distribution anymore.
    2) You released your platform under an open source license that allows others to base products on it. It just happened that people who are more friendly and more mature than ArchLinux developers and users are doing so and it is biting you in the backside.

    Have some sense of decency Allan and just delete this blog entry (or my reply if you wish).

    • I will not be deleting this post (or your comment). However, if the quote that I am responding to is retracted, then I will reconsider. Or is making false statements fine and correcting them not?

      Anyway, why I chose to respond to your comment is that I am interested in your opinion of optdepends and how they break KISS. I think they are overused and I am not a fan of some uses of them, but there are examples where they seem perfectly fine, e.g. adding git to an IDE's optdepends to use its optional VCS integration.

      Is there a way this could be improved? How about having a pacman.conf flag that causes these to be treated as dependencies and all be installed – we have done the ground work over the last couple of pacman releases to implement such a thing.

  10. It’s funny how some seem to think Arch users are overly elitist… sure, some are that, but far from everyone. I would say most are not. Anyone who has been in the Arch community for real knows that Archers are really cool most of the time. The Arch user base contains people with more experience of Linux than many other distros. Which shows, I think.

    I frequent the G+ communities most every day and can count on one hand when I have seen an Archer being elitist. Usually a script kiddie..

    Anyway… this blog post is good. It tells about a problem Manjaro has and one they should try to correct. I don’t see it as a hostile comment but more as positive critique. It also shows an important difference between the distros and is also good to highlight for others who might think about making a spin of Arch.

  11. It would be helpful if Arch had formal policies on working with downstream distros that helped avoid senior Arch devs feeling a need to take a downstream distro to task on a blog repeatedly. How is this good process and how does it build a healthy relationship between communities? It only ever reflects poorly on Arch leadership. I am wondering if this simply points to a gap in Arch policy and process (infrastructure) that could easily be resolved.

    I stand by my initial comment: Arch is a great distro that could deeply influence the entire Linux community in its second decade of life.

    • How about telling Slackware to work with downstream distros? When did Arch Linux become your bitch? Arch is downstream, what more do you want? Anyone answering these questions proves their stupidity! Feel free to reply… anyone…

  12. I, for one, don’t count it as “bashing” when one corrects mistakes made by others, especially when those mistakes are false claims that reflect poorly on oneself.

  13. Oh, dear.

    Allan, the only thing your little table above has proven to me is that you clearly need to find yourself a woman.

    • Seriously? You did not see any issue with the way your distribution handles such things? I really thought someone with an @manjaro email address would at least try countering the point in their reply. But I suppose that would require both me being wrong and some intelligence on your behalf.

      Anyway, I’ll run your idea past my wife and see what she says…

      • Allan,

        We’ve been all through this before. The usual routine on your part is to simply ignore any inconvenient points raised. I am not inclined to ride that merry-go-round again. That is my intelligent response.

        Interesting to learn you are married. I personally found it hard to juggle work, marriage, work on Manjaro, etc., so had to scale back the latter quite dramatically. Impressive that you can do it!

        • You didn’t raise any points at all, meanwhile his still stands unanswered…

          Pulling off a disgusting ad hominem is absolutely classy as well, bravo.

  14. Why are Arch contributors worried about what derivatives do?
    Does Debian worry about what Ubuntu or Mint does?
    Does Mint issue security updates as soon as Ubuntu or Debian releases an update? Not really.

    Allan, you need to worry about fixing things in Arch rather than spending your valuable time on things which obviously you can’t control in Manjaro. There are lots of things in Arch which need to be fixed when one compares it with Debian or Fedora.

    This blog post will eventually make manjaro better rather than Arch.

    • I’d be worried if my software was being distributed, becoming popular, and was under-maintained/utter shit as well.

  15. Interesting to know too is that MUCH of the software in Manjaro remains branded as Arch, like Xfce or KDE, and even the Arch-specific Chromium code applied at build time is present (exact same code) in Manjaro's Chromium, for example.
    Isn't that breaking any Arch trademark??

  16. Hey guys…. Pleeeeeaase…. Stop this endless and useless discussion and bashing. :-)

    To all contributors and developers of Arch AND Manjaro: please continue your great work on BOTH distros. They are both great and I’m using both on different systems and I just WANT to keep both for the future and hope that the day will come when both work together in a better and, most importantly, friendlier way.

    So this is the wish of some user, who is using both distros for about 10 hours a day. I guess there are some others thinking the same way …

    • Posting a 2-year-old thing talking about package signing (already implemented) is a bad use of arguments; please improve your arguments, or at least post 2013 links that aren’t copies of older posts, like the 2013 mailing list.

  17. I’m running archlinux on VirtualBox without a DE, after 5 years of using Arch as the main OS on my desktop. Thanks to the lack of documentation of KDE sound (posted on the forums by thousands of people) and the overheating of the graphics card (free drivers). You should be more concerned about the systemd monopoly rather than Manjaro. Also Manjaro is a nice distro, maybe I will install it as my main OS :).

    • Yes, blame Arch for upstream package bugs… you are smart as a whip, you are.

      • But I only see the bug in Arch, not in Fedora, not in openSUSE, not in Kubuntu… and forget the comment, I was mad that day, sorry for the lack of respect.

  18. Why do you always have to do this, Allan? Don’t you have better things to do than pick on Manjaro? Besides, you didn’t even get all your facts straight.

      • Phil assures me that Manjaro is at least as secure as, if not more secure than, Arch. I mean, after all, we can run catalyst and you guys can’t.

        • Seriously? I am unsure whether this is a troll or just complete stupidity…

          • @ Allan: LOL – no that most certainly is not Handy!

            @ All: I have come around to the fact that Allan is fully entitled to air his own opinions, and will respect the fact that he is an Arch Dev.

            In other words, I believe it is better to avoid unnecessary politics and antagonism within our wonderful open-source world ;-)

  19. What does Manjaro provide (IMHO)?

    – A cool installer (when the livecd boots, or when the installed system boots, which is not the case on a T500)
    – Some interesting scripts to manage video drivers and kernel versions (that I don’t use)
    – A graphical Pacman GUI (2 in fact… which is a lot for a distro lacking manpower…) that mainly addresses the Manjaro-specific “Update Pack” mechanism.

    Why do some people use Manjaro and not Arch? Because Arch still has (IMHO) 1 major lack: an installer…

    Well, I first used Slackware in 1993, and Debian from the beginning, and these distros provided an installer.
    I don’t think users of these 2 distros are more stupid/clever than Arch users.

    Don’t get me wrong, I love Arch, but installation is painful, although it is part of the Arch way. It puts off newcomers, clearly.
    Archboot still is FAR from being as usable as the Debian installer (text mode would be really enough, according to Arch audience), or even the previous installer.

    OK, Manjaro devs would rather contribute to Arch, instead of reinventing the wheel on their own.
    But maybe it is time to accept that Arch’s missing features may be the reason behind so many forks…

    It seems to me that the previous Arch installer, which seems to be the Manjaro text-mode installer now, could be contributed from Manjaro back to Arch, if they are interested in maintaining it.
    A simple installer, with a choice at the end to select a minimum desktop (vanilla), would be so great… Arch hackers could then change the DM if they want to!

    I hope Arch devs will accept this comment from a simple Arch user, as all users are not able to contribute…

    Thanks for reading

    • What about ArchBang (website currently down)/Antergos?
      If that is what you are seeking, I’m sure that would fit the bill pretty well ;-).

  20. Arch will do itself a huge favor by eating humble crow and incorporating the mhwd system as well as the Manjaro installer. It will make Arch very dynamic and fill the gap many would-be Arch users have been waiting for. I will agree with Allan though on the security issue. To prevent 0-days, a stitch in time saves nine, to quote a cliché. Allan’s stand on timely backporting of security patches is quintessential; all the other big distros including Ubuntu and Fedora implement it. Recently an Ubuntu dev chastised MINT for the same reason and it was spot on. Arch needs a separate security branch and devs concentrating solely on security patches, and they need to port those ASAP.

    • I meant Manjaro and not Arch that should have a separate security team in the above comment. Arch, by its very nature of incorporating the latest upstream, is secure enough and doesn't need any backporting like Ubuntu and others.