this post was submitted on 25 Sep 2024
103 points (97.2% liked)
Linux
48436 readers
649 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I wouldn't suggest Manjaro. On a theoretical basis the distro is a good one but in practice, and with the current management of the distro, It's one of few I'd say is a bad choice. They're destructive to the general linux ecosystem, often make incredibly wild and unnecessary errors stemming from the highest level, do not properly maintain their promise of delaying packages until they're fixed, and give bad info which can harm a user. Their devs also help propagate the "toxic linux" stereotype by being just that.
I'm gonna list off a few but manjarno has some more, with context. This will be written by memory too.
Please, skip to the header that's most important to you.
Harming the ecosystem
The first thing you'll likely hear is that they've DDOS'd the AUR twice, the exact same way through their Pamac GUI. Now, to be clear, this was not on purpose. They made a mistake. However, like quite a few other issues, they made this mistake twice showing they did nothing to stop it from happening twice. Something else which will become clear is that they don't do these things due to malice (usually) but shear incompetence.
Next, their lead arm dev, the guy in charge of arm development, changed a version on a library on asahi linux (an arm fork) known to break X11 in a change which had nothing to do with that library. This shows he did not try running his code beforehand. The only reason it wasn't checked by the larger project is due to the trust given to this, supposedly, high end dev. This after the company made a large campaign claiming that "Manjaro runs on the m1 macbook!" months before asahi was ready shipping some random build, not the latest or a set release, which only showed a black screen. To be clear, this could have broken people who tried to run it's hardware. This is in no way a forced error.
Delayed package promise broke
This will be a short header, but it's important. The promise of Manjaro is that they delay their packages two weeks. This, to ensure that any issues which arise can be caught and Manjaro can skip the bad version. However, this is not always the case. Quite often there's an issue in a library or package where they wait the allotted time and still ship. These are CVE's mostly and quite often have a fix out which manjaro won't ship until the two weeks are up.
Delaying packages is another problem in and of itself too if you're using the aur. What is the aur? Well, if you don't know you shouldn't be using it for one. The next header will discuss this issue
The AUR
The aur, the Arch User Repository, is a collection of scripts which install an application in many different ways. To be clear, this script can do anything on your PC as it's just arbitrary code. This is user submitted, meaning essentially anyone can upload a script to the aur including a person names anus kiss. This is a danger in many cases as we've seen before. For a fun example, anuskuss uploaded an update to the most popular wii emulators aur package which included two calls to an IP tracking website and a list of people who can "go fuck themselves" including homophobic comments and, if I remember, incel rage. The aur will also be where any malaware on linux is most likely to come from and to be distributed there first.
Luckily though, if you know how to read these scripts, it's mostly fine. However, manjaro places the button to enable it right next to enabling snaps and flatpaks. Both of which are perfectly safe to install if not safer than average packages. You need to be able to read the AUR package scripts to be safe.
Secondly, the AUR packages assume ARCH Linux. This means, when you install an aur app, it's assuming dependancies which may be up to two weeks out of date. Either that, or it'll install packages up to two weeks early. Now, if the first happens the AUR package risks breaking. Which is mostly fine. The latter though means system packages can fail. This is not good.
Sure, many people never have a problem with it, but that's not an excuse. This should be much more clear.
Bad info
Please don't use sudo pacman -Syyu to install packages. This will put a heavy load on the arch repositories for no benefit. Please, don't randomly install aur packages. The AUR break your system? Yeah, according to them you fucked up and it's all your fault. I'll admit this is all I can remember here.
Random points
Ever find a site and when you try and go to it firefox says a secure connection cannot be established? That's an expired or non existant SSL cert. They've let their SSL certificates run out 5 times. This is something you can update in less than 5 minutes, and can set up to update automatically in less than 10. It should not happen twice let alone 5 times. The first time they gave users a command to run in a terminal which set their time back in order to trick the system into thinking the cert was good.
Imma stop at this point. Way too long man, and it's way too early for me. I should probably save this somewhere to copy paste when someone suggests the distro
The snap store has already been used to distribute malware, one guy lost a lot of money in crypto, and I'm sure it wasn't an isolated incident. I think it would be naive to think flathub isn't being targeted in the same way. Same advice as the aur, be cautious.
Sure, but that wasn't malicious code hacking your device just a simple phishing scheme. The aur runs arbitrary code each time which can do quite alot more on your system than any snap. That snap was just a fake app that sent your login to their server.
The aur is much more dangerous. Of course, when installing anything from anywhere be careful, but with the aur you need to be able to read the pkgbuild.
Thank you though for cautioning the snap store as you're right. Those apps aren't confirmed before they're placed on the store
It was still malicious code. A different attack for sure, but no less devastating for the victims.