ruario Senior Member

Registered: Jan 2011 Location: Oslo, Norway Distribution: Slackware Posts: 2,520



Quote: Originally Posted by narz: Wow so many Arch votes. Arch has a close design to Slackware, but there's two glaring reasons I wouldn't use it. 1) Their rolling release model is terrible for anyone who wants a reliable desktop. Have fun being an involuntary Linux beta tester and things randomly not working between day to day updates.



I have run it as my main desktop OS on my work machine since late 2009. Things don't randomly stop working in the way you imply. It has been very stable for me with only a couple of minor issues. In fact it has been a lot better than many distros I have tried. And on the upside you always have very fresh software, with only a short wait. I have had friends and colleagues talk about new software they are looking forward to that I am already running.

Also you should not assume they just dump stuff from upstream straight in the main repositories. It goes in when it is ready. There is a stabilising process, it is just accelerated compared to most distros. This is why Gnome 3 (despite being released by upstream) is not in the main repositories yet. Instead it is in the testing repository, which is even more bleeding edge. Perhaps things in testing break more often, though I wouldn't really know as I have never used it.

Quote: Originally Posted by narz: 2) They don't even sign their packages. Next week's news: Arch mirror gets owned, thousands of users compromised.

I am not going to try and say the lack of signing is ideal, because it clearly isn't, but it is not nearly as bad as some of the scaremongering makes out. You can greatly lessen the possibility of such a scenario by picking your mirrors carefully. Ideally ones run by large, well-known companies or universities, and then trust that they do an adequate job looking after the securing and maintenance of their server. And that is the key issue, at some point you have to trust someone. Even with signing you still have to trust that the people who put together the distribution are both honest themselves and do a good job of actively and properly code auditing every package change and improvement. Otherwise, someone inside the distro team or a rogue maintainer working on an upstream package can still bite you.

And don't assume this is an easy task, even OpenBSD had a slight scare of late with some wondering if they might have a backdoor. It now seems after further auditing that there was no such issue, but the fact that people got spooked and wondered about it says something. That being, that auditing is really hard to do well and it is believable that even the mighty OpenBSD team with their proven track record could have missed something.

You should also consider that just because packages are signed it doesn't mean that everyone checks the signatures. If you simply download the slackware-current tree from your favourite mirror and then follow the instructions in UPGRADE.TXT verbatim (as I believe many people do) you won't be any more secure because you didn't actively check the signatures.

But in summary, you do have a point. The lack of signing is a downside to Arch and an issue to consider. On the other hand I don't think people should dismiss the distro out of hand just because of one issue. No distro is perfect.