2010/7/4 Rickard Eriksson <rickard.eriksson@gigabit.nu>:
> Cut from the forum where my co-admin first put this up, however it got closed with the reason "trolling"...

You're *totally* trolling. There are many fallacies in your message. First of all, implying that what you're saying is unknown to the community. This is not true. Just read the bazillion mails in arch-general and pacman-dev about package signing. Heck, there's even a stub of an implementation, and this is recent activity. However, the main reason there's no package signing in Arch is that people simply don't care enough.

> This mirror will shut down in the upcoming days.

If it's yours, thank god it is shutting down, I wouldn't want to fetch my packages from someone like you. (Yes, this is trolling too.)

> Few funny facts:
>
> * We never got contacted by anyone before we got added in the official mirror list. We just posted this thread and all of a sudden it appeared. No verification of who we were and what our intentions were.

This is a problem and shouldn't have happened. When were you added to the mirror list? As far as I know, in the last few years relations with mirror managers have changed quite a bit.

> * ArchLinux is fundamentally unscalable in the package manager aspect.

Please justify this claim. Provide a good case, suggest a solution. Otherwise you are just trolling. And you aren't, right? =P

> * ArchLinux puts the trust in the hands of every mirror owner and their security. ftp.archlinux.se is the prime example of a machine vulnerable to all sorts of things. This affects YOUR security. This is why it's being put down. If the ArchLinux authors would start signing packages this would not be a risk to you.

Read above about package signing. And anyway, who are you? What's your business, what can you do other than whining and maintaining insecure servers (your claim)? If you think Arch is a bad distro, do something about it. And with "do something" I surely don't mean "drive away users from it". In fact this is the best way to ensure the distro will never get better and will never overcome its problems, which undoubtedly exist.

> * We posted a suggestion of this in 2006. http://bugs.archlinux.org/task/5331 -- This is 4 years of insecurity.

Even APT hasn't always supported package signing. According to Wikipedia, it appeared in version 0.6. Were you there telling users to switch distros back then? Since nobody is paid to develop Arch (unlike all the other distros you mention below) you can only expect what the devs can do in their free time and what the community is willing to contribute. Don't like it? Again, make it better or leave, whining doesn't help.

> * We recommend all of you to switch to a distribution caring about user security and at least signs their packages. Most RPM and APT based distros do this (Ubuntu, Debian, RedHat, CentOS, SuSE, OpenSuSE, etc etc etc).

Another implied fallacy: you say that security is *the most* important aspect of all. Ever considered that different users have different needs? Speed, simplicity, ease of use, software updates, structure, level of bureaucracy, community competency... These are many parameters people consider when choosing a distro, and surely there are many more. Security is just one of them, and sometimes isn't even important at all. By the way, the whole thing is just like me suggesting that you change your house for another with a better door lock, because any lockpicker worth his name can open yours in no time. Problem is, there's no lock that can be considered "secure", they all can be opened if there's a reason to. Just remember security is not a product, security is a process. You seem to forget it more than a few times in your message.

> Have fun. :-)

I surely did replying to you :)

Corrado Primier