[arch-general] Is Voting Effective?
The main mechanism for moving packages from the AUR into the official repositories seems to be the "Vote for this package" mechanism. Ideally, all packages would just be in the official repositories, and there'd be no AUR. Obviously we don't have the resources for that, so there needs to be some mechanism for prioritizing packages.

Because you have to register an account to vote (and I didn't even *know* about it until today), the voting mechanism is not effective at filtering out the important packages from the sea of mostly-irrelevant obscure packages, and it's certainly not a good indicator for package quality. This means important packages are getting left behind in the AUR even when all other Linux distributions include them in their official repositories.

Ultimately, relying on a vote-based popularity measurement too much is hurting -- or is going to hurt -- Arch Linux.

Take for example tahoe-lafs and tripwire, with 32 and 13 votes respectively.

https://aur.archlinux.org/packages/tahoe-lafs/
https://aur.archlinux.org/packages/tripwire/

These are extremely important tools. And, while they may not be popular as measured by the voting system, they are widely used, and both are included in Debian's official repositories.

Instead of being able to quickly and easily install signed binaries with `pacman -S`, a security-conscious user wanting one of these tools has to manually inspect the PKGBUILDs for the packages themselves and many of their dependencies to make sure that they're not malicious. And after they do all that, they still have to trust insecure connections and MD5 checksums.

There needs to be an official channel for hearing reasoned arguments on why a package should or should not be included in the real repositories, and the unscientific vote count should come second.

Is there such a thing?

Thanks for reading,

-- Taylor Hornby
On Fri, Apr 11, 2014 at 2:40 PM, Taylor Hornby <havoc@defuse.ca> wrote:
both are included in Debian's official repositories.
Debian has more packages than any other distro that I am aware of. Last I heard, it was around 30,000. That is one thing they do very well. That's very much the polar opposite of arch's mission, interest, or ability.

https://wiki.archlinux.org/index.php/The_Arch_Way

-- Pete
On 04/11/2014 03:48 PM, Peter Baldridge wrote:
On Fri, Apr 11, 2014 at 2:40 PM, Taylor Hornby <havoc@defuse.ca> wrote:
both are included in Debian's official repositories.
Debian has more packages than any other distro that I am aware of. Last I heard, it was around 30,000. That is one thing they do very well. That's very much the polar opposite of arch's mission, interest, or ability.
While I don't see an obvious conflict with The Arch Way, I am definitely not proposing we should "put everything in the official repos" or even "have as many packages as Debian." That would be a big waste of time. I'm only saying that the vote system is probably making us leave some important packages behind, and it would be a lot better to have an official channel for bringing forward arguments like, "Package X is really important. It should go in community because reasons A, B, and C."

-- Taylor Hornby
On 04/11/2014 05:40 PM, Taylor Hornby wrote:
The main mechanism for moving packages from the AUR into the official repositories seems to be the "Vote for this package" mechanism. Ideally, all packages would just be in the official repositories, and there'd be no AUR. Obviously we don't have the resources for that, so there needs to be some mechanism for prioritizing packages.
Because you have to register an account to vote (and I didn't even *know* about it until today), the voting mechanism is not effective at filtering out the important packages from the sea of mostly-irrelevant obscure packages, and it's certainly not a good indicator for package quality. This means important packages are getting left behind in the AUR even when all other Linux distributions include them in their official repositories.
Ultimately, relying on a vote-based popularity measurement too much is hurting -- or is going to hurt -- Arch Linux.
Take for example tahoe-lafs and tripwire, with 32 and 13 votes respectively.
https://aur.archlinux.org/packages/tahoe-lafs/
https://aur.archlinux.org/packages/tripwire/
These are extremely important tools. And, while they may not be popular as measured by the voting system, they are widely used, and both are included in Debian's official repositories.
Instead of being able to quickly and easily install signed binaries with `pacman -S`, a security-conscious user wanting one of these tools has to manually inspect the PKGBUILDs for the packages themselves and many of their dependencies to make sure that they're not malicious. And after they do all that, they still have to trust insecure connections and MD5 checksums.
There needs to be an official channel for hearing reasoned arguments on why a package should or should not be included in the real repositories, and the unscientific vote count should come second.
Is there such a thing?
Thanks for reading,
Salutations,

Packages don't reach the official repositories until they have enough sponsorship (by voting or devs pushing packages) and have been properly vetted. In addition, a security-conscious user should be inspecting PKGBUILDs (via the ABS) instead of just taking packages as is. Compiling the packages via the ABS is a further step.

Regards,
Mark
Packages are included in the repositories if and only if a developer or trusted user is interested in maintaining the package. In my opinion, it's best for packages to be maintained by people who actually use and care about them even if it means that they're in the AUR instead of the official repositories. These AUR maintainers have the opportunity to apply as a trusted user in the future.
On 04/11/2014 03:57 PM, Daniel Micay wrote:
Packages are included in the repositories if and only if a developer or trusted user is interested in maintaining the package. In my opinion, it's best for packages to be maintained by people who actually use and care about them even if it means that they're in the AUR instead of the official repositories. These AUR maintainers have the opportunity to apply as a trusted user in the future.
That's a good point, and I agree.

My problem with the AUR is just its lack of security. Even an automatic "build and sign as many AUR packages as possible" kind of repository would be beneficial, since it would at least ensure that every Arch Linux user is getting the same copy of the package, which would make it a lot harder for an attack to go unnoticed.

So, I'm really not annoyed that important packages are in the AUR just for the sake of their being in the AUR. I'm annoyed that their being in the AUR makes it extremely difficult to access them securely.

-- Taylor Hornby
So you're saying... blindly trusting someone else that is unknown to build and blindly sign a package is more secure than you downloading the pkgbuild with cower or something, looking at the PKGBUILD, and then using makepkg...

How is that?

Second, where do you propose the computing time and the storage space come from to support this kind of repository?

Daniel
Date: Fri, 11 Apr 2014 16:06:40 -0600
From: havoc@defuse.ca
To: arch-general@archlinux.org
Subject: Re: [arch-general] Is Voting Effective?
On 04/11/2014 03:57 PM, Daniel Micay wrote:
Packages are included in the repositories if and only if a developer or trusted user is interested in maintaining the package. In my opinion, it's best for packages to be maintained by people who actually use and care about them even if it means that they're in the AUR instead of the official repositories. These AUR maintainers have the opportunity to apply as a trusted user in the future.
That's a good point, and I agree.
My problem with the AUR is just its lack of security. Even an automatic "build and sign as many AUR packages as possible" kind of repository would be beneficial, since it would at least ensure that every Arch Linux user is getting the same copy of the package, which would make it a lot harder for an attack to go unnoticed.
So, I'm really not annoyed that important packages are in the AUR just for the sake of their being in the AUR. I'm annoyed that their being in the AUR makes it extremely difficult to access them securely.
-- Taylor Hornby
On 04/11/2014 04:27 PM, Daniel Wallace wrote:
So you're saying... blindly trusting someone else that is unknown to build and blindly sign a package is more secure than you downloading the pkgbuild with cower or something, looking at the PKGBUILD, and then using makepkg...
How is that?
No, that person has to be trusted not to actively sign malicious binaries of their own creation and to keep their private key secret.

I'm saying: A single trusted person blindly building and signing packages is more secure than everyone blindly building and signing packages.

It's a single opportunity for attack on everyone versus an opportunity for an attack each time a user installs a package from the AUR. The former is more detectable after-the-fact (thus much less likely to be done by an intelligence agency like the NSA) and can be done in a safer environment (cable internet connection in the USA vs. a WiFi hotspot in Syria).

The process could also involve grabbing the files (or hashes) through different Tor exit nodes and comparing them to make sure they're all the same, and there's no attacker messing with the local Internet connection.
Second, where do you propose the computing time and the storage space come from to support this kind of repository?
Would it really be that much? How do other distributions manage it?

-Taylor

-- Taylor Hornby
On 04/11/2014 07:45 PM, Taylor Hornby wrote:
On 04/11/2014 04:27 PM, Daniel Wallace wrote:
So you're saying... blindly trusting someone else that is unknown to build and blindly sign a package is more secure than you downloading the pkgbuild with cower or something, looking at the PKGBUILD, and then using makepkg...
How is that?
No, that person has to be trusted not to actively sign malicious binaries of their own creation and to keep their private key secret.
I'm saying: A single trusted person blindly building and signing packages is more secure than everyone blindly building and signing packages.
It's a single opportunity for attack on everyone versus an opportunity for an attack each time a user installs a package from the AUR. The former is more detectable after-the-fact (thus much less likely to be done by an intelligence agency like the NSA) and can be done in a safer environment (cable internet connection in the USA vs. a WiFi hotspot in Syria).
The process could also involve grabbing the files (or hashes) through different Tor exit nodes and comparing them to make sure they're all the same, and there's no attacker messing with the local Internet connection.
Second, where do you propose the computing time and the storage space come from to support this kind of repository?
Would it really be that much? How do other distributions manage it?
-Taylor
Salutations,

The point of Arch is that security is mainly a user concern. Arch doesn't target users who would just blindly install packages from the AUR without reading the PKGBUILD first, or reading the source code as another step. If one doesn't know how to compile and/or modify the code they are using, they really shouldn't be using the code. While other distributions do this, I strongly disagree with it. Arch users should read the wiki on how to compile with makepkg before attempting to install packages from the AUR. By the way, installing a package can be as simple as "$ makepkg -s -r -i" or more complicated if further dependencies must be compiled.

Security through a messiah is as useful as security through obscurity.

Regards,
Mark
Hi guys,

I really enjoy our status quo with AUR. This is the first user-repo in the Linux world that is easy to talk to. Just compare with Ubuntu's PPAs, which you first need to find and trust. I really prefer to run yaourt -Ss package-i-am-looking-for, and not to Google for "arch linux package-i-am-looking-for", then call repo-add, etc. Staying in the console is a very big plus for me.

I am also satisfied with how AUR users keep it clean. Delete requests (including binaries directly in the PKGBUILD!), merge requests, disown requests... While there could be more automation involved, I do believe AUR is the best user-repo I have ever used.

Lastly, I am OK with building the packages myself. After all, I see the PKGBUILD, which is just simple code. Or even alternatively I see where the binaries are downloaded from. If they are downloaded from the upstream I am totally OK with that. Binaries built by AUR wouldn't be nice.
The process could also involve grabbing the files (or hashes) through different Tor exit nodes and comparing them to make sure they're all the same, and there's no attacker messing with the local Internet connection.
This is the *only* improvement I could see for AUR. Not only trust sha256sums provided by the maintainer, but also have a guarantee that these sha256sums are validated by AUR. If they don't match, the package is not available for download. Anything else, like binaries built by AUR itself, trusting the users, finding their private repos etc., I do oppose.

Regarding the subject (Is Voting Effective?). Theoretically, packages are picked from AUR to [community] according to the number of votes. However, I have never seen anything like that. Any time a new Trusted User candidate asks to join the team, they list packages that they want to move from AUR to [community]. It's totally arbitrary. If there's no one interested in maintaining the package, it remains in AUR. Fine by me.

-- Kind regards,
Damian Nowak
StratusHost
www.AtlasHost.eu
On Saturday, April 12, 2014 02:28:55 Nowaker wrote:
Regarding the subject (Is Voting Effective?). Theoretically, packages are picked from AUR to [community] according to the number of votes. However, I have never seen anything like that. Any time a new Trusted User candidate asks to join the team, they list packages that they want to move from AUR to [community]. It's totally arbitrary. If there's no one interested in maintaining the package, it remains in AUR. Fine by me.
Actually I think the voting system works as an indicator of eligibility, but not at all of priority. For example, community/aurphan is a helper tool in the official repos. The "-e" option will give a list of installed AUR packages that have at least 10 votes. An Arch Linux Developer or Trusted User can occasionally query the AUR (or use some tool like aurphan) looking for those he/she wants to move. Take myself as an example: I have used aurphan to find dozens of python packages to move to [community].

Regards,
Felix Yan
On Apr 11, 2014 4:45 PM, "Taylor Hornby" <havoc@defuse.ca> wrote:

I'm saying: A single trusted person blindly building and signing packages is more secure than everyone blindly building and signing packages.

As others have said: users should not be blindly building and installing packages. Friendly reminder that install scriptlets run as root with no restrictions.

Would it really be that much? How do other distributions manage it?

Yes, it would be that much. Other distributions manage it by either having much, much larger communities than us (e.g. Debian), and thus much more potential donators, or by having corporate backing (e.g. Ubuntu, Fedora).
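The thread names several things a user is left to check by hand when a package only exists in the AUR: whether the sources are fetched over an insecure connection, whether the integrity data is only an MD5 checksum (Taylor's original message), whether a source is skipped from verification, and whether an install scriptlet will run as root (Alex Jordan's reminder above). The script below is an added example, not code from the thread, from makepkg, or from any Arch tool: it is a pre-flight audit that parses the `source=` and `*sums=` arrays of a PKGBUILD, recomputes the digests over the downloaded files, and reports those weaknesses. The PKGBUILD fragment, the package name `example-tool`, its URLs and the file contents are all constructed for the example. makepkg already verifies checksums on its own; what this adds is the transport, algorithm, SKIP and scriptlet findings that makepkg does not flag.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed PKGBUILD fragment for this example; "example-tool", its URLs and
# the checksums are assumptions made here, not a real AUR package.
EXAMPLE_PKGBUILD = r'''
pkgname=example-tool
pkgver=1.0
pkgrel=1
install=example-tool.install
source=("http://downloads.example.org/example-tool-1.0.tar.gz"
        "example-tool.service"
        "upstream.sig::ftp://mirror.example.org/example-tool-1.0.tar.gz.sig")
md5sums=('5eb63bbbe01eeed093cb22bb8f5acdc3'
         '0cc175b9c0f1b6a831c399e269772661'
         'SKIP')
'''

# Constructed local files as they would sit in the build directory: the tarball
# matches its declared md5 ("hello world"), the service file does not (declared
# digest is md5("a"), file contains "b"), the signature is marked SKIP.
EXAMPLE_FILES = {
    "example-tool-1.0.tar.gz": b"hello world",
    "example-tool.service": b"b",
    "upstream.sig": b"not checked",
}

# A constructed clean counterpart: https transport, sha256 over the same tarball.
CLEAN_PKGBUILD = r'''
source=("https://downloads.example.org/example-tool-1.0.tar.gz")
sha256sums=('b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9')
'''

SECURE_SCHEMES = {"https", "git+https", "ssh", "git+ssh"}
WEAK_ALGOS = {"md5", "sha1"}
HASHLIB_NAMES = {"b2": "blake2b"}   # PKGBUILD array prefix -> hashlib name


def parse_arrays(pkgbuild: str) -> dict:
    """Return bash array assignments (source=, md5sums=, ...) as Python lists."""
    arrays = {}
    for name, body in re.findall(r"^(\w+)=\((.*?)\)", pkgbuild, re.S | re.M):
        arrays[name] = [tok.strip("\"'") for tok in body.split()]
    return arrays


def parse_scalar(pkgbuild: str, name: str):
    """Return a plain scalar assignment such as install=foo.install, or None."""
    m = re.search(rf"^{name}=([^\s(]+)", pkgbuild, re.M)
    return m.group(1).strip("\"'") if m else None


def source_filename(entry: str):
    """makepkg stores a remote source under the URL basename, or under the
    explicit name when the entry uses the 'name::url' form. Local files
    (no scheme) are shipped beside the PKGBUILD and are returned with url=None."""
    if "::" in entry:
        name, url = entry.split("::", 1)
        return name, url
    if urlparse(entry).scheme:
        return entry.rsplit("/", 1)[-1], entry
    return entry, None


def audit_pkgbuild(pkgbuild: str, files: dict) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    arrays = parse_arrays(pkgbuild)
    findings = []
    sums = {k[:-4]: v for k, v in arrays.items() if k.endswith("sums")}
    if not sums:
        findings.append("no checksum array declared at all")
    elif set(sums) <= WEAK_ALGOS:
        findings.append("only weak checksum algorithms declared: " + ", ".join(sorted(sums)))
    scriptlet = parse_scalar(pkgbuild, "install")
    if scriptlet:
        findings.append(f"install scriptlet {scriptlet} present (runs as root at install time)")
    for i, entry in enumerate(arrays.get("source", [])):
        name, url = source_filename(entry)
        if url and urlparse(url).scheme not in SECURE_SCHEMES:
            findings.append(f"{name}: fetched over insecure transport ({urlparse(url).scheme})")
        for algo, digests in sums.items():
            if i >= len(digests):
                findings.append(f"{name}: no {algo} entry for this source")
                continue
            expected = digests[i]
            if expected == "SKIP":
                findings.append(f"{name}: {algo} check skipped (SKIP), integrity not verified")
                continue
            data = files.get(name)
            if data is None:
                findings.append(f"{name}: file not present, cannot verify")
                continue
            actual = hashlib.new(HASHLIB_NAMES.get(algo, algo), data).hexdigest()
            if actual != expected:
                findings.append(f"{name}: {algo} mismatch (expected {expected}, got {actual})")
    return findings


if __name__ == "__main__":
    for line in audit_pkgbuild(EXAMPLE_PKGBUILD, EXAMPLE_FILES):
        print("FINDING:", line)
    print("clean example findings:", audit_pkgbuild(CLEAN_PKGBUILD, EXAMPLE_FILES))
```

On the constructed input the audit reports six findings (weak algorithm, scriptlet, two insecure transports, one mismatch, one SKIP) and none on the clean counterpart. The parser deliberately handles only literal arrays; a PKGBUILD that builds its `source=` array from shell variables needs to be read by hand, which is exactly the situation the thread is arguing about.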
On 04/11/2014 04:27 PM, Daniel Wallace wrote:
So you're saying... blindly trusting someone else that is unknown to build and blindly sign a package is more secure than you downloading the pkgbuild with cower or something, looking at the PKGBUILD, and then using makepkg...
I'd also argue that not all users know how to do that, and the process is time consuming (especially when there are dozens of dependencies), so it's effectively impossible for a subset of users. I realize that contradicts the "user-centric not user-friendly" section of The Arch Way, but if there's any reason something should be allowed to violate that rule, it's security.

-- Taylor Hornby
Taylor Hornby wrote:
I'd also argue that not all users know how to do that, and the process is time consuming (especially when there are dozens of dependencies), so it's effectively impossible for a subset of users.
There are tools which (somewhat) simplify that. E.g. yaourt.

P.

-- There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.
participants (9)
- Alex Jordan
- Daniel Micay
- Daniel Wallace
- Felix Yan
- Mark Lee
- Nowaker
- Paladin
- Peter Baldridge
- Taylor Hornby