[arch-general] /etc/os-release: Suggestions for improvements
Hi, I've just recently learned about the relatively new file "/etc/os-release" and have to say that I quite like it. The previous situation was a mess at best, so this is a great way for unifying. systemd is really great in that regard. To my great astonishment it was already included into Arch about a month ago, see [1]. After looking at the file I have questions about some parameters. I know this might seem to be very petty-minded, but somehow its important to me. Maybe I'm just too perfectionistic about this. First of all I'm wondering why HOME_URL is set to the plain HTTP version of archlinux.org, whereas the other two links are set to the secure HTTPS version. This doesn't seem to be consequent. The example shows that Fedora is using the HTTPS version for both the HOME_URL as well as the BUG_REPORT_URL. After reading the appropriate man page (see [2]), I think the parameter SUPPORT_URL is not appropriate. It is set to "https://bbs.archlinux.org/". Personally I have some sort of a problem with the fact that only the forums get mentioned as a source for support. Personally I don't use the forums very often, but do make use of the mailing lists and the *really* great wiki much more heavily. Furthermore there are the various IRC channels, which probably are used by some of you. Unfortunately there doesn't seem to be some sort of a landing page, summarizing all the different ways you can ask/look for help, e.g. something like "https://www.archlinux.org/support/". Probably this would be the best solution. It looks like Fedora isn't mentioning a support URL at all, so maybe this would also be an option for us also? Furthermore I'm wondering whether we should look into the Common Platform Enumeration (CPE) specification (see [3]) in order to apply for an entry. From what I can tell it doesn't cost anything, but you have to contact the NVD CPE team, see [4]. Obviously this should be done by someone officially connected to Arch Linux. I don't want to leave behind any wrong impressions. I really appreciate how fast Arch Linux is following along with the proposals from upstream, but I do think we could be more consequent in this case. I couldn't find any sort of discussions about this, so before submitting any "patches" and/or reporting "bugs", I would like to ask you what you think about all of this? Best regards, Karol Babioch [1] https://projects.archlinux.org/svntogit/packages.git/commit/trunk/os-release?h=packages/filesystem&id=91796a8c7e996bca5f55caee499075beefdecf99 [2] http://www.freedesktop.org/software/systemd/man/os-release.html [3] http://cpe.mitre.org/specification/ [4] http://nvd.nist.gov/cpe.cfm
Am 03.07.2012 01:16, schrieb Karol Babioch:
First of all I'm wondering why HOME_URL is set to the plain HTTP version of archlinux.org, whereas the other two links are set to the secure HTTPS version. This doesn't seem to be consequent. The example shows that Fedora is using the HTTPS version for both the HOME_URL as well as the BUG_REPORT_URL.
The bbs and bug tracker are https-only. If you would go to the http link, you would be redirected to https. A user cannot login on the main website or send any sensitive information to it, so there is no need to force it to https.
After reading the appropriate man page (see [2]), I think the parameter SUPPORT_URL is not appropriate. It is set to "https://bbs.archlinux.org/". Personally I have some sort of a problem with the fact that only the forums get mentioned as a source for support.
Arch Linux is a community-supported OS, and the bbs is appropriate as a support URL.
Personally I don't use the forums very often, but do make use of the mailing lists and the *really* great wiki much more heavily. Furthermore there are the various IRC channels, which probably are used by some of you.
Unfortunately there doesn't seem to be some sort of a landing page, summarizing all the different ways you can ask/look for help, e.g. something like "https://www.archlinux.org/support/". Probably this would be the best solution.
Not a bad idea at all. As always, you can send a patch against https://projects.archlinux.org/archweb.git/ to include that landing page or submit a bug to the "Web Sites" category via https://bugs.archlinux.org/newtask/proj1.
On 3 July 2012 09:28, Thomas Bächler <thomas@archlinux.org> wrote:
Am 03.07.2012 01:16, schrieb Karol Babioch:
After reading the appropriate man page (see [2]), I think the parameter SUPPORT_URL is not appropriate. It is set to "https://bbs.archlinux.org/". Personally I have some sort of a problem with the fact that only the forums get mentioned as a source for support.
Arch Linux is a community-supported OS, and the bbs is appropriate as a support URL.
Arch Linux is a community-supported OS, and the mailing lists server is appropriate as a support URL. https://mailman.archlinux.org/mailman/listinfo/ Best regards, -- Mateusz Loskot, http://mateusz.loskot.net
Hi, Am 03.07.2012 10:28, schrieb Thomas Bächler:
The bbs and bug tracker are https-only. If you would go to the http link, you would be redirected to https. A user cannot login on the main website or send any sensitive information to it, so there is no need to force it to https.
Personally, I'm a big fan of HTTPS, even for seemingly uncritical things. Remember: HTTPS not only makes sure the channel is encrypted, but a key point of the whole PKI infrastructure is to make sure it is the right person/site/party to whom you are talking to. Otherwise you wouldn't need a certificate signed by a known CA. Furthermore it is always conceivable that some man-in-the-middle replaces the download links (along with the hashes) and/or something like that. As you've got a valid certificate obviously, I don't see a reason why not make use of it. Taking Fedora as an example they have their HOME_URL set to the HTTPS version here. When you got HTTPS Everywhere [1] installed, you only get to see the HTTPS version of fedoraproject.org. For Arch Linux, although part of the database of HTTPS Everywhere, this isn't the case. I can't see any disadvantage to propose the use of HTTPS strongly, especially because you've already got valid certificates.
Arch Linux is a community-supported OS, and the bbs is appropriate as a support URL.
By now means I wanted to depreciate the forums. I just wanted to make the point that there are more ways to ask for help and that we should advertise them also.
Not a bad idea at all. As always, you can send a patch against https://projects.archlinux.org/archweb.git/ to include that landing page or submit a bug to the "Web Sites" category via https://bugs.archlinux.org/newtask/proj1. I've filed a feature request (#30518). Unfortunately I'm not familiar with Django, so there is no way I could add this in a reasonable amount of time. However it shouldn't take too long for someone who knows what he is doing.
Best regards, Karol Babioch [1] https://www.eff.org/https-everywhere/
Am 03.07.2012 12:51, schrieb Karol Babioch:
Hi,
Am 03.07.2012 10:28, schrieb Thomas Bächler:
The bbs and bug tracker are https-only. If you would go to the http link, you would be redirected to https. A user cannot login on the main website or send any sensitive information to it, so there is no need to force it to https.
Personally, I'm a big fan of HTTPS, even for seemingly uncritical things. Remember: HTTPS not only makes sure the channel is encrypted, but a key point of the whole PKI infrastructure is to make sure it is the right person/site/party to whom you are talking to. Otherwise you wouldn't need a certificate signed by a known CA. Furthermore it is always conceivable that some man-in-the-middle replaces the download links (along with the hashes) and/or something like that. As you've got a valid certificate obviously, I don't see a reason why not make use of it.
Those are all valid concerns. I don't know why this particular URL was chosen. I guess nobody has put nearly as much thought into this as you did.
Taking Fedora as an example they have their HOME_URL set to the HTTPS version here. When you got HTTPS Everywhere [1] installed, you only get to see the HTTPS version of fedoraproject.org. For Arch Linux, although part of the database of HTTPS Everywhere, this isn't the case. I can't see any disadvantage to propose the use of HTTPS strongly, especially because you've already got valid certificates.
<ruleset name="Arch Linux"> <target host="archlinux.org"/> <target host="*.archlinux.org"/> <rule from="^http://archlinux\.org/" to="https://www.archlinux.org/"/> <rule from="^http://([^/:@\.]+)\.archlinux\.org/" to="https://$1.archlinux.org/"/> </ruleset> I always get https by default here.
Not a bad idea at all. As always, you can send a patch against https://projects.archlinux.org/archweb.git/ to include that landing page or submit a bug to the "Web Sites" category via https://bugs.archlinux.org/newtask/proj1. I've filed a feature request (#30518). Unfortunately I'm not familiar with Django, so there is no way I could add this in a reasonable amount of time. However it shouldn't take too long for someone who knows what he is doing.
Thanks.
Hi, Am 03.07.2012 13:08, schrieb Thomas Bächler:
Those are all valid concerns. I don't know why this particular URL was chosen.
I guess nobody has put nearly as much thought into this as you did.
So you would appreciate it? I certainly can submit a patch for this one ;).
<ruleset name="Arch Linux"> <target host="archlinux.org"/> <target host="*.archlinux.org"/> <rule from="^http://archlinux\.org/" to="https://www.archlinux.org/"/> <rule from="^http://([^/:@\.]+)\.archlinux\.org/" to="https://$1.archlinux.org/"/> </ruleset>
I always get https by default here.
Yeah, you are right. Seems that I have mixed up something here. I was playing around with HTTPS Everywhere and had it disabled for testing purposes. Totally my fault, I'm sorry. What about the CPE entry? Any interest in that? As said, this obviously has to be done by someone officially connected to Arch Linux, but from my understanding it shouldn't cost anything. Best regards, Karol Babioch
Hi Karol, Thanks for your input. I'm answering to your original email, but I read the whole discussion... On Tue, Jul 3, 2012 at 1:16 AM, Karol Babioch <karol@babioch.de> wrote:
First of all I'm wondering why HOME_URL is set to the plain HTTP version of archlinux.org, whereas the other two links are set to the secure HTTPS version. This doesn't seem to be consequent. The example shows that Fedora is using the HTTPS version for both the HOME_URL as well as the BUG_REPORT_URL.
I changed this in svn, will be included in the next filesystem release.
After reading the appropriate man page (see [2]), I think the parameter SUPPORT_URL is not appropriate. It is set to "https://bbs.archlinux.org/". Personally I have some sort of a problem with the fact that only the forums get mentioned as a source for support. Personally I don't use the forums very often, but do make use of the mailing lists and the *really* great wiki much more heavily. Furthermore there are the various IRC channels, which probably are used by some of you.
Unfortunately there doesn't seem to be some sort of a landing page, summarizing all the different ways you can ask/look for help, e.g. something like "https://www.archlinux.org/support/". Probably this would be the best solution. It looks like Fedora isn't mentioning a support URL at all, so maybe this would also be an option for us also?
If and when such a page is created, I'll be happy to change the url to point to it.
Furthermore I'm wondering whether we should look into the Common Platform Enumeration (CPE) specification (see [3]) in order to apply for an entry. From what I can tell it doesn't cost anything, but you have to contact the NVD CPE team, see [4]. Obviously this should be done by someone officially connected to Arch Linux.
Why would we want this? I don't know much about it, so if there are good reasons I'm interested to learn. -t
Hi, Am 03.07.2012 13:35, schrieb Tom Gundersen:
Why would we want this? I don't know much about it, so if there are good reasons I'm interested to learn.
I don't know much about it either, just stumbled upon it by reading the man page of "/etc/os-release". Looking at the database (see [1]), I realized that the "big" distributions like Fedora, Debian, Ubuntu and OpenSUSE are in the database, so my line of argumentation was something like "Why not?" ;). Basically it makes it look more professional as it could be used as a reference for entries within CVE and things like that. But I have to admit that this was just something I wanted to mention. I by no means insist on that. Best regards, Karol Babioch [1] http://web.nvd.nist.gov/view/cpe/search
On Jul 3, 2012 7:16 AM, "Karol Babioch" <karol@babioch.de> wrote:
After reading the appropriate man page (see [2]), I think the parameter SUPPORT_URL is not appropriate. It is set to "https://bbs.archlinux.org/". Personally I have some sort of a problem with the fact that only the forums get mentioned as a source for support. Personally I don't use the forums very often, but do make use of the mailing lists and the *really* great wiki much more heavily. Furthermore there are the various IRC channels, which probably are used by some of you.
I believe we had a discussion here about this a while back. The forums are generally more accessible and "easier" to use. Also moderated unlike the mailing list. As such it would always be appropriate for new users to be sent there first, if for nothing else then simply to filter the trolls and vampires out.
how about linking to a wiki page that lists and briefly explains each support option, putting the forums first on the list? I'd do that myself, but I'm still new to the Arch community and don't want to break all sorts of rules without meaning to. On Tue, Jul 3, 2012 at 5:33 PM, Oon-Ee Ng <ngoonee.talk@gmail.com> wrote:
On Jul 3, 2012 7:16 AM, "Karol Babioch" <karol@babioch.de> wrote:
After reading the appropriate man page (see [2]), I think the parameter SUPPORT_URL is not appropriate. It is set to "https://bbs.archlinux.org/". Personally I have some sort of a problem with the fact that only the forums get mentioned as a source for support. Personally I don't use the forums very often, but do make use of the mailing lists and the *really* great wiki much more heavily. Furthermore there are the various IRC channels, which probably are used by some of you.
I believe we had a discussion here about this a while back. The forums are generally more accessible and "easier" to use. Also moderated unlike the mailing list. As such it would always be appropriate for new users to be sent there first, if for nothing else then simply to filter the trolls and vampires out.
participants (6)
-
Devon Sawatzky
-
Karol Babioch
-
Mateusz Loskot
-
Oon-Ee Ng
-
Thomas Bächler
-
Tom Gundersen