[arch-general] ftp.gigabit.nu / ftp.archlinux.se shutting down

bardo ilbardo at gmail.com
Sun Jul 4 17:47:40 EDT 2010


2010/7/4 Rickard Eriksson <rickard.eriksson at gigabit.nu>:
> Cut from the forum where my co-admin first put this up, however it got
> closed with reason "trolling"...

You're *totally* trolling. There are many fallacies in your message.
First of all implying that what you're saying is unknown to the
community. This is not true. Just read the bazillion of mails in
arch-general and pacman-dev about package signing. Heck, there's even
a stub of implementation, and this is recent activity. However the
main reason there's no package signing in Arch is people simply don't
care enough.

> This mirror will shut down in the upcoming days.

If it's yours, thank god it is shutting down, I wouldn't want
to fetch my packages from someone like you.
(Yes, this is trolling too.)

> Few funny facts:
>
> * We never got contacted by anyone before we got added in the official
> mirror list. We just posted this thread and all of a sudden it appeared.
> No verification of who we were and what our intentions were.

This is a problem and shouldn't have happened. When were you added to
the mirror list? As far as I know, in the last few years relations
with mirror managers have changed quite a bit.

> * ArchLinux is fundamentally unscalable in the package manager aspect.

Please justify this claim. Provide a good case, suggest a solution.
Otherwise you are just trolling. And you aren't, right? =P

> * ArchLinux puts the trust in the hands of every mirror owner and their
> security. ftp.archlinux.se is the prime example of a machine vulnerable to
> all sorts of things. This affects YOUR security. This is why it's being put
> down. If the ArchLinux authors would start signing packages this would not
> be a risk to you.

Read above about packages signing. And anyway, who are you? What's
your business, what can you do other than whining and maintaining
insecure servers (your claim)? If you think arch is a bad distro do
something about it. And with "do something" I surely don't mean "drive
away users from it". In fact this is the best way to ensure the distro
will never get better and will never overcome its problems, which
undoubtedly exist.

> * We posted a suggestion of this in 2006.
> http://bugs.archlinux.org/task/5331 -- This is 4 years of insecurity.

Even APT hasn't always supported package signing. According to
wikipedia, it appeared in version 0.6. Were you there telling users to
switch distros back then?
Since nobody is paid to develop arch (unlike all the other distros you
mention below) you can only expect what the devs can do in their free
time and what the community is willing to contribute. Don't like it?
Again, make it better or leave, whining doesn't help.

> * We recommend all of you to switch to a distribution caring about user
> security and at least signs their packages. Most RPM and APT based distros
> do this (Ubuntu, Debian, RedHat, CentOS, SuSE, OpenSuSE, etc etc etc).

Another implied fallacy: you say that security is *the most* important
aspect of all. Ever considered that different users have different
needs? Speed, simplicity, ease of use, software updates, structure,
level of bureaucracy, community competency... These are many
parameters people consider when choosing a distro, and surely there's
many more. Security is just one of them, and sometimes isn't even
important at all.

By the way, the whole thing is just like me suggesting that you change
your house for another with a better door lock, because any lockpicker
worth his name can open yours in no time. Problem is, there's no lock
that can be considered "secure", they all can be opened if there's a
reason to.

Just remember security is not a product, security is a process. You
seem to forget it more than a few times in your message.

> Have fun. :-)

I surely did replying to you :)

Corrado Primier
