[arch-general] Arch Linux security is still poor....

Allan McRae allan at archlinux.org
Mon Mar 15 22:59:56 CET 2010

On 16/03/10 07:43, Ananda Samaddar wrote:
> On Tue, 16 Mar 2010 07:29:45 +1000
> Allan McRae<allan at archlinux.org>  wrote:
>> As an aside, I would like to see some numbers on where we could
>> improve in this area.  I have been following the CVE announcements
>> and several other distros security releases for the past few months
>> and from what I see, I believe Arch is mostly ahead of the game.
>> Following the latest upstream releases has its advantages.
>> Allan
> This may be true in the sense that by using the latest packages we are
> incorporating security fixes as they are released by default.  I take
> issue with the fact that there's no dedicated team and nothing in place
> to deal with security alerts.

There is no dedicated team, but as I said, we appear to be mostly ahead 
of the game in this respect.  I would be interested to see how many 
packages suffer from security issues that we miss.

> The other issue being the lack of signed packages.

Providing code is the way to fix this.  There is a good start that has 
been made and it mostly needs someone dedicated to finish it off.

> I don't know how much of a problem this is for other Arch
> users.
> Would there be any enthusiasm for a dedicated security team?  I feel
> strongly enough about it that if something can't be done then I'm
> switching to another distro. Despite the fact that I really like Arch,
> it's one deficiency is a pretty glaring one in my opinion.  I hope this
> doesn't turn into a flamefest and my opinions are by no means meant to
> be a slight on the Arch devs or community.

Sure there is enthusiasm for such a venture, at least judging by how 
many times this has been bought up in the past.  I think one or two of 
those times an actual project started up but then died.  So it appears 
enthusiasm yes, continual motivation no (at least up until now...).

And, this is a great candidate for a community project.  A group could 
monitor security issues and file bugs to get the devs to fix them. This 
is the way all Arch projects start and if they are useful, they may get 
taken on board and made official.


More information about the arch-general mailing list