Package Signing Comes To Pacman and Arch Linux
fwarren writes "One of the main complaints heard around here on why some Slashdotters don't run Arch Linux is that the packages are not signed. Fear no more: Arch Linux and Pacman now allow for package signing."
Late to the party... (Score:1, Insightful)
Re:FRIST (Score:5, Funny)
Arch (Score:2)
Moreover, I haven't really heard of too many people complaining about the lack of package signing when it comes to Arch Linux; usually it's the fact that after you install, you are pretty much presented with BASH, and that's it!
Re: (Score:1)
Re: (Score:2)
How do you know that package signing has never been an issue for you? You could be using a rooted 'login' and never know. Unless you have a checksum, you can't be sure the packages you fetch from arch haven't been tampered with.
Re: (Score:2, Funny)
This post is unsigned and may have been forged.
Re: (Score:3)
checksum != digital signature
Arch already provides checksums for source to be downloaded for AUR packages. I'm not sure about binary packages. In any case, that's not the same as digital signing, which is what is being implemented here. I highly recommend Applied Cryptography (ISBN 0-471-59756-2) if it is not clear to you.
Re: (Score:2)
You are of course correct. Checksums can be forged, digital signatures cannot. I'm quite aware of the difference, but did not write precisely.
Re: (Score:1)
Yeah... I love Arch, and I hate it.
However, I have to say that the documentation is quite excellent (with some reservations {wireless is a bit messy}) and the forum and IRC support are very helpful, which is inconsistent across the distros (Gentoo and Sabayon tend to either be really helpful or real hardcore jerks). The Arch guys are always cordial and helpful, which encouraged me to hang out there more often...
Pacman is slick and fast. The query feature could be more robust before it reaches Debian lovelines
Arch Linux: what's the differentiating factor? (Score:4, Interesting)
What does Arch bring to the table?
Debian has a minimal install option, is committed to freedom, has an awesome package manager, has tons of packages available, and has multiple release tracks that allow one to stay cutting edge should one wish.
RedHat is commercially supported.
CentOS is the free version of RedHat.
SLES is commercially supported, with a deal with Microsoft to interoperate.
Ubuntu is Debian made easier.
Gentoo is for people who like to recompile software for their hardware.
I get all of the above distros. I don't run them all myself -- especially not gentoo -- but I understand why some people do.
What's the point of Arch? I poked at the website and wikipedia pages, but don't see an explanation of what it gives you over, say, a base Debian install.
Note: this is not intended as a troll. I'm curious as to what Arch brought to the table. Why was it introduced? I'm sure there's an answer, just curious what.
Re: (Score:2)
I agree.
I tried Arch and wasn't impressed... it didn't seem to do anything better than any of the other distros, and had some measure of... unusualness. I also found the install process fairly unwieldy (especially package selection).
Personally I'm a Gentoo user. Not really for the recompiling-for-hardware thing... I just prefer the way they handle certain things in contrast to, say, Debian.
Re: (Score:1)
Package selection should be used to select additional packages you really need (like wifi drivers).
You set up your system **after** installing a base system.
This is a case #200394934908 of not following the beginners' guide.
Re: (Score:2)
Fair enough. I will say that while you expect to have to read through some documentation the first time installing something like Gentoo, with something that provides an installation utility I'd expect not to need to.
I went the "install only basic packages" route anyway as it's what I tend to do on any distro, but if this is the actual intended method, putting a note to that effect in the installer itself might be a good idea (if not already done). I can't be the only one who doesn't see "step by step install u
Re: (Score:2)
I'm not exactly sure I'd call what arch has an "installation utility". It's more of a bootstrap utility.
Re: (Score:1)
The Gentoo wiki used to be very very very good, until it died a couple of years ago - and it never regained its glory
Aw, that's too bad. I didn't know that it went away; I haven't used Linux at home for a few years. I've said a few times in "what distro should I use" conversations that if you have a few rare qualities (the time and will to tinker, some knowledge about computers even if it's not about Linux specifically, and aren't afraid to play around and try things), Gentoo is actually a decent choice to
Re: (Score:1)
If I recall correctly, because everything, including the package build system, is based off of PKGBUILDs. I've never really worked at making packages for RPM or DEB, but PKGBUILDs are supposed to be simpler. (Though it may be a compromise of simplicity for robustness of features.)
Re: (Score:2)
Debian, Ubuntu and the like all have an amd64 version as well.
There is no reason to use an i386/i686 version instead of amd64. The latter will be faster and be able to use more memory.
Re: (Score:2)
Re: (Score:2)
It's not really a differentiating factor since every other distribution has amd64, and given that i686 is useless when you have amd64.
Re: (Score:2)
Re: (Score:2)
The reason to use an i686 version is if you have a CPU that doesn't support x86_64, such as the first few models of Atoms or older CPUs that predate AMD64's introduction.
Re:Arch Linux: what's the differentiating factor? (Score:5, Insightful)
That has been the most important feature for me, as I found it would get old to have to reinstall Fedora every 6 to 12 months to get access to the latest bleeding edge software.
As one reviewer said, this OS is always fresh.
Re: (Score:2)
Re: (Score:2)
Debian unstable/sid is a rolling release distro too.
Re: (Score:1)
Re: (Score:1)
As both an Arch and Gentoo user, I also like the fact that both don't have versions. The update of a specific package is done when the package is ready upstream, not when a new version of the distro comes out.
Basically the way it feels is that both are versionless distros with a package management system. In Gentoo the default format for a package is source, but you CAN create binary packages yourself if you want. In Arch it's the other way around, the packages are binary by default, but you CAN use sour
Re:Arch Linux: what's the differentiating factor? (Score:5, Informative)
My favourite Arch feature is the AUR [archlinux.org] (Arch User Repository) where anyone can submit their own packages which other users can then install.
Because of the AUR, Arch is more likely to have a package for some given obscure application that Debian would be missing. Also, these packages are kept up to date to a greater extent than you'll see on Debian. Finally, they're all in one place, so you don't have to constantly add repositories to your package manager's repo list.
Re: (Score:1)
Because of the AUR, Arch is more likely to have a package for some given obscure application that Debian would be missing. Also, these packages are kept up to date to a greater extent than you'll see on Debian. Finally, they're all in one place, so you don't have to constantly add repositories to your package manager's repo list.
What you're mentioning are some of the main reasons why I am running Arch. But there's also the wiki, the community and the feeling of having a system which is very simple and clean. I tried it a few months ago and just loved it.
Re: (Score:2)
I find the simplicity of it to be just amazing. Everything is where I'd expect, nearly everything is done the way that makes sense, and it doesn't get in my way.
When I have run into problems, I've had a surprising amount of help without the "Why are you running Linux if you don't understand /that/?" arrogance that is so common in certain Linux areas.
Re: (Score:2)
My favourite Arch feature is the AUR [archlinux.org] (Arch User Repository) where anyone can submit their own packages which other users can then install.
Cool, thanks. That's a good differentiator. Most other distros have mechanisms to add unofficial repositories. But that's a lot of bother for the packager.
Next question: why did Arch need to reinvent the package management wheel? deb and rpm already existed. What does the Arch package format (format, not the pacman front-end) give you that other formats could not have?
- OP
Re: (Score:3)
Next question: why did Arch need to reinvent the package management wheel? deb and rpm already existed. What does the Arch package format (format, not the pacman front-end) give you that other formats could not have?
- OP
Arch packages are much easier to build. This was the thing for me. You basically write a file containing the package name, version number, where to get the sources (and their checksums), and then a bash script of how to install it. Most Arch packages can be written in minutes -- which I think is why the AUR is so popular.
For example, this is the entire source for a pylibmc package:
http://aur.archlinux.org/packages/py/python2-pylibmc/PKGBUILD [archlinux.org]
Notice how simple the build() section is in comparison to Debian pa
Re: (Score:2)
Re:Arch Linux: what's the differentiating factor? (Score:4, Interesting)
What does Arch bring to the table?
Re: (Score:3, Insightful)
Read: https://wiki.archlinux.org/index.php/Arch_Compared_to_Other_Distributions [archlinux.org]
I don't think you have a clue tbh. I've tried most well known Linuxes (all that you mentioned and a few others), and I can tell you that there are two major differences that distros have, as far as users are concerned: 1) GUI/CLI based (which is also complex/minimalistic), 2) Regular/rolling release based.
1) Ubuntu, Fedora, OpenSUSE and so on are GUI based systems, coming with fully installed DEs and offering people little choice
Re: (Score:1)
It's my understanding that debian testing still breaks fairly regularly, and when that happens, you can't always get a fixed package very soon, because sometimes the fix can be stuck in unstable until it's confirmed not to break anything worse, I guess. Or something -- a debian guy explained this as why I'd probably be better off running unstable than testing, given that I was able to fix occasional apt problems (learned on Maemo, where breaking apt was a way of life for a while), and I didn't quite 100% ge
Re: (Score:2)
Anyway, I don't get what the big deal is about duplication of effort -- if it makes people happier to reinvent the wheel than to copy someone else's wheel -- let 'em; it doesn't hurt you.
New distros and package formats hurt everyone:
1. The "Linux" community only has so many knowledgeable volunteers and developers at any one time. Maintaining a general-purpose distribution takes a whole fleet of people, each of whom understands the intricacies of one or more subsystems. When you create another distro, you are implicitly hoping that you can get a whole bunch of people to stop contributing to some other project and instead contribute to yours; and/or you are hoping to divert new volunteers f
Re: (Score:1)
Regarding package management, as far as the users are concerned I'd say Arch has the best possible thing. I've tested portage (Gentoo), apt-get/aptitude (Debian & Ubuntu), Fedora's rpm installs (can't remember the app's name).
Speed: Package manager (pacman) is probably the fastest one there is, when testing repository querying, installs, local queries and so on. Some operations got even faster with the new install.
Packages: A lot of packages are available on core/extra/community repositories, most of what a
Re: (Score:1)
Re:Arch Linux: what's the differentiating factor? (Score:5, Informative)
Great documentation and vanilla packages. That about sums it up. It's like Slackware with improved package management.
I've been running systems built from Debian base for about a decade. Recently I kept running into the Arch wiki when I wanted to solve a problem. e.g. if I want to reenable ctrl-alt-backspace in Xorg. If I google that, I get a page full of shitty Ubuntu related solutions that depend on extra packages or gui configuration tools.
But there's one result that sticks out. The Arch wiki [archlinux.org] provides a nicely organized, richly linked list of things you might want to configure, and how to configure them. This is how you collect and present useful information. I figured, if I find myself consistently using the documentation for a distro, maybe I should check out the actual distro.
So I still use Debian on most of my systems, but have thrown Arch on a couple for fun. It's easy, it works, and it doesn't feel as crufty as Debian does. Package signing will make it a contender for real work. Yay Arch!
Re: (Score:2)
So I still use Debian on most of my systems, but have thrown Arch on a couple for fun. It's easy, it works, and it doesn't feel as crufty as Debian does. Package signing will make it a contender for real work. Yay Arch!
Can you describe it without the weasel words?
What do you mean when you describe Debian as "crufty"? What do you mean when you say Arch is "fun"?
I could use those words to describe just about any distro, but they don't really communicate anything other than that you prefer Arch over Debian for some unspecified reason(s) -- which we could easily guess from the rest of your post.
I'm not saying it is or is not a good distro -- I just don't think that "crufty" and "fun" mean much of anything. As The Dude says:
Re: (Score:2)
I didn't say Arch was fun, I said fun was my motivation for putting it on a couple computers. I could have had the same fun with any distro, but Arch seemed to be a good choice for the reasons I described in my earlier post.
I did say Debian was crufty. And yes, that's probably subjective. Just the sheer number of packages makes it harder to figure out what the best way to do something is. It's not a major criticism and I don't dislike Debian for it. I still use it on anything important.
Re: (Score:1)
For starters? The init system.
Otherwise? The packages in general. It takes something so long to make it through the repo approval system that it's obsolete by the time it hits mainline. For some that is probably a bonus, but for me that's just a pain in the arse, cuz then I have to go and find either a repo that bolts on or a deb and the appropriate dependencies. For those that argue that AptoSid, or unstable/testing etc are the answer... well my forays into AptoSid and unstable/testing were less stable tha
Re: (Score:2)
That's what happens to me a lot, too, lately. Previously it used to be the Ubuntu Forums where you could find a lot of useful information, but nowadays
Re: (Score:2)
This shouldn't have been modded down. It's a good question, well stated, that provoked a number of thoughtful responses.
Re: (Score:2)
Floating point texture support in mesa? AFAIK they are the only binary distro to enable that flag because of patent concerns.
Re: (Score:1)
1) It's a rolling-release distribution.
2) It's bleeding edge (so no point comparing it to debian).
3) It follows the KISS principle.
Re: (Score:3)
Arch is a rolling release distribution that tries to keep its packages as close to vanilla as possible.
While I wouldn't recommend Arch in a production environment (the bleeding edge can be slippery) it works great for my personal server/media center and my netbook. Rolling release means you get to try out those great new features the day after you hear about them instead of six months later.
Granularity (Score:2)
I've tried maybe 15-20 distributions in the past 15 years, and finally settled on Arch. I like it for its minimalist base installation that lets ME choose the desktop environment without installing a bunch of crap I don't need; I also like its granularity that installs ONLY the packages I choose and their dependencies without a lot of additional crap I don't need.
So, you might say, use Linux From Scratch or Gentoo instead. I did! I used LFS for five years, but once I had learned enough from it in terms o
Re: (Score:2)
Debian has granularity too. You don't need to install a desktop environment, but Debian provides a default install in case you want to. Debian has worked out all the dependencies for you, too, and provides binaries for many architectures. You can also easily build a package from source if you want to tweak it.
Also, it provides different levels of dependencies, from required, to recommended, to suggested, and you can specify what the default is, as well as override the default when installing any package.
It
Re: (Score:1)
This allows greater control for those who obsess over what they do and don't want on their system.
It also helps with learning a lot about what each component does and why it's there. When I've tried minimalistic Debian installations in the past, I quickly get overwhelmed by the amount of things each package brings with it.
I probably would not install Arch again, but setting up my
Re: (Score:1)
I wish I had modpoints... It seems that the Debian peeps think that I have infinite diskspace, so when I want to install something to test it... It MUST come with 80 bajillion other packages... and deinstalling those may traverse back up the tree and break something that I want. Hence my hate for *untu as well.
Re: (Score:2)
Arch Linux brings a lot to the table but in areas you wouldn't expect. If you just "try" Arch Linux you probably miss the good points. I guess you could say that it grows on you. Or maybe that it grows with you.
The biggest, most obvious thing that Arch does that differentiates it from other distributions is that it is a rolling release. When an upstream project releases a new version and calls it stable, it works its way into Arch. How does this differ from other distributions which can get newer pac
I tried, did I miss something? (Score:2)
I'd read a lot of good things about Arch, so I decided to give it a go a few months ago. I wanted to like it, I really did, but my experience over 3 ~ 4 hours was reminiscent of installing Slackware circa 2002. I don't want to have to know how to configure every package on my system from scratch, I want them to mostly work, and then be able to tweak them. I simply don't have the time for anything else. Maybe this just means Arch isn't for me, but it seemed that the install process was going out of its way
Re: (Score:1)
Naturally, knowing more before installing makes it easier, so I wouldn't say you missed anything. I use Arch and I love it, but I also don't mind having struggled with it for hours. Sounds to me like it's just not for you. The only things that make it easier are the great wiki and the forums.
Re: (Score:2)
Re: (Score:2)
No, you didn't miss anything. Arch is for people who believe (correctly or incorrectly) that setting things up yourself so you know exactly how they work is less work in the long run than taking someone else's setup that "mostly works" and tweaking it.
Re: (Score:2)
Over the course of about 3 installs, the process gets a lot faster. The Beginner's Guide on the wiki takes you along the scenic route to get you acclimated to the system.
Personally, of all the Linux distributions I've worked with, I like Arch as a server. This is simply because I find the configuration from the command line to be far simpler than Debian based distributions. Comparing to RedHat/CentOS, for me, lands in the middle of Arch and Debian in complexity. However, if you have some fairly complex
Yes. You missed Archbang (Score:3)
Setting up Arch Linux is not hard. The article at http://lifehacker.com/5680453/build-a-killer-customized-arch-linux-installation-and-learn-all-about-linux-in-the-process [lifehacker.com] is particularly useful. I did not even need to refer to the guide. Just followed the instructions at LifeHacker and then used the Arch Wiki to configure and fine tune things from there. So yeah, I can do it. But I found a better way.
I now do my Arch setups by installing ArchBang. ArchBang is a riff on CrunchBang. As a live CD, it is Arch L
Re: (Score:2)
I use Arch on my laptop, EEE and torrent server.
Modern software on rolling release, most files where you expect them to be and no bloat (strigi, nepomuk, akonadi
Just for giggles I will point out that my desktop machine runs on Gentoo, so obviously I'm a masochist =)
Whew.... (Score:5, Funny)
I've been using Arch for years, and the constant flow of virii and rootkits that were deluging me might finally go away!
With all the recent news of Linux package repositories being the main vector of all these advanced persistent threats my CPO (Chief Pentest Officer) has been telling me about, I can now breathe a sigh of relief.
Re: (Score:1)
Re: (Score:2)
I just live on the edge (Score:5, Funny)
Re: (Score:1)
I love Arch, but... (Score:1)
vanilla doesn't suit everyone. I've used Fedora, Debian, Ubuntu and Arch (and several of their derivatives) full-time. From that experience I've learned two things:
* Arch is my favourite distro.
* My life is better when I use Ubuntu full time.
Arch has a simpler init, a better config structure, a better filesystem layout, a simpler packaging format that's easy to create build scripts for and amazingly good documentation. Also, all the points people make about AUR are valid, it's marvellous. Much to love
May be a little off-topic... (Score:1)
The ultimate Linux distro for the semi-poweruser. It's more bleeding edge than Fedora, more solid/stable than Ubuntu (not Debian level, no sir, but close enough for desktop use), with AUR - giant software repositories (stuff Fedora didn't hear of, one click away... or command) and last, but not least, best community anywhere
signing packages is bad (Score:2)
I thought most people had realized by now that signing packages is far from being a useful security feature, unless you have some way of revoking the signature on a package-by-package basis. What you want is a signature on the repo (preferably with an expiry date, so a malicious mirror can't just keep a vulnerable repo state around forever).
A package signature protects against trojans, but gives false credibility to official packages with vulnerabilities. A hostile mirror (possibly using a MITM attack) ca
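The rollback problem described in the post above, as an added example (not code from the post, from pacman or from Arch): a client that trusts only per-package signatures will still accept an old, vulnerable build years later, while a client that verifies a repository-level index with an expiry refuses the frozen index a stale or hostile mirror keeps serving. The package bytes, timestamps and the HMAC "signature" are constructed stand-ins; a real repository signs with an asymmetric key (pacman uses GnuPG).

```python
import hashlib
import hmac
import json

# Constructed stand-in for the repository signing key. A real repository uses
# an asymmetric key (pacman uses GnuPG); HMAC keeps this example stdlib-only.
REPO_KEY = b"constructed-repo-signing-key"
DAY = 86400

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def mac(data: bytes) -> str:
    return hmac.new(REPO_KEY, data, hashlib.sha256).hexdigest()

def sign_package(data: bytes) -> str:
    """Per-package signature: stays valid as long as the key does, no expiry."""
    return mac(data)

def verify_package(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(mac(data), sig)

def sign_index(packages: dict, valid_until: int) -> dict:
    """Repository-level signature over (name -> sha256) plus an expiry time."""
    body = json.dumps({"packages": packages, "valid_until": valid_until},
                      sort_keys=True).encode()
    return {"body": body, "sig": mac(body)}

def verify_index(signed: dict, now: int) -> dict:
    """Return the index if its signature verifies and it has not expired."""
    if not hmac.compare_digest(mac(signed["body"]), signed["sig"]):
        raise ValueError("repository index signature invalid")
    index = json.loads(signed["body"])
    # Expiry is what stops a mirror from replaying a correctly signed but
    # frozen index that still lists a package with a known vulnerability.
    if now > index["valid_until"]:
        raise ValueError("repository index expired; refusing stale mirror")
    return index

def check_package(index: dict, name: str, data: bytes) -> bool:
    """Accept a package only if its hash is listed in the current index."""
    if index["packages"].get(name) != sha256(data):
        raise ValueError(f"{name}: hash not in the current signed index")
    return True

def rejected(fn, *args) -> bool:
    """True if the client refuses fn(*args), i.e. it raised ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False

# Constructed sample data: an old build with a known bug, then its fix.
PKG_OLD = b"foo-1.0 (constructed: has a known vulnerability)"
PKG_NEW = b"foo-1.1 (constructed: fixed)"
OLD_INDEX = sign_index({"foo": sha256(PKG_OLD)}, valid_until=1_000 + DAY)
NEW_INDEX = sign_index({"foo": sha256(PKG_NEW)}, valid_until=200_000 + DAY)
OLD_PKG_SIG = sign_package(PKG_OLD)

def scenario(now: int = 250_000) -> dict:
    """What a client at time `now` accepts under each scheme."""
    index = verify_index(NEW_INDEX, now)
    return {
        # Per-package signature: the vulnerable build still verifies today.
        "old_pkg_sig_still_valid": verify_package(PKG_OLD, OLD_PKG_SIG),
        # Repository signature with expiry: the frozen old index is refused,
        # and the old build is refused because it is not in the fresh index.
        "old_index_rejected": rejected(verify_index, OLD_INDEX, now),
        "new_pkg_ok": check_package(index, "foo", PKG_NEW),
        "old_pkg_rejected": rejected(check_package, index, "foo", PKG_OLD),
        "tampered_rejected": rejected(check_package, index, "foo", PKG_NEW + b"x"),
    }
```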
Re: (Score:2)
I understand how package signing works--I was a Debian developer for many years, and have also built a lot of RPMs.
You obviously didn't read the paper I linked to. Having the uploader sign is good because it gives you accountability, but beyond that, per-package signatures are not only useless, but can actually be counter-productive! Because software has bugs! Which is why Debian doesn't attach the uploader's signature to the packages in its repo, even though it requires each upload to have one. That way
I'm frankly disappointed (Score:2)
Re:Now how about getting Linux users basic hygiene (Score:4, Funny)
Which is surprising because SOAP is a patent free industry standard.
Re: (Score:1)
Dude, don't feed the goddamned trolls! Especially since that lame pun is way too old to even start to begin to attempt to try to be funny.
Re: (Score:2)
Which is surprising because SOAP is a patent free industry standard.
Yes, but being public domain does not make it truly 'Free', therefore Stallman refuses to use it.