The real story behind Arch Linux package signing - For_Iconoclasm
http://www.toofishes.net/blog/real-story-behind-arch-linux-package-signing/

======
cakeface
Arch is an amazing distro and every one of my experiences with the community
has so far been positive. Kind of a bummer to see people dumping on it in the
mailing lists and LWN.

~~~
tygorius
Agreed on the thumbs up for Arch; I'm not thrilled with the direction Ubuntu
has been taking recently (at least in the desktop version) and so have been
migrating my non-server Linux boxes to Arch.

Sad to see LWN publish an attack without making an effort to get the other
side of the story first. If the complainer had made the patch submissions he
claimed and that the Arch maintainers deny ever seeing, well it should be
pretty easy to sort out before publishing the article -- if you're really
interested in journalism, that is.

~~~
wladimir
What's wrong with Ubuntu's direction, according to you?

To me, it seems they are fighting really hard to make Linux a user friendly
desktop platform. Even if it leaves behind some ways of working that we older
Linux users are accustomed to, I think this is a worthy cause.

~~~
pyre
Part of the beauty of Linux is that people that don't like the direction of a
particular distro can jump ship to another one. Does it really matter why? If
enough people are jumping ship, then it's probably time to question your
roadmap, but a few people here or there (especially if they are not your
target audience) aren't an issue.

~~~
wladimir
I'm simply interested in what his reason is, not trying to question the
wisdom of his decision :) I agree that there is nothing wrong with switching
to a different distribution if it suits you better.

~~~
tygorius
Yes, FWIW I took it as a request for information, not as an invitation to a
Klingon death match because I'd insulted your family's honor. I celebrate
diversity! ... even as I remember Philip K. Dick's liberal translation of de
gustibus non est disputandum as "those people can have bad taste and I don't
care."

------
jarin
People want a feature, but nobody wants to code it. It's obviously either: a)
not that important, or b) people don't want it that badly.

~~~
roryokane
Or c) those who want it don’t have enough skill to code it, and those who have
the skill aren’t interested.

That’s the generalized response to the flawed argument “if you want it, why
don’t _you_ make it?” in open source. People specialize at tasks to hopefully
increase the total effectiveness of a system to more than it would be if
everyone did everything. However, this means that if the only people who have
the power to do something unionize, other people can’t get that thing without
agreeing to their demands.

You could say in this situation, the core devs of Arch “unionized” to demand
either coding help or patience from those who want the feature. I’m not
interested enough in this situation to be bothered to research whether this is
a reasonable demand. If it is unreasonable, c) is the case, and if it is
reasonable, a) or b) is, but that’s as far as I care to investigate.

~~~
pyre
> Or c) those who want it don’t have enough skill to code it, and those who
> have the skill aren’t interested.

As others have pointed out, this would be more correctly stated as:

    Those who want it, but don't have the skill to code it, want to demand
    that someone that has the skills spends their leisure time creating it
    for free because they don't want to pay for it.

Aka

    If it is really that important to you, and you don't have the skills to
    do it, you always have the option of paying someone that *does* have the
    skills to do it for you.

Apparently in most cases it's just more fun to fire up the email client and
rant and rave about how it's 'unfair' that the feature isn't being
implemented. And in the more interesting examples claim that the developers
are 'Nazis' because they won't heed your beck and call.

~~~
crocowhile
What about hashing? Even if hashing is not the best solution, a not-so-good
solution is preferable over 7 years of a hole. This is the attitude that makes
users mad.

edit: I am talking sha256sum to compare with master repo. see:
<https://bugs.archlinux.org/task/23101#comment73640>
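
As an added example (not code from the thread, the bug tracker or the Arch project), the following shows what "compare a sha256sum with the master repo" amounts to in practice and where it stops helping. A client downloads a package from a mirror and checks it against a sha256sum(1)-format manifest; the two cases differ only in where the manifest comes from. The mirror, the master, the package name and its contents are all constructed for this illustration.

```python
"""Checksum verification of a downloaded package, and the limit of the idea.

Added example. Models the "check the sha256sum against the master repo"
proposal: the client fetches a package from a mirror and verifies it against
a manifest in the format written by `sha256sum`. Everything below (mirror,
master, package name, package bytes) is constructed for this illustration.
"""
import hashlib
import hmac
import re

# One line of `sha256sum` output: 64 hex digits, a space, then either a
# second space (text mode) or '*' (binary mode), then the file name.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse a sha256sum-format manifest into {filename: lowercase hex digest}.

    Rejects malformed lines and duplicate names instead of guessing, since a
    manifest that parses "leniently" is one an attacker can play games with.
    """
    digests = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = MANIFEST_LINE.match(line)
        if not match:
            raise ValueError(f"manifest line {lineno}: malformed entry {line!r}")
        digest, name = match.group(1).lower(), match.group(2)
        if name in digests:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name!r}")
        digests[name] = digest
    return digests


def verify_package(name: str, data: bytes, manifest: dict) -> bool:
    """True only if `data` hashes to the manifest's digest for `name`.

    A file with no manifest entry is rejected, not waved through, and the
    comparison is constant-time so the check itself leaks nothing.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# Constructed sample data: a "package" and the manifest the master would publish.
PKG_NAME = "example-1.0-1-x86_64.pkg.tar.xz"
GOOD_PKG = b"example-1.0-1: harmless package contents\n"
MASTER_MANIFEST = f"{sha256_hex(GOOD_PKG)}  {PKG_NAME}\n"


def mirror(compromised: bool) -> dict:
    """A constructed mirror that hosts the package and a colocated manifest.

    A compromised mirror swaps the package and rewrites its own manifest to
    match, because both files sit on the host the attacker controls.
    """
    if not compromised:
        return {PKG_NAME: GOOD_PKG, "sha256sums": MASTER_MANIFEST}
    evil_pkg = GOOD_PKG.replace(b"harmless", b"backdoored")
    return {PKG_NAME: evil_pkg, "sha256sums": f"{sha256_hex(evil_pkg)}  {PKG_NAME}\n"}


def install_check(compromised: bool, manifest_source: str) -> bool:
    """Run the client's check with the manifest taken from 'mirror' or 'master'."""
    files = mirror(compromised)
    if manifest_source == "mirror":
        manifest_text = files["sha256sums"]      # same host as the package
    elif manifest_source == "master":
        manifest_text = MASTER_MANIFEST          # separate, trusted host
    else:
        raise ValueError(f"unknown manifest source {manifest_source!r}")
    return verify_package(PKG_NAME, files[PKG_NAME], parse_manifest(manifest_text))


if __name__ == "__main__":
    for compromised in (False, True):
        for source in ("mirror", "master"):
            ok = install_check(compromised, source)
            print(f"mirror compromised={compromised!s:5} manifest from {source:6}: "
                  f"{'ACCEPT' if ok else 'REJECT'}")
```

Run stand-alone, the four combinations show the point: a tampered package is rejected only when the digest list comes from somewhere the mirror's attacker cannot write to. A checksum fetched from the same mirror as the package catches corruption but not compromise, and a checksum fetched from the master only helps if that fetch itself goes over an authenticated channel (for example TLS with the master's certificate actually checked). A detached signature over the manifest removes that dependency on the channel, since the signed list can then travel through the same untrusted mirrors and still be checked against a key the client already holds.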

------
illumen
This happens from time to time in OSS projects. Some users kick up a big
stink. Often times their issues get fixed.

However, it's a shit way to do it and tramples on a lot of people... and in
the mid to long run can damage a project greatly.

A more constructive way for a user to get a feature in is to either pay for
it, or code it. Setting up a 'bounty', or helping to get funding is a better
way to try and get these novel writers to help with the project.

Get these passionate writers working for the project by directing their
energies towards getting funding. Telling them to shut up and submit a patch
won't work... since they are not capable of writing code sometimes. However
they do care greatly about the issue, and have time to send off emails and
write blog posts.

~~~
pyre
In this case, it seems like the user is more interested in trolling than
anything else. He claimed that one of the features was 'easy' to implement and
that he would submit a patch, but then never did. Presumably because he was
too busy writing a blog post about how the developer was being 'difficult'
because they asked him to write a patch for such an 'easy' feature (e.g.
"encryption is easy, right? you just take a piece of information and then you
encrypt it! Pow! It's done! Easy as pie! What's so hard?").

------
syaz1
tl;dr anyone? Arch is the only distro I use but never heard of this before.

~~~
mycroftiv
Many distributions try to provide some security assurance to users by having
packages in the repo cryptographically signed. This makes it harder for
naughty people to trick users into installing malicious software. As a
relatively small, non-"enterprise" distribution, Arch has not implemented such
a system. Some people believe this is a Bad Thing, and recently there has been
some controversy about it on mailing lists, which eventually bubbled up into
an article on Linux Weekly News. Some Arch developers believe the issue has
been portrayed inaccurately, and that a hostile individual has framed the
issue unfairly.

~~~
trotsky
As someone who hasn't ever used arch, I am surprised to find out that they
don't sign. The distros I use, RHEL, fedora and openSUSE have pushed all
signed packages for quite some time. Clearly debian/ubuntu do as well. FBSD
and OBSD also. Even gentoo supports signing of portage source packages, though
apparently there is no policy that requires package builders to sign. This
would seem to be an argument against rolling your own package manager, at
least if you lack the resources to bring it up to industry standards.

Does anyone know of other distros that don't sign their packages?

~~~
cakeface
RHEL, fedora (RH again) and openSUSE all have paid programmers working on
their distro at various companies. Arch does not. I will agree that not having
signing is an argument against using pacman the Arch package manager. There
are, however, plenty of positive arguments for using pacman. It's a great,
reliable package manager and I'm more comfortable with it than apt-get and
yum for sure. If you're interested there are plenty more details in the Arch
Wiki.

