Slashdot Mirror


Package Signing Comes To Pacman and Arch Linux

fwarren writes "One of the main complaints heard around here on why some Slashdotters don't run Arch Linux is that the packages are not signed. Fear no more: Arch Linux and Pacman now allow for package signing."

22 of 103 comments

  1. Arch by jampola · · Score: 2

    It's the Linux man's Linux. I have so much love for Arch and to be honest, the lack of package signing has never been an issue. But nonetheless, a welcome addition!

    Moreover, I haven't really heard of too many people complaining about the lack of Package Signing when it comes to Arch Linux, usually it's the fact that after you install, you are pretty much presented with BASH, and that's it!

    1. Re:Arch by Anonymous Coward · · Score: 2, Funny

      This post is unsigned and may have been forged.

    2. Re:Arch by Tim4444 · · Score: 2

      checksum != digital signature

      Arch already provides checksums for source to be downloaded for AUR packages. I'm not sure about binary packages. In any case, that's not the same as digital signing which is what is being implemented here. I highly recommend Applied Cryptography (ISBN 0-471-59756-2) if it is not clear to you.
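
The distinction Tim4444 draws is the whole point of the story, so here is an added worked example (my code, not pacman's, and not from the thread) showing why a checksum served from the mirror does not protect against a compromised mirror while a signature does. It assumes Ed25519 as a stand-in for the OpenPGP signatures pacman actually uses, and the package bytes, sums and keys are all constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Check records what a client could establish about one downloaded package.
type Check struct {
	ChecksumOK  bool // bytes match the checksum published alongside them
	SignatureOK bool // bytes verify under the public key the client trusts
}

// sha256Hex stands in for the checksum a repository publishes for a package.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDownload performs both checks independently so that the caller can
// see which of them an attacker is able to satisfy. A real client would stop
// at the first failure.
func VerifyDownload(trusted ed25519.PublicKey, data []byte, publishedSum string, sig []byte) Check {
	return Check{
		ChecksumOK:  sha256Hex(data) == publishedSum,
		SignatureOK: ed25519.Verify(trusted, data, sig),
	}
}

// Scenario plays an honest download and a download from a compromised mirror.
// The package bytes are constructed for this example; a real package would be
// a compressed tarball.
func Scenario() (Check, Check, error) {
	// The packager's key pair. Only the public half is ever distributed to
	// clients (the trusted keyring); the private half never touches a mirror.
	packagerPub, packagerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Check{}, Check{}, err
	}

	original := []byte("openssh-5.9p1-1-x86_64.pkg.tar.xz: <constructed payload>")
	publishedSum := sha256Hex(original)         // served from the mirror
	sig := ed25519.Sign(packagerPriv, original) // made on the packager's machine

	honest := VerifyDownload(packagerPub, original, publishedSum, sig)

	// An attacker who controls the mirror swaps the package and, because the
	// checksum is served from the same place, simply recomputes it.
	trojan := []byte("openssh-5.9p1-1-x86_64.pkg.tar.xz: <constructed payload with backdoor>")
	forgedSum := sha256Hex(trojan)

	// For the signature the attacker has nothing better than a key of his own,
	// which the client does not trust.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Check{}, Check{}, err
	}
	forgedSig := ed25519.Sign(attackerPriv, trojan)

	tampered := VerifyDownload(packagerPub, trojan, forgedSum, forgedSig)
	return honest, tampered, nil
}

func main() {
	honest, tampered, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest mirror:      checksum=%v signature=%v\n", honest.ChecksumOK, honest.SignatureOK)
	fmt.Printf("compromised mirror: checksum=%v signature=%v\n", tampered.ChecksumOK, tampered.SignatureOK)
}
```

The checksum still earns its keep against download corruption and against a mirror that serves a stale package, which is exactly what the AUR source checksums in a PKGBUILD are for; what it cannot do is bind the bytes to the packager, because whoever can rewrite the package can rewrite the sum next to it.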

  2. Re:Now how about getting Linux users basic hygiene by RyuuzakiTetsuya · · Score: 3, Funny

    Which is surprising because SOAP is a patent free industry standard.

    --
    Non impediti ratione cogitationus.
  3. Arch Linux: what's the differentiating factor? by Anonymous Coward · · Score: 4, Interesting

    What does Arch bring to the table?

    Debian has a minimal install option, is committed to freedom, has an awesome package manager, has tons of packages available, and has multiple release tracks that allow one to stay cutting edge should one wish.

    RedHat is commercially supported.

    CentOS is the free version of RedHat.

    SLES is commercially supported, with a deal with Microsoft to interoperate.

    Ubuntu is Debian made easier.

    Gentoo is for people who like to recompile software for their hardware.

    I get all of the above distros. I don't run them all myself -- especially not gentoo -- but I understand why some people do.

    What's the point of Arch? I poked at the website and wikipedia pages, but don't see an explanation of what it gives you over, say, a base Debian install.

    Note: this is not intended as a troll. I'm curious as to what Arch brought to the table. Why was it introduced? I'm sure there's an answer, just curious what.

    1. Re:Arch Linux: what's the differentiating factor? by some_guy_88 · · Score: 4, Informative

      My favourite Arch feature is the AUR (Arch User Repository) where anyone can submit their own packages which other users can then install.

      Because of the AUR, Arch is more likely to have a package for some given obscure application that Debian would be missing. Also, these packages are kept up to date to a greater extent than you'll see on Debian. Finally, they're all in one place, so you don't have to constantly add repositories to your package manager's repo list.

    2. Re:Arch Linux: what's the differentiating factor? by dejanc · · Score: 3, Interesting

      What does Arch bring to the table?

      1. It's a rolling release distribution, which many people like.
      2. Package manager is very easy to use
      3. Making new packages and modifying existing ones is extremely easy. Not only is the syntax of package definition very simple, but all package sources are easily available with the ABS (Arch Build System, something like ports).
      4. The previous point is the reason that AUR (centralized repository of user-submitted packages) is very popular and generally of acceptable quality.
    3. Re:Arch Linux: what's the differentiating factor? by gajop · · Score: 3, Insightful

      Read: https://wiki.archlinux.org/index.php/Arch_Compared_to_Other_Distributions
      I don't think you have a clue tbh. I've tried most well known Linuxes (all that you mentioned and a few others), and I can tell you that there are two major differences that distros have, as far as users are concerned: 1) GUI/CLI based (which is also complex/minimalistic), 2) Regular/rolling release based.

      1) Ubuntu, Fedora, OpenSUSE and so on are GUI based systems, coming with fully installed DEs and offering people little choice on the initial install. Sure you can remove stuff and install simple WMs, but that just makes it harder to configure than Arch/Gentoo and even Slackware, who are made for ground-up installation. The reason I use Arch regularly is because I can configure it to do pretty much exactly what I want.

      2) Ubuntu, Fedora, Debian, OpenSUSE, Slackware, and a whole lot of others are using the regular (once, twice a year) release cycle. It's fine if you're using it in the office/classroom/servers, or you just don't use computers much. But often, software updates come a lot more regularly than that (Windows _software_ is rolling release!, the OS itself isn't of course), and it's always good to be on the bleeding edge - unless it's you who's bleeding, and that's a potential problem (much like this update required some meddling before it would just work). And even if you do get problems every once in a while when you do rolling release updates, the huge amount of problems whenever I do a full update every 6 months on Ubuntu makes me want to do a clean install (I'm using an up-to-date Arch from 2008~, did some experimenting with other linuxes). In the rolling release field it's quite similar to Gentoo (that's another power of Gentoo, it isn't just people compiling stuff for the laughs).

    4. Re:Arch Linux: what's the differentiating factor? by Hatta · · Score: 4, Informative

      Great documentation and vanilla packages. That about sums it up. It's like Slackware with improved package management.

      I've been running systems built from Debian base for about a decade. Recently I kept running into the Arch wiki when I wanted to solve a problem. e.g. if I want to reenable ctrl-alt-backspace in Xorg. If I google that, I get a page full of shitty Ubuntu related solutions that depend on extra packages or gui configuration tools.

      But there's one result that sticks out. The Arch wiki provides a nicely organized richly linked list of things you might want to configure, and how to configure them. This is how you collect and present useful information. I figured, if I find myself consistently using the documentation for a distro, maybe I should check out the actual distro.

      So I still use Debian on most of my systems, but have thrown Arch on a couple for fun. It's easy, it works, and it doesn't feel as crufty as Debian does. Package signing will make it a contender for real work. Yay Arch!

      --
      Give me Classic Slashdot or give me death!
    5. Re:Arch Linux: what's the differentiating factor? by substance2003 · · Score: 5, Insightful

      I think the only thing you missed was that it's a rolling release OS, meaning that, unlike other distros, you never need to reinstall it unless you mess up.
      That to me has been the most important feature, as I found it would get old to have to reinstall Fedora every 6 to 12 months to get access to the latest bleeding edge software.

      As one reviewer said, this OS is always fresh.

    6. Re:Arch Linux: what's the differentiating factor? by Korin43 · · Score: 2

      Next question: why did Arch need to reinvent the package management wheel? deb and rpm already existed. What does the Arch package format (format, not the pacman front-end) give you that other formats could not have?

      - OP

      Arch packages are much easier to build. This was the thing for me. You basically write a file containing the package name, version number, where to get the sources (and their checksums), and then a bash script of how to install it. Most Arch packages can be written in minutes -- which I think is why the AUR is so popular.

      For example, this is the entire source for a pylibmc package:

      http://aur.archlinux.org/packages/py/python2-pylibmc/PKGBUILD

      Notice how simple the build() section is in comparison to Debian packaging.

    7. Re:Arch Linux: what's the differentiating factor? by Edwin_OS · · Score: 2

      Finally somebody said it, and no, setting testing repos in debian is not as close as using a good rolling release.

    8. Re:Arch Linux: what's the differentiating factor? by Spykk · · Score: 2

      A description of Arch in the format you used to describe the other distributions might be:

      Arch is a rolling release distribution that tries to keep its packages as close to vanilla as possible.

      While I wouldn't recommend Arch in a production environment (the bleeding edge can be slippery) it works great for my personal server/media center and my netbook. Rolling release means you get to try out those great new features the day after you hear about them instead of six months later.

  4. I tried, did I miss something? by doob · · Score: 2

    I'd read a lot of good things about Arch, so I decided to give it a go a few months ago. I wanted to like it, I really did, but my experience over 3 ~ 4 hours was reminiscent of installing Slackware circa 2002. I don't want to have to know how to configure every package on my system from scratch, I want them to mostly work, and then be able to tweak them. I simply don't have the time for anything else. Maybe this just means Arch isn't for me, but it seemed that the install process was going out of its way to make things as complicated as possible, a particular example was wpa_supplicant being selected for install by default, but not wireless-tools!

    Did I miss something obvious that makes the whole process a lot easier, or is Arch just "like that"?

    --
    In the spoon, there is no Soviet Russia!
    1. Re:I tried, did I miss something? by krinderlin · · Score: 2

      Over the course of about 3 installs, the process gets a lot faster. The Beginner's Guide on the wiki takes you along the scenic route to get you acclimated to the system.

      Personally, of all the Linux distributions I've worked with, I like Arch as a server. This is simply because I find the configuration from the command line to be far simpler than Debian based distributions. Comparing to RedHat/CentOS, for me, lands in the middle of Arch and Debian in complexity. However, if you have some fairly complex requirements for a server, I find that Arch has traded robustness for simplicity, so you may find that a RedHat based distribution is better suited.

      The AUR provides a Gentoo style system where a fairly standard script will download the source from upstream and compile it into a package you can then install. There are "AUR Helpers", a favorite is yaourt, which will manage dependencies that are both within the AUR and the standard repositories. I see this as a major benefit because people are far more inclined to simply write a PKGBUILD instead of creating their own repository. (I just recall Fedora requiring 2 "unofficial" repositories to run properly.)

      Arch also makes a big deal out of being as close to upstream releases as possible. For instance, /usr/bin/python points to /usr/bin/python3 instead of python2, simply because Python people said at some point they'd like distributions to move to a default of python3. Unfortunately, doing so causes all sorts of breakage and screaming developers, so Arch is still one of the few that do it.

      I've not had too many support questions for Arch because the Wiki is usually all I need. On occasion, I'll dig through the BB's, but I've yet to need to ask a question about setting up nearly anything.

      To me, Arch just brings into focus a very straightforward ideal to distribution management. If upstream makes a release, build a new package, test, put it in core/extra/community. Keep patching to a minimum to reduce the work required to get from upstream code to binary package.

      So I guess good docs, decent package system, short time-to-package for upstream release, and the AUR removing the incentive for unofficial repositories are what Arch brings to the table.

      The main thing that makes most people leave is they don't subscribe to the arch-general and arch-announce mailing lists. If an upgrade to a core package ever fails with a weird message, the reason and how to fix it has generally been discussed in depth on the general list for a few weeks. Even then, there's almost always an announcement and a post to the front page of the website.

      If they do subscribe to the mailing lists, a lot of Ubuntu users come to Arch for some strange reason and get offended when they're handed a RTFW on the mailing list in response to a basic question. The boards are a bit more tame, but there is the same tendency to say, "Did you read this [link] on the wiki? Because it clearly states you're doing it wrong." Also, there's this strange obsession with bottom-posting that will completely derail a thread due to one person putting their reply at the top of the thread.

      So yeah, asking questions covered in the Wiki will get you some flack. Which I guess is a big turn off for people. God forbid you actually try to search in the wiki or forums first. (Those last few sentences are probably why I fit in with Arch. :-D)

  5. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  6. Re:FRIST by K.+S.+Kyosuke · · Score: 4, Funny

    Warning. The parent post is unsigned and may have been forged.

    --
    Ezekiel 23:20
  7. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  8. Whew.... by liquidweaver · · Score: 4, Funny

    I've been using Arch for years, and the constant flow of virii and rootkits that were deluging me might finally go away!
    With all the recent news of linux package repositories being the main vector of all these advanced persistent threats my CPO (Chief Pentest Officer) has been telling me about, I can now breathe a sigh of relief.

    --
    mov ah, 4ch
    int 21h
    1. Re:Whew.... by krinderlin · · Score: 2

      Not quite. *twitch* You have to enable it manually right now and the package signing work is only fully complete on [core]. [extra] is about halfway there and [community] is...well....NOT. :-/
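
The repository-by-repository state krinderlin describes is what the per-repository signature level in /etc/pacman.conf is for. The fragment below is an added illustration, not something from the thread or from the Arch project's default config; it assumes the SigLevel syntax of pacman 4.x and the standard [core]/[extra]/[community] repository names, and the policy values chosen are mine.

```ini
[options]
# Default for any repository that does not set its own level.
SigLevel = Optional

[core]
# Fully signed: refuse packages that are unsigned or signed by an untrusted key.
SigLevel = Required
Include = /etc/pacman.d/mirrorlist

[extra]
# Partially signed: verify a signature when one is present, accept the rest.
SigLevel = Optional
Include = /etc/pacman.d/mirrorlist

[community]
# Not signed yet: Optional here is no protection at all against a bad mirror.
SigLevel = Optional
Include = /etc/pacman.d/mirrorlist
```

The caveat a practitioner wants: Optional means an unsigned package is accepted silently, so a mirror that strips the signature gets through. Until a repository is fully signed, only the repositories set to Required actually deliver the guarantee the story is celebrating, and the client still needs a populated, trusted keyring for Required to mean anything.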

  9. I just live on the edge by mshenrick · · Score: 5, Funny

    I feel like such a fearless badman for running arch linux before the packages were signed

  10. Yes. You missed Archbang by fwarren · · Score: 2

    Setting up Arch Linux is not hard. The article at http://lifehacker.com/5680453/build-a-killer-customized-arch-linux-installation-and-learn-all-about-linux-in-the-process is particularly useful. I did not even need to refer to the guide. Just followed the instructions at LifeHacker and then used the Arch Wiki to configure and fine tune things from there. So yeah, I can do it. But I found a better way.

    I now do my Arch setups by installing ArchBang. ArchBang is a riff on CrunchBang. As a live CD, it is Arch Linux with an OpenBox GUI, a Tint2 panel, system info shown in conky and some slick CrunchBang style GUI configuration tools for OpenBox. Now setting up an Arch Linux system takes about 15 minutes. That is all the time it takes to run the installer. As part of the install you need to edit two files. In rc.conf you set your hostname. In pacman.d/mirrorlist, you need to move the mirrors in your country to the top of the file. That is it.

    After 15 minutes of work, you have a completely working Arch Linux system with sound, X and a Window Manager with font smoothing all set up for you.

    In addition to pacman they also include packer, which is able to install all the standard packages that pacman does but is also able to perform installs from AUR using the same syntax as pacman.

    Arch + Openbox + Packer = ArchBang

    --
    vi + /etc over regedit any day of the week.