You Are My New Daily Driver, But I'm A Little Worried About Security

First of all AMAZING JOB WITH THIS OS. The defaults are FINALLY sensible in a flavor of Linux after decades of people with agendas trying and failing to build something truly great. WELL DONE.

You've made it to my desktop as I can finally do what I want and need with this system without having to spend needless time in configuration and maintenance. I've been running it for a few months now and I'm satisfied to leave it as my home base.

That said, I'd like to very respectfully bring up a subject that is concerning to me as a user, and that's how packages are handled. If you have a look at:

arch-audit

You will find that we end up with a lot of vulnerabilities (as any system will, and, as you say, without vulnerabilities listed we would of course be in worse trouble), but some of them are already solved, and because of the way you handle packages, I feel unsafe.

I am writing to put forth the idea that perhaps there could at some point be a way to bring in directly a fix for a package without the normal method (even fast-tracking is leaving me exposed and vulnerable unfortunately). Perhaps there is already a method for doing this and I have simply missed it.

Regardless, thank you again for your great work.

The current output of unstable branch is this:

phil@development ~ $ arch-audit
Package inetutils is affected by CVE-2019-0053. High risk!
Package openjpeg2 is affected by CVE-2019-6988. Low risk!
Package qemu is affected by CVE-2019-20382. Low risk!
Package unzip is affected by CVE-2018-1000035. Low risk!

Stable might have more results, as it might have older packages.

If you look at our mailing list you will see that we are really active in packaging our own overlay packages and try to push a working set of packages to our Testing branch. We have almost daily updates on Testing. However, major updates to Gnome, Plasma or systemd and co might give us more work to get stabilized.

On our security mailing list you will find updates on what might be needed to be updated to have your system secure.

We have handled packages this way for 9 years now. It is currently the best way we can do it. To improve it, it would be great if more people switched to testing and reported issues so we can update Stable faster.

Only with dedicated community members can we work on, and also focus on, security issues.

4 Likes

webkit2gtk is the one that was bothering me recently, it's a dep for Lutris, a gaming platform, which has really no current good alternative.

Anyway thank you for the explanation.

We can't do anything about webkit as it is mostly a dead project.

1 Like

It looks like they have an update available, if you get time to push it, it's registering as a critical remote arbitrary code execution vulnerability upstream: https://security.archlinux.org/ASA-202003-9

I realize there are a lot of packages to keep track of, and I don't want to sound ungrateful or like I'm trying to burden you, which is why I suggested the ability to manually patch things above.

What about inetutils - it doesn't show any available upgrade.

Take a look at the vulnerability listed:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0053
https://security.archlinux.org/CVE-2019-0053
telnet is affected - if you don't use it, you're not vulnerable.
Upstream has provided no patch - the latest version is packaged.

1 Like
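The arch-audit output quoted earlier in the thread is one line per finding, which is easy to parse, and the reply above makes the point that a listed package is only a problem if the affected component is actually used. The following Python script is an added example, not part of this thread or of arch-audit itself: it parses that output into records, ranks them by severity, and lets you record documented exceptions (such as an unused telnet client) so the remaining list is what actually needs action. The comma-separated CVE list and the optional "Update to <version>!" suffix are assumptions about arch-audit output beyond the four lines quoted here, and the fifth sample line (package `example-pkg`, CVE-0000-000x) is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Severity ranking used to sort and filter findings (highest first).
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# One arch-audit finding per line. The comma-separated CVE list and the optional
# "Update to <version>!" suffix are assumptions about the tool's output beyond the
# four lines quoted in the thread.
LINE_RE = re.compile(
    r"^Package (?P<pkg>\S+) is affected by "
    r"(?P<cves>CVE-\d{4}-\d{4,}(?:, CVE-\d{4}-\d{4,})*)\. "
    r"(?P<sev>Critical|High|Medium|Low) risk!(?: Update to (?P<fix>\S+)!)?$"
)


@dataclass(frozen=True)
class Finding:
    package: str
    cves: Tuple[str, ...]
    severity: str
    fixed_in: str  # "" when arch-audit reports no fixed version


def parse_arch_audit(text: str) -> List[Finding]:
    """Turn raw arch-audit stdout into Finding records.

    Lines that do not look like a finding (shell prompt, blank lines) are skipped.
    """
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        findings.append(Finding(
            package=m["pkg"],
            cves=tuple(c.strip() for c in m["cves"].split(",")),
            severity=m["sev"],
            fixed_in=m["fix"] or "",
        ))
    return findings


def triage(findings: List[Finding], min_severity: str = "High") -> List[Finding]:
    """Keep findings at or above min_severity, highest severity first, then by package name."""
    threshold = SEVERITY_RANK[min_severity]
    keep = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    return sorted(keep, key=lambda f: (-SEVERITY_RANK[f.severity], f.package))


def apply_exceptions(findings: List[Finding],
                     exceptions: Dict[str, str]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (actionable, accepted).

    `exceptions` maps a package name to a written reason for accepting the risk,
    e.g. a client binary that is installed as a dependency but never used.
    """
    actionable, accepted = [], []
    for f in findings:
        (accepted if f.package in exceptions else actionable).append(f)
    return actionable, accepted


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity label."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Sample input: the four lines quoted in the thread plus one constructed line
# (example-pkg, placeholder CVE ids) exercising the multi-CVE and fix-version cases.
SAMPLE_OUTPUT = """phil@development ~ $ arch-audit
Package inetutils is affected by CVE-2019-0053. High risk!
Package openjpeg2 is affected by CVE-2019-6988. Low risk!
Package qemu is affected by CVE-2019-20382. Low risk!
Package unzip is affected by CVE-2018-1000035. Low risk!
Package example-pkg is affected by CVE-0000-0001, CVE-0000-0002. Medium risk! Update to 1.2.3-1!
"""

if __name__ == "__main__":
    findings = parse_arch_audit(SAMPLE_OUTPUT)
    # Documented exception: telnet client from inetutils is installed but not used.
    actionable, accepted = apply_exceptions(
        findings, {"inetutils": "telnet client present only as a dependency, never used"})
    print("counts:", summarize(findings))
    for f in triage(actionable, "Medium"):
        fix = f"fixed in {f.fixed_in}" if f.fixed_in else "no fixed version"
        print(f"{f.severity:8} {f.package:12} {', '.join(f.cves)} ({fix})")
    for f in accepted:
        print(f"accepted {f.package}: {', '.join(f.cves)}")
```

Running the script on real output (`arch-audit | python3 triage.py` with `SAMPLE_OUTPUT` replaced by `sys.stdin.read()`) gives a short list sorted by what to look at first; the exceptions dictionary is the place to keep the reasoning from the reply above ("telnet is affected - if you don't use it, you're not vulnerable") where it can be reviewed rather than forgotten.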

You could just delete /usr/bin/telnet

That protocol is pretty cancer anyway :slight_smile:

Also appears to be required by zenity which is required by steam-manjaro, at least on my stable KDE laptop, with a fresh, pretty much default install from less than a year ago.

You can switch to testing if you want updated packages sooner. Then you can downgrade to stable if you ever experience problems on testing. In years of using Manjaro testing across 2 laptops, I've only experienced minor bugs, but your results may vary depending on your hardware.

I believe this already covers the most relevant issues, and this topic comes up every few months when people don't wait long enough to see how Manjaro works before asking questions about how it works.

4 Likes
