Arch development in detail and user privacy

pepper · 2017-12-09 09:18:31

Hi, I hope to be in the correct forum section. I would like to know how arch linux developers decide about the evolution of this distro.

1) Is the process of tasks divisions transparent? Is it performed also on this forum? Exactly where is performed?
(I do not want to know where the project updates are shown but where the developer "x" tells the developer "y": "you do this", "I take care of this", "no, it's better that he does" or understand however, how it works and if it is transparent.)
2) Is there a boss? are there equal decision-making powers ?
3) Is there an official "sort of warranty" that spying softwares (of every kind, like ubuntu's amazon search bar) aren't shipped with the distro regardless of the license type? Is there a checking process about this "problem" (main and also AUR repos)?

Thank you.

Last edited by pepper (2017-12-09 09:28:48)

Allan · 2017-12-09 09:28:52

1) Developers do what they want.
2) Developers do what they want.
3) Developers do what they want.

pepper · 2017-12-09 09:55:55

Does arch linux express itself regarding probable espionage software in the distribution (as debian,fedora or mint do) or again "Developers do what they want" ?

heisenberg · 2017-12-09 10:31:21

pepper wrote:

Does arch linux express itself regarding probable espionage software in the distribution (as debian,fedora or mint do) or again "Developers do what they want" ?

I guess they do what they want (Allan is a dev, iirc). However, take a look here https://wiki.archlinux.org/index.php/Arch_Linux

Alad · 2017-12-09 17:28:48

As the link above says, Arch will ship whatever upstream ships with a minimum of required changes. If upstream happens to make questionable decisions about "probably espionage software" (e.g. atom, smtube), then so be it and we'll tell people to complain to upstream instead of us. After all, patching something in Arch implies the change will be in Arch only, and not in any other distributions.

If you don't agree with this logic, it's as simple as not installing the packages in question, or using some distribution with strict adherence to the GNU free software guidelines.

Last edited by Alad (2017-12-09 17:34:45)

Trilby · 2017-12-09 17:48:12

pepper wrote:

1) ... where the developer "x" tells the developer "y": "you do this"...

https://lists.archlinux.org/listinfo/

pepper wrote:

2) Is there a boss?

You. You decide what to install and what not to install. You can decide to build a package with different options, patches, or configure flags. You are responsible for your system; no one else is.

pepper wrote:

3) Is there an official "sort of warranty"

Definitely not. But there is a security team. Feel free to contribute to it.

loqs · 2017-12-09 18:45:46

Alad wrote:

As the link above says, Arch will ship whatever upstream ships with a minimum of required changes.

However what constitutes necessary changes is solely at the discretion of the packager.
For instance https://git.archlinux.org/svntogit/comm … ibvirt#n92

Trilby wrote:

But there is a security team. Feel free to contribute to it.

A pity that team seems only reachable via IRC.

It does seem there are more rules of formal governance for TU's and for maintainers of AUR packages than for developers.

Alad · 2017-12-09 23:35:31

However what constitutes necessary changes is solely at the discretion of the packager.

Yes, that's mentioned in the same wiki article. "The principles here are only useful guidelines. Ultimately, design decisions are made on a case-by-case basis through developer consensus."

In any case, I would say that the "limited patching" idea prevails in most of our repo packages. Compare any random sampling of packages in Arch with say, Debian.

Allan · 2017-12-10 06:11:15

loqs wrote:

A pity that team seems only reachable via IRC.

Or the bug tracker, or the security email address, or ...

loqs · 2017-12-10 10:35:43

Allan wrote:

loqs wrote:
A pity that team seems only reachable via IRC.
Or the bug tracker, or the security email address, or ...

The first point I agree would usually be the best option but please see https://bugs.archlinux.org/task/56647.
security email address I do not see such an address listed on https://wiki.archlinux.org/index.php/Arch_Security_Team and a search engine query of "arch linux security email address"
only returned references to the arch-security mailing list which as I understand it is only used to post security announcements.
Eli Schwartz has been working towards a solution in this case and I should thank him for his efforts.

Allan · 2017-12-10 10:47:49

loqs wrote:

security email address I do not see such an address listed on https://wiki.archlinux.org/index.php/Arch_Security_Team and a search engine query of "arch linux security email address"

security@...

Alad · 2017-12-10 14:54:32

loqs wrote:

security email address I do not see such an address listed on https://wiki.archlinux.org/index.php/Arch_Security_Team and a search engine query of "arch linux security email address"

???

If you have a private bug to report, contact security@archlinux.org. Please note that the address for private bug reporting is security, not arch-security. A private bug is one that is too sensitive to post where anyone can read and exploit it, e.g. vulnerabilities in the Arch Linux infrastructure.

I guess it puts some emphasis on "private bugs"...

loqs · 2017-12-10 18:01:31

Alad wrote:

loqs wrote:
security email address I do not see such an address listed on https://wiki.archlinux.org/index.php/Arch_Security_Team and a search engine query of "arch linux security email address"
???
If you have a private bug to report, contact security@archlinux.org. Please note that the address for private bug reporting is security, not arch-security. A private bug is one that is too sensitive to post where anyone can read and exploit it, e.g. vulnerabilities in the Arch Linux infrastructure.
I guess it puts some emphasis on "private bugs"...

Thank you the pointing that out do not know how I missed it.

Arch Linux

#1 2017-12-09 09:18:31

Arch development in detail and user privacy

#2 2017-12-09 09:28:52

Re: Arch development in detail and user privacy

#3 2017-12-09 09:55:55

Re: Arch development in detail and user privacy

#4 2017-12-09 10:31:21

Re: Arch development in detail and user privacy

#5 2017-12-09 17:28:48

Re: Arch development in detail and user privacy

#6 2017-12-09 17:48:12

Re: Arch development in detail and user privacy

#7 2017-12-09 18:45:46

Re: Arch development in detail and user privacy

#8 2017-12-09 23:35:31

Re: Arch development in detail and user privacy

#9 2017-12-10 06:11:15

Re: Arch development in detail and user privacy

#10 2017-12-10 10:35:43

Re: Arch development in detail and user privacy

#11 2017-12-10 10:47:49

Re: Arch development in detail and user privacy

#12 2017-12-10 14:54:32

Re: Arch development in detail and user privacy

#13 2017-12-10 18:01:31

Re: Arch development in detail and user privacy

Board footer