(I'm new to Arch (in fact, I just downloaded the ISO - I haven't installed it yet!!!), so pardon me if the answer is obvious)
I just had a look at the main page (www.archlinux.org), but see that there seems to be only 1 general mailing list. Where do the advisories go to? To this forum only? Is it possible to set up a separate security advisory (or security discussion, depending on the goals of the admins and stuff) mailing list for this?
AFAIK there's only one maillist, and it's general; you can post whatever you want about AL. But it would be a nice idea to have separate maillists.
______
"Ignorance, the root and the stem of every evil." - Plato
Well, thanks for the reply. So where do I go for the all-important security alerts? Do I check this forum? Or do I wade through the posts in the mailing list?
Hehehe... I think you want a word that's more like "not notice" than "wade"... the mailing list is notoriously empty... I'd say 25% of its traffic is just namcap announcement emails ;o)
We don't release a lot of security alerts... we just release a new version and keep going...
I have discovered that all of man's unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal
Hm, ok, thanks. So I take it then that there's no "one stop shop" for "security-updates stuff only" then... That's no problem by me if the list is as you say, "notoriously empty." I just hope that this will only be temporary for now - and that a security-advisory/discussion list will be set up eventually...
Well, the thing is that with Arch, there's something better than security advisories (for just about every situation). You'll understand once you install it and start using pacman.
See, every day or few days, or whatever, all you need to do is type "pacman -Syu" which checks for updates on every package you have installed. If there are ever any security issues, there are new packages created ASAP, and they will be automatically updated with the above command. No need to read any mailing list or anything.
Hapy.
Hm, yeah, ok. I suppose I could do that. I'll have to install and then play around with pacman (I just did an "auto partition and prepare hard drive" - but I'm not satisfied with that).
Pacman is a great tool, but an advisory list (read only) / or one stop security notification system of some type would be really nice... IMHO, this sort of structure is necessary when dealing with linux in a production environment no matter what the distro in use might be.
This sort of thing doesn't need to be overly complicated either... Arch is simple, and should most definitely stay that way ;-)
I'm willing to give up some time to this task if need be... For me, personally, this type of advisory system would help a lot, and would save me some unnecessary worries.
Take care,
ns
We don't release a lot of security alerts... we just release a new version and keep going...
Doesn't this mean if you want to set up a secure server, Arch is a no go? I've been wondering about this for quite a while, because I was trying to make up my mind whether I should convert my FreeBSD server to Arch.
But now I know I'm not going to (yet), for the following reasons:
- Arch doesn't really seem to care about security vulnerabilities, which is, to a certain extent, acceptable on a desktop, but not on a server.
- Arch doesn't pay much attention to stable releases. As Judd has said before, Arch doesn't focus on perfect releases, but on a perfect (-current) tree. This means no real beta/RC testing, which makes even the 0.x releases unsuitable for server use, imho.
I think Arch should pay more attention to stable/server releases and security issues in general.
When I said release a new version, I meant of the package. If there's a security alert, there's usually a bug-fix release upstream that we release as quickly as possible. There has been talk of a stable repo, but currently there aren't enough developers to keep something really going.
If there is a vulnerability with no upstream release, we will almost always patch, but only the version in current (i.e. we won't touch the release repo).
An Arch release is just a snapshot of all the packages in current when we decided to make the release. In that way there is no back-porting of security patches to the release repo (see the mention of a possible stable repo above). Sometimes we release beta cds, but those are mostly to test the install procedure, as opposed to the packages. The packages should have had lots of testing while in current.
Hey... look at Xentac's avatar... there is no virus out there that dares to mess with him.
My point here is that Arch (and Linux in general) is under development. It was in a Swedish forum that I heard about Arch, and there was one guy (a Windows professional) who thought it was great and a few others who didn't. He ran it on desktop only, but his intention was to go for servers also, both privately and professionally. I have not tried FreeBSD myself, but it seems like it is very popular on servers. So my bet here must be that if you like FreeBSD, stick with it, at least until Linux has stabilised.
My own experience before with Linux on the server is very good though, but at the moment it seems like Arch is focusing on the desktop, which I think is great because there are a lot of crappy distros out there.
Be safe!
x
arch + gentoo + initng + python = enlisy