[Question] Manjaro, out of curiosity question, does the image on boot have any security implication regarding LogoFAIL?

Hi everyone :).

Just getting started with Manjaro as a daily driver to get an easier Arch-based distro. Except for the LVM bug with Calamares, everything is pretty smooth :).

But at first boot, I saw they have added their personal Manjaro logo on boot and I directly thought of the LogoFAIL exploit I heard about a few months ago, and it made me curious if this is something that could be exploitable by Manjaro.

Probably not, this would harm their image and hard worked system, but I’m still curious… If someone smarter/more knowledgeable than me could chime in and give some valuable information on this topic regarding Manjaro, I would really appreciate it !

Thank you !

sorrybookbroke ,

Manjaro damaging its image wouldn’t be a new thing. That’s mostly dust at this point. No though, as others have explained, this isn’t an issue, currently.

N0x0n OP ,

Manjaro damaging its image wouldn’t be a new thing.

Could you elaborate? :)

MyNameIsRichard ,

They’ve let their site certificates expire a few times and told their users to set their clocks back to get around the issue, and they’ve accidentally DDoSed the AUR a couple of times with their package management tools.

possiblylinux127 ,

“Just set your clock back”

My brother in Christ, you just need to renew the cert. If anything tell users to hit ignore.

(This is the thought that went through my head when it happened)

sorrybookbroke , (edited )

absolutely, thank you for asking

Manjaro has been continuously destructive to the open source ecosystem it utilizes and its users through continual incompetence.

Manjaro and its staff often suggested to users that they use “pacman -Syyu” by default to update, which ignores caching to get a reloaded database. This puts a heavier load on the volunteers hosting the repos.

Manjaro made a campaign stating that “Manjaro works on the m1 apple macbook!” Shipping a random kernel from asahi linux which did not work at all. The project was nowhere near ready at the time and could never boot. This wasn’t the latest build either, just some random build. This build could have easily broken users’ macbooks.

Back to the asahi, when it did work they pushed an update to the kernel that broke half the users’ gui. This by updating a library which was documented to break in this manner. It broke all x11 instances showing they didn’t even run it to ensure it worked. No benefit existed from updating either, nor was it stated to be the goal of their patch. The reason it wasn’t checked by the devs is due to the fact the patch came from the lead arm dev of manjaro. This man should know better.

On the funding of manjaro, a company, things have been a little funky. After a spat between their treasurer and leader of the project the treasurer either left or was removed. Now, what happened is blurry, but now the sole person in charge of money is that leader who has never appointed a new treasurer as they stated they would. At least since last I checked. If the previous treasurer is right this person was utilizing development funds to acquire a powerful gaming laptop. Something which is directly against the stated purposes this company may use money, and the responsibility of a treasurer to deny.

They let their ssl run out 5 times. 5 times. I am a web dev, this shouldn’t happen once. One can automatically renew it. This shows their continual incompetence. The first time, they suggested users set back their clocks so it would stop complaining.

Manjaro ddosed the aur twice using their tool pamac. Both in the same manner showing once it had happened nothing changed to ensure it couldn’t twice. This was not malice of course, just a mistake twice made.

Back to the aur, though many will never have an issue as they only use it for general programs they don’t hold it back that two week period so version mismatches can break that which is installed from the aur.

Still on the aur, the ability to enable it is right next to flat packs and snaps in pamac. Both are relatively safe, unlike the aur. They do not properly warn users about the aur. I’ll admit this to be a lesser thing, but anyone using the aur should know its faults. It’s just a list of scripts which your pc will run to install a package that’ll auto update to the next version of a script when updating. This means, basically anything can be put inside there. By design too this is rarely maintained by the devs of a project. One issue which came up, the cemu emulator a very commonly used package had to calls to an IP logger alongside a list of people who can “go fuck themselves”. If you let this update without reading it you can receive malicious updates. When malware exists and propagates on linux the aur is the first place it’ll go. You need to be able to read the scripts and do so each update. The aur is a very useful tool but a dangerous one.

There’s more out there but I’m going to leave it here. Sorry for the rambling nature, but I’m a bit tired right now
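The comment above advises reading the AUR build script on every update. As an added example that is not part of the original thread, this sketch lists only the lines an update adds to a PKGBUILD and flags those worth reading first; the pattern list, function names and both sample PKGBUILDs are constructed for illustration, and a match is a prompt to read the line, not a verdict.

```python
import difflib
import re

# Heuristic patterns (assumptions of this example, not an official list).
RISKY = {
    "network fetch": re.compile(r"\b(curl|wget|nc|ncat)\b"),
    "hard-coded IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "decode/eval": re.compile(r"\beval\b|base64\s+(-d|--decode)|\|\s*(ba)?sh\b"),
    "integrity skipped": re.compile(r"\bSKIP\b"),
    "source changed": re.compile(r"^\s*(source|url)(_\w+)?="),
}

# Constructed sample: the PKGBUILD reviewed at install time ...
OLD = """\
pkgname=example-tool
pkgver=1.0
source=("https://example.org/example-tool-1.0.tar.gz")
sha256sums=('PLACEHOLDER_SHA256')
build() {
  make
}
"""
# ... and the version offered by a later update (192.0.2.10 is a documentation address).
NEW = """\
pkgname=example-tool
pkgver=1.1
source=("https://example.org/example-tool-1.1.tar.gz")
sha256sums=('SKIP')
build() {
  curl -s http://192.0.2.10/ping >/dev/null
  make
}
"""

def added_lines(old, new):
    """Return the lines that exist in the new script but not in the old one."""
    a, b = old.splitlines(), new.splitlines()
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    out = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "insert"):
            out.extend(b[j1:j2])
    return out

def review(old, new):
    """Return (label, line) pairs for added lines that match a risky pattern."""
    return [(label, line.strip())
            for line in added_lines(old, new)
            for label, pat in RISKY.items() if pat.search(line)]

if __name__ == "__main__":
    for label, line in review(OLD, NEW):
        print(f"[{label}] {line}")
```

Lines that were already present when the package was first reviewed are not reported, so the output stays short enough to read on every update.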

possiblylinux127 ,

The ddos thing could happen from an actual attack. Arch should really look into building up better defenses against attack. It is dumb that it came from an actual distro but technically it could come from anywhere.

    possiblylinux127 ,

    Manjaro is run by people who know enough to be dangerous

    N0x0n OP ,

    Thank you very much for your thorough and explanatory response !!! <3 I also read all the comments and I know what I will be doing !

    While I did like the well-built defaults, I didn’t like how they added their logo on boot up, even if it has nothing to do with the LogoFAIL exploit, it felt wrong (or does every distro do that?). Also the fact they added their own bookmarks in my freshly installed Firefox left me a bit skeptical… :/

    There’s probably nothing to be alarmed of but that doesn’t feel right… If they do that, what else could they add hidden in the distro normal people can’t see ?

    If I may ask, do you have any good distro you would recommend? Something as bare bone as possible, as good as debian but a bit more up to date. I do not fear some tinkering with a new distro but Arch is a bit too much of a hassle right now… That’s why I chose Manjaro.

    My second pick was EndeavourOS as a daily driver, but the community is small compared to manjaro and it’s relatively new in the game. Any thoughts?

    Thank you !!

    sorrybookbroke ,

    Sorry I’m a bit late, and it seems you’ve chosen endeavour (good choice), but I’ll still give you some suggestions.

    First off on endeavour, it’s essentially just a graphical, easier arch installer so if you’re having issues and can’t find anything endeavour specific anything arch linux will work the same. The arch wiki is a great resource for anything.

    Secondarily, I can suggest opensuse tumbleweed, or fedora. Both are more stable while being very up to date. Arch, and endeavour, will usually be the first distro to see an issue that misses testing. These two distros are just a bit behind arch but still very quick to update. Tumbleweed is also pretty bare bones too, after I installed everything I needed for a normal work install it was about 6.7gb. Great distro, terrible logo.

    To finish off I am sorry about manjaro. It does look great, it’s got a nice color scheme, and plasma by default is wonderful to see. That can be gotten pretty easily on any distro though. When you install endeavour you can select kde plasma. It’s also default on tumbleweed, and you can get a plasma spin for fedora.

    Wish you the best in your journey, I’m sorry it’s off to a bit of a rough start

    lemmyvore ,

    There’s a small but vocal minority that absolutely hates the idea of “Arch made easy”. They think you should work hard to be worthy of using Arch. Manjaro is their anti-Christ. They show up in every conversation about Manjaro. I call them the “Manjaro sucks btw” people. 😆

    They usually mention some irrelevant shit that happened years ago. Sometimes they can’t be bothered to type it out and only link to a page that one of them put up. Or literally just say “Manjaro sucks”. Sadly, the irony of being lazy when smearing a distro they consider lazy is lost on them.

    sorrybookbroke , (edited )

    I would absolutely love it if manjaro was a reasonable choice. It was my first pick too. Their continual incompetence is what makes me wary of the company. I doubt you want a conversation as you’re quick to paint me in this light but I do expand here on my major reasons:

    sh.itjust.works/comment/12137275

    Some of this stuff happened only a few years ago. The same people are still running this company. I have no reason to think they’ve changed.

    If you just want “arch made easy” I would suggest EndeavourOS (best wallpapers hands down) or arco linux.

    I love the idea of manjaro and sincerely hope that either a, they get their shit together (which is preferred), or b, a new manjaro like distro comes into existence.

    The two week delay along with the calamari installer, and default plasma desktop give me a half chub already thinking about it. I’d be full send for it if the devs were competent

    lemmyvore ,

    And here’s some of mine: lemmy.world/comment/10439242

    I grow weary of Manjaro detractors because the malice is always there. You can’t make up your mind whether you hate the developers or what they do. You hate episodes like the “AUR DDoS” without knowing all the facts, or considering how shitty AUR infrastructure is that if a pigeon landed on the roof it would go down, so in the same breath you condemn Manjaro for “AUR incompatibility” and for promoting AUR and for “DDoS”-ing it. I mean pick a lane.

    But mostly it’s just the hate that always seeps through that bothers me, not the content (which is the same inane stuff on manjarno over and over). What kind of person defines themselves by hate for something they don’t even use? There’s a million distros out there, there’s something for everybody. You’re not Inigo Montoya, get over it, Jesus. There was a root exploit unfixed in Debian for a while, do you hate them too? Can you imagine the reactions if there were a root exploit in Manjaro? Is any of this irony getting through?

    sorrybookbroke , (edited )

    You are misrepresenting my points, and the anger you ascribe to me is odd, as the only person representing this behavior is you. You insult me, you misrepresent my points, you say I’m defined by my apparent hatred. This is strange behavior only suited to getting your “enemy” to shut up and in no way constructive nor conducive to a reasonable conversation.

    Firstly, my issue is that they don’t warn about the dangers of the aur properly. Not that they promote it at all. If you read my statement I am clear. The aur is very useful, though dangerous. Also, on manjaro, version mismatch is likely to happen as the aur is built for arch and arch is two weeks ahead. You however pretend my point to be some entirely different thing in order to get your epic own.

    Next, on the aur ‘ddosing’, what do I not understand? The first time, ok, that’s reasonable we all make mistakes. They did it again though in the same way. Nothing was done on their end to stop this from happening. Something we will see continually as they just don’t stop making weird, unnecessary mistakes.

    As for me being Inigo Montoya, I actually am for your information. Manjaro killed my daddy-dom while I was sucking him off and for that I cannot forgive the company.

    This hatred you fantasize about does not come from me. Calm down and maybe try actually talking to people instead of trying to “own” them, or to simply “destroy the anti-manjarites”

    Edit: I see in the other post you did the same. Ignore what people kindly talking about their issues with manjaro say responding with hateful comments pretending they were the real issue. This is a continual issue with you

    possiblylinux127 ,

    They don’t accept their own mistakes even. They do things like ship a broken kernel and then blame the upstream development.

    Why even use it? There are much better options.

    lemmyvore ,

    Which kernel was that? Manjaro recommends using LTS kernels.

    possiblylinux127 ,

    M1 Mac kernel from upstream. They didn’t bother to tell anyone and just pulled from master.

    lemmyvore ,

    Yeah you can do that, it’s in the license. You don’t have to “tell someone”, you just have to publish the source.

    possiblylinux127 ,

    Can is not the same as should

    N0x0n OP ,

    Thank you :) EndeavourOS was my second pick !

    I picked manjaro because their user base is bigger and Manjaro is older. I will probably switch to EndeavourOS for all the reasons mentioned here and there in the comments. There seems to be a common strange atmosphere around manjaro.

    Also, because that logo thing on boot made me make this post, this means I already felt something is odd with Manjaro. Always follow your guts !

    Ps: Didn’t think it’s that much of a heated subject. It’s a bit sad, I really liked manjaro’s default and looks amazing.

    possiblylinux127 ,

    If it was some minor thing I wouldn’t care much. I am not an Arch user and I probably will never be.

    The problem with Manjaro is the leadership is questionable. It isn’t just a few blunders. It is repeated mistakes that have caused real harm. They write themselves off as user friendly but they can’t seem to figure out how to manage it properly. I am not against user friendly Arch. However, the nature of Arch means it is very very hard.

    Linux Mint and Fedora are much better and don’t have the same history of dumb mistakes.

    lemmyvore ,

    You must’ve not been around when Mint and Fedora were new.

    They’ve been around for about twice as long as Manjaro. They made plenty of blunders.

    caused real harm

    Lol.

    possiblylinux127 ,

    This isn’t a lol moment. They have repeatedly screwed over people.

    lemmyvore ,

    Do tell, how did Manjaro hurt you?

    possiblylinux127 ,

    It stole away my radishes

    possiblylinux127 ,

    Manjaro is run by people who don’t know what they are doing. They make huge mistakes frequently and don’t really understand Linux, the internet or project management.

    kylian0087 ,

    Like letting keys expire and ddos the aur to name some.

    Max_P ,

    No. This gets painted on the framebuffer when the OS boots up, it’s after firmware is done with it. It’s barely any different than when full graphics mode loads up.

    LogoFAIL is based on replacing the BIOS logo with one that will trigger the exploit in firmware code, before the OS even starts.

    b166erdk ,

    This is a bios problem. So just update your bios.
