Hi everyone :).

Just getting started with Manjaro as daily drive to get some easier arched based distro. Except for the LVM bug with calamares everything is pretty smooth :).

But at first boot, I saw they have added their personal Manjaro logo on boot and I directly though of the bug exploit logoFAIL I heard a few month ago and It made me curious if this is something that could be exploitable by Manjaro.

Probably not, this would harm their image and hard worked system, but I’m still curious… If someone smarter/more knowledgeable than me could chime in and give some valuable information on this topic regarding Manjaro, I would really appreciate it !

Thank you !

  • sorrybookbroke
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    6 months ago

    absolutely, thank you for asking

    Manjaro has been continuously destructivte to the open source ecosystem it utilizes and it’s users through continual incompetence.

    Manjaro and it’s staff often suggested to users that they use “pacman -Syyu” by default to update, which ignores caching to get a reloaded database. This puts a heavier load on the volunteers hosting the repos.

    Manjaro made a campaign stating that “Manjaro works on the m1 apple macbook!” Shipping a random kernal from asahi linux which did not work at all. The project was nowhere near ready at the time and could never boot. This wasn’t the latest build either, just some random build. This build could have easily broken users macbooks.

    Back to the asahi, when it did work they pushed an update to the kernal that broke half the users gui. This by updating a library which was documented to break in this manner. It broke all x11 instances showing they didn’t even run it to ensure it worked. No benefit existed from updating either more was it stated to be the goal of their patch. The reason it wasn’t checked by the devs is due to the fact the patch came from the lead arm dev of manjaro. This man should know better.

    On the funding of manjaro, a company, things have been a little funky. After a spat between their treasurer and leader of the project the treasurer either left or was removed. Now, what happened is blurry, but now the sole person in charge of money is that leader who has never appointed a new treasurer as they stated they would. Atleast since last I checked. If the previous treasurer is right this person was utilizing development funds to acquire a powerful gaming laptop. Something which is directly against the stated purposes this company may use money, and the responsibility of a treasurer to deny.

    They let their ssl run out 5 times. 5 times. I am a web dev, this shouldn’t happen once. One can automatically renew it. This shows their continual incompetence. The first time, they suggested users set back their clocks so it would stop complaining.

    Manjaro ddosed the aur twice using their tool pamac. Both in the same manner showing once it had happened nothing changed to ensure it couldn’t twice. This was not malice of course, just an mistake twice made.

    Back to the aur, though many will never have an issue as they only use it for general programs they don’t hold it back that two week period so version mismatches can break that which is installed from the aur.

    Still on the aur, the ability to enable it is right next to flat packs and snaps in pamac. Both are relatively safe, unlike the aur. They do not properly warn users about the aur. I’ll admit this to be a lesser thing, but anyone using the aur should know it’s faults. It’s just a list of scripts which your pc will run to install a package that’ll auto update to the next version of a script when updating. This means, basically anything can be put inside there. By design too this is rarely maintained by the devs of a project. One issue which came up, the cemu emulator a very commonly used package had to calls to an IP logger alongside a list of people who can “go fuck themselves”. If you let this update without reading it you can recieve malicious updates. When malware exists and propagates on linux the aur is the first place it’ll go. You need to be able to read the scripts and do so each update . The air is a very useful tool but a dangerous one.

    There’s more out there but I’m going to leave it here. Sorry for the rambling nature, but I’ a bit tired right now

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      3
      ·
      6 months ago

      The ddos thing could happen from an actual attack. Arch should really look into building up better defenses against attack. It is dumb that it came from an actual distro but technically it could come from anywhere.

      • sorrybookbroke
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        6 months ago

        No argument from me there, the aur is not very well made. On arch I do have some issues with how the aur is operated along with the behavior of arch maintainers. Not to the point I’d state using the distro is a bad choice though, as quite a few are minor, disagreements on tech philosophy, or currently being addressed.

        My issue with manjaro is their continual incompetence while most of the time doing nothing to stop the issue from recurring. Most of the problems I have seen manjaro go through are repeated. They don’t learn. Their issues aren’t just structural but a culture the company holds onto.

    • N0x0n@lemmy.mlOP
      link
      fedilink
      arrow-up
      2
      ·
      6 months ago

      Thank you very much for your throughout and explanatory response !!! <3 I also read all the comments and I know what I will be doing !

      While I did like the well build defaults, I didn’t liked how they added their logo on boot up, even if it has nothing to do with logoFAIL exploit, It felt wrong (or does every distro does that?). Also the fact they added their own bookmarks in my freshly installed Firefox left me a bit skeptical… :/

      There’s probably nothing to be alarmed off but That doesn’t feel right… If they do that, what else could they add hidden in the distro normal people can’t see ?

      If I may ask, do you have any good distro you would recommend? Something as bare bone as possible, as good as debian but a bit more up to date. I do not fear some tinkering with a new distro but Arch is a bit to much of a hassle right now… That’s why I chose Manjaro.

      My second pick was EndeavourOS as daily drive, but the community is small compared to manjaro and it’s relatively new in the game. Any thoughts?

      Thank you !!

      • sorrybookbroke
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        6 months ago

        Sorry I’m a bit late, and it seems you’ve chosen endeavor (good choice), but I’ll still give you some suggestions.

        First off on endeavor, it’s essentially just a graphical, easier arch installer so if you’re having issues and can’t find anything endeavour specific anything arch linux will work the same. The arch wiki os a great resource for anything.

        Secondarily, I can suggest opensuse tumbleweed, or fedora. Both are more stable while being very up to date. Arch, and endeavor, will usually be the first distro to see an issue that misses testing. These two distros are just a bit behind arch but still very quick to update. Tumbleweed is also pretty bare bones too, after I installed everything I needed for a normal work instal it was about 6.7gb. Great distro, terrible logo.

        To finish off I am sorry about manjaro. It does look great, it’s got a nice color scheme, and plasma by default is wonderful to see. That can be gotten pretty easily on any distro though. When you install endeavour you can select kde plasma. It’s also default on tumbleweed, and you can get a plasma spin for fedora.

        Wish you the best in your journey, I’m sorry it’s off to a bit of a rough start