The Arch security team has been more or less dead for some months now (with a few exceptions, like announcing the big wifi bug recently).
The LTS Linux kernel doesn’t receive all the security fixes that the mainline one does. Greg KH has written about this pretty extensively.
The Arch security team is active, but still understaffed. Public (non-embargoed) activity may be viewed here: https://security.archlinux.org/log
To rephrase what I said, the upstream LTS kernels (not specifically Arch’s) have a lot of security fixes backported to them, but not all. In many cases the fixes are applied automatically based on tags in the commit. If they don’t apply cleanly, usually they don’t get manually merged back. It’s simply too much work and too many security bugs to handle. There have also been a lot of cases where fixes were only half-backported or backported incorrectly. The grsecurity guy, as much as I loathe him, has many examples of this on his Twitter.
For these reasons I recommend people avoid the LTS kernels and stick with the newest one.
The security team in Arch does not actually improve its security at all. Their “main” role, according to the wiki, is to fill out CVE forms and publish email announcements. This is a near-useless task in my personal opinion, so it doesn’t matter if they’re active or inactive. What matters is that packages actually get security updates in a timely manner. I can say that Arch struggles with this a little bit sometimes, but is generally fine.
So…what are your thoughts on all this mess?
My initial thoughts:
As I’ve publicly stated before, I do NOT trust Arch…at all, despite it being my distro of choice.
I remember a forum user writing, in badly translated English, something that became a meme:
I’m not super concerned, given that the risk of each security situation has to be considered. There are security issues that are very hard to exploit, which may not warrant a fix given the effort.
A payload is going to have to get onto your computer to exploit most of these issues. How would that happen?
someone walks up to your computer with a USB stick, mounts it and runs something
a computer attached to a mounted file system that you are also connected to has an app with a payload put on it, and you run the app on your other computers
a package you have installed has an issue
media content downloaded has a payload (OGG, MP3, video, etc)
web browser pulls a web page that has some payload
… etc. Protect the perimeter. That is likely your biggest risk.
Not every security issue is equal. Of course every little thing is not going to get patched; that’s a lot of work. It’s also a lot of work to exploit these less severe vulnerabilities. At least for the ones I sometimes look into, most of the time they need a constellation of things to be exploitable.
Yeah, I just hope when they decide what to backport, they prioritize vulnerabilities exploitable over the network or stuff that’s stupidly easy to execute. I saw one like two years ago, where you copied a short command and you had root access.
This one is interesting: some Chinese account snuck in some test files that somehow compromised the builds, if I read it right. He’s been a maintainer since 2022.
It is fascinating, in a morbid way, when you read "Then last week, Trend Micro detailed a threat activity cluster it tracks as Earth Krahang and which has shifted to using DinodasRAT since 2023 in its attacks aimed at several government entities worldwide." and you think “geeez, the games we play.”
So many bad actors, acting in bad faith.
Dinodas is the most interesting to me. It took a while to read all 3. I didn’t come out walking on sunshine, oh yeah.
Guyana?? And Dinodas is "mainly designed to target Red Hat-based distributions and Ubuntu Linux."
Or at least world .govs with Linux. When Linux found me about a decade ago these exploits were so rare. News of one Linux exploit was pinned to the top of forums…now you can’t keep up. My biggest fear when I joined the community and left Win behind was “I wonder how long til the bad guys make lots of malware/exploits for Linux?” Didn’t take long.
Thanks for publishing these security posts. It’s like a Clown PSA.
I think it was always the case; it’s just that detection methods and the availability of serious tools became more widespread…as well as AI for both white and black hats around the world…
Also, if I had to guess, we see much more of it right now due to:
Wars, espionage related to it
Election season
Crypto on the rise, which means there are a lot of incentives to hijack some of that for h4xXx0rz
You could use Ubuntu. Then security issues are actually considered “features” like snaps. Then you don’t even need to worry if there’s a problem - you already know there’s one so then you can stop wondering.
No thx, I trust those Red Hat (IBM) beta testers even less.
Debian is the only one of the core distro teams that is professional & paranoid enough, in my view, so you can trust them more or less, but the stable release model has its downsides too…
I have been using Linux for a short time. I used Ubuntu and Fedora for a short time; the remaining 80% of the time I have been using Arch-EOS (although it is still a short time).
Why don’t you trust ARCH? And when you refer to “ARCH”, do you mean the repository, or something else?
I have been watching videos about this vulnerability, and although I am a very new Linux user, I have come to understand that it was a serious vulnerability.
So, just as this vulnerability was detected thanks to a random user because of a difference of 5 milliseconds (or something like that), is it possible that there are other users who have created other backdoors that are already in our Linux?
That scares me. Of course I don’t plan to go back to Windows but I want to be as safe as possible.
Also, imagine if this backdoor had been completed and then people found out about it; it would have been a big negative blow for Linux.
Even Microsoft has been speaking badly about the security of Linux regarding this backdoor (as I have read on reddit).
Although imagine Microsoft giving security/privacy lessons…
It’s pretty clear that as a smart I don’t trust anyone, including myself…let alone distro maintainers.
Weird question, because what you’re really asking is: is it possible to have an undiscovered backdoor or vulnerability in an OS (in this case Linux)? The answer is obviously yes.