@thebiologist1117 @404zzz They use a script to scan your system for what you have installed (WM/DE etc) for "updates", despite your package manager doing that for you.

They have allowed their TLS certificates to expire multiple times (at least 2) and told their users to change their clocks back to bypass the security issue (which also bypasses security for every other website on the planet and makes TLS useless).

They have unintentionally DDoSed Arch Linux's servers because they were too incompetent to do package management properly.

@inference @404zzz @thebiologist1117 Can you tell me a bit more about the update thing? I'm thinking it's probably some kind of usability feature, since they also support Flatpaks and the AUR in their package manager. But I've never heard about this before, weird.

And the TLS thing, I don't know how easy it is to renew the certificates, but considering they have a big team working behind this distro, maybe they could've handled the situation better. But this still wouldn't make them evil/bad IMO.

@futureisfoss @404zzz @thebiologist1117 The update thing is a script you can find in their Git repositories. It scans your system to find out what software you have so it can "update" it, even though your package manager already does this without a scanner script. Seems like spyware to me.

TLS certificates can be renewed automatically, and take even just seconds manually. There is zero reason why any professional organisation would allow TLS certs to expire. None.

Telling people to roll clocks back *is* the definition of an evil security sin. Not only is it incompetent, it is downright dangerous and malicious. TLS encryption relies on date and time being correct. Changing this to make expired certificates unexpired is putting the user at extreme risk and is worse than using unencrypted HTTP.

@inference @404zzz @thebiologist1117 @futureisfoss Wow, that’s beyond bad. I remember hearing about this back in the day but didn’t know the whole story behind it.

If I was going to use Linux now, it would hands down be Fedora.

@pete @inference @404zzz @thebiologist1117
I don't think it's as bad as it seems. The scanner script is probably a usability/functionality thing; I don't think Manjaro is trying to spy on people, lol. The TLS one, I understand why some people have a problem with that. They probably fucked up something on their servers, I don't know what, but it must have been bad enough to ask people to change their clocks - but only temporarily, and the security risks are those of an expired TLS certificate, which is kinda rare these days 🤔

@futureisfoss @pete @404zzz @thebiologist1117

> change their clocks - but only temporarily, and the security risks are of expired TLS which is kinda rare these days

No, this is feeding the ridiculously bad and naive security practices seen here. I'm not trying to imply that you're stupid here, but you clearly don't understand the risks of TLS certificates and bypassing clocks, and how time sensitivity plays an enormous role in security as a whole.

This should never have happened. No excuses. None. This is careless, reckless behaviour, which could get every one of their users middlemanned and backdoored in seconds.

@inference @404zzz @pete @thebiologist1117 I don't know that much about TLS, so maybe you're right, it's a bigger threat than I assumed. When Manjaro asked users to change their clocks, it was only a temporary thing, right? Because it'd be a hundred times worse if it was permanent.

@futureisfoss @404zzz @pete @thebiologist1117 Whether temporary or not is completely irrelevant. Changing date or time to an incorrect value, whether intentionally or unintentionally, is a major security risk and can (and will) cause issues with everything from verifying that the owner of the TLS certificate (and thus domain) is authentic and still owns that domain, and incorrect times affect sudo and doas, as well as login times and account lockouts on local systems using time-based lockouts.

Maliciously and/or incompetently telling users to roll back clocks is *literally* breaking 80+% of the security on their system, even offline. They should have renewed their cert, or taken their website offline if that wasn't possible for some reason. What they did (multiple times!) was put their users in extreme danger. Even passwords are effectively useless in some situations where time is used as a base.
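As an added illustration (not code from this thread, and not anything Manjaro shipped), here is a Python script showing what the time check inside certificate validation actually boils down to, and why "set your clock back" defeats it: the client has nothing to compare notBefore/notAfter against except whatever the local clock says. The certificate dict, its dates, the scenario timestamps and the KNOWN_GOOD_FLOOR idea are all constructed assumptions for the example; only ssl.cert_time_to_seconds is a real standard-library function.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a certificate whose validity window closed on 2022-02-01. It is made up
# for this example and is not any real site's certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan  1 00:00:00 2021 GMT",
    "notAfter": "Feb  1 00:00:00 2022 GMT",
}


def utc(year, month, day):
    """Epoch seconds for midnight UTC on the given date."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


def validity_window(cert):
    """(notBefore, notAfter) as epoch seconds, parsed with the stdlib helper
    that understands the getpeercert() date format."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def naive_check(cert, now):
    """What the validity-period check is: is the local clock inside the
    window? Whatever 'now' the system reports is trusted unconditionally,
    which is exactly why "set your clock back" makes an expired cert pass,
    and with it every other expired (possibly compromised) cert on the net."""
    not_before, not_after = validity_window(cert)
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    return "ok"


# Assumption for the hardened variant (an illustrative hardening, not a
# described Manjaro or browser feature): the client knows a timestamp that
# the real clock cannot be earlier than, e.g. the time its own binary was
# built. A reported time before that is a broken or manipulated clock, and
# the right response is to refuse the connection, not to trust the cert.
KNOWN_GOOD_FLOOR = utc(2022, 1, 15)


def hardened_check(cert, now, clock_floor=KNOWN_GOOD_FLOOR):
    """Same check, but a clock that cannot be right is an error of its own."""
    if now < clock_floor:
        return "clock-implausible"
    return naive_check(cert, now)


def demo():
    """Returns {scenario: (naive result, hardened result)}."""
    real_now = utc(2022, 3, 1)      # a month after the cert expired
    rolled_back = utc(2021, 6, 1)   # the "fix" users were told to apply
    return {
        "real clock": (naive_check(SAMPLE_CERT, real_now),
                       hardened_check(SAMPLE_CERT, real_now)),
        "rolled-back clock": (naive_check(SAMPLE_CERT, rolled_back),
                              hardened_check(SAMPLE_CERT, rolled_back)),
    }


if __name__ == "__main__":
    for scenario, (naive, hardened) in demo().items():
        print(f"{scenario:18s} naive={naive:10s} hardened={hardened}")
```

With the real clock both checks report the certificate as expired; with the rolled-back clock the naive check reports "ok", while the hardened check rejects the clock itself. The rolled-back clock does not make one site's certificate valid again; it makes every expired certificate, including ones whose private keys may have leaked since expiry, look valid to that client until the clock is corrected.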

@inference @404zzz @pete @thebiologist1117
I understand what you're saying, but I wouldn't say whether it's temporary or not is completely irrelevant. Every time a software vulnerability is found and an update is released to fix it, we tell everyone to quickly update to the latest version. Why is that? Because the longer they wait before updating, the more time they're vulnerable, and that increases their chance of being exploited. So a permanent vulnerability is a hundred times worse than a temporary one.

@inference @404zzz @pete @thebiologist1117 I'm not trying to defend Manjaro here. I know they fucked up, and I agree what they did was wrong. You have every right to call them incompetent for that. But I wouldn't say they're malicious or evil, though.

@futureisfoss @404zzz @pete @thebiologist1117 Perhaps not malicious, but certainly incompetent.

If you ask me, incompetence is worse, because they think what they're doing is right when it's not. At least malice knows what it's doing.

@inference @404zzz @pete @thebiologist1117
> If you ask me, incompetence is worse, because they think what they're doing is right when it's not. At least malice knows what it's doing.

In my personal opinion, I think malice is worse. I have worked on some projects and I know mistakes happen sometimes; we're all human. But when we realize our mistake we should accept it and try to correct it. This is the important thing for me.

@futureisfoss @inference @404zzz @thebiologist1117 I’m not a cybersecurity expert, but I know enough that doing something like this may as well be malicious; the result is the same. Our work server had an issue with the clock sync getting disabled, and it broke a key part of functionality and verification. Internal only, but still a huge impact.

You just don’t mess around with clock settings for any reason, ever.

@pete @futureisfoss @inference @404zzz @thebiologist1117 That brings back memories of Windows Vista refusing to update because it put itself in the wrong time zone.

@AmpBenzScientist @futureisfoss @inference @404zzz @thebiologist1117 😂 Ah, Vista. They still haven’t lived that OS down after all these years. I’ll just leave this here:

youtube.com/watch?v=FVbf9tOGwn

@pete @AmpBenzScientist @futureisfoss @404zzz @thebiologist1117 Vista wasn't bad. It was better than XP.

Vista was the first release of Windows to include any useful security, and is the basis of every version of Windows since. Even Windows 11 is heavily based on Vista.

@inference @pete @404zzz @thebiologist1117 @futureisfoss Yes it was the first to have a MAC system. It wasn't that bad. Most people have never heard of Microsoft Unix so it could have been that bad.

Qoto Mastodon