├── README.md
└── old.md

/README.md:
--------------------------------------------------------------------------------
# Manjaro is not ARCH!
A lot of Manjaro users I have talked to say that Manjaro is just Arch
with an installer. However, this is fundamentally wrong!

Manjaro maintains a separate repository [1] which is not in sync with Arch's
main repositories, which means Manjaro is not *just* Arch. To add to that,
even the Manjaro wiki states that it is not Arch [1]! To quote the wiki,

> In fact, the differences between Manjaro and Arch are far greater than
> the differences between the popular Ubuntu distribution and its many
> derivatives, including Mint and Zorin.

# Own repository
Manjaro claims to be stable just by delaying packages for two weeks [1]. This
is not an approach a stable distribution would take at all!

## The problems introduced
If Manjaro were to be actually stable, it would need to hold back the AUR
packages as well. It would have to maintain its own AUR that is in sync with
the Manjaro repos.

Say that a package in the AUR depends on a library, say libxyz, and libxyz is
in the main repos, not in the AUR. The package is updated so that it relies
on the new features introduced in libxyz's version 1.1; however, Manjaro delays
packages, so libxyz is still on 1.0 in Manjaro. If you update the package in
Manjaro, it will break because Manjaro holds back packages. So the only
way Manjaro can be stable is by literally forking all the Arch-related
repositories, including the AUR, and keeping them in sync.

# Security
Manjaro is not really a secure distro.

Their own updater had a security vulnerability which wasn't fixed
until recently [2]. This is actually a core package, not an extra or
community package.
To quote the list,

> I have discovered an issue with one of your core Manjaro packages,
> `manjaro-system` 20180716-1 and earlier.
> The issue allows a local attacker to execute a Denial of Service,
> Arbitrary Code Execution, and Privilege Escalation attack.

That is a lot of attacks made possible by a single vulnerability!

The Manjaro updater [3] engages in all the bad practices one could on
a Linux system in general, and an Arch Linux system specifically. Each time
the system updates, they reinstall some packages to "fix" issues, and
they use the `--noconfirm` flag (force) every time they do so, along with
various other odd sequences of commands which are just as bad, if not
worse [3].

In an update, passwordless updates in pamac (Manjaro's AUR helper)
were sneaked in and, from the look of the issue [4] raised about this,
the change was made to look like a "feature". This is a major security
issue considering that packages in the AUR are not checked by Arch Linux
maintainers (and Manjaro does not maintain its own either). Some AUR
packages were found to be malware in the past [19]. So think about a casual
user (Manjaro's target demographic is not really power users) installing
a harmless-looking AUR package that could potentially mess up their system!

# SSL Certificates
Manjaro let their SSL certificates expire not once but twice [5]!
The first time, they asked the users to use a private window and/or change
the system time [6].
The second time when the SSL certificates expired, they did the same [7].
It happened again, now at three times and counting. [16]
Fourth time is the charm! [17]
Fifth time the certificate has been allowed to expire. [18]
On 2022-11-05 the SSL certificate expired and instead of resolving the issue, they decided to delete the archives.
[20]

# DDoS'ing the AUR

On 2021-04-26, the AUR (Arch User Repository) was DDoS'd by a bad version
of pamac, which is the default graphical package manager for Manjaro [8].

On 2021-10-14, pamac was once again blocked by the AUR for shipping
another bad version that flooded the AUR with requests [14] [15].

# Fishy Finances

It appears that, in September of 2019, Manjaro switched from holding community donations in Philip Müller's personal bank account to accounts held by OpenCollective and CommunityBridge [9]. This change also brought on Jonathon Fernyhough as treasurer. There is also a policy in place that requires all expenses to be discussed on approved channels and nominally approved prior to any purchases [10]. On (or around) July 24th of 2020, a request for a \$2,000 laptop was made by Philip for developer Helmut Stult [11]. Jonathon rejected this expense due to lack of prior discussion and questioned the expense [13]. The role of treasurer is now back fully in Philip's hands, and he has approved the \$2,000 laptop. This raises questions about the integrity of Philip's leadership.

Further discussions and sources:

- https://linuxreviews.org/Manjaro_Linux_Lead_Developer_In_Hot_Waters_Over_Donation_Slush_Fund_For_Laptop_And_Personal_Items
- https://www.reddit.com/r/ManjaroLinux/comments/hwo33h/change_of_treasurer_for_manjaro_community_funds/
- https://www.reddit.com/r/linux/comments/hwoev3/change_of_treasurer_for_manjaro_community_funds/
- https://web.archive.org/web/20200807042341/https://forum.manjaro.org/t/change-of-treasurer-for-manjaro-community-funds/154888

# Links
[1] https://wiki.manjaro.org/index.php?title=Manjaro:_A_Different_Kind_of_Beast

[2] https://lists.manjaro.org/pipermail/manjaro-security/2018-August/000785.html

[3] https://gitlab.manjaro.org/packages/core/manjaro-system/blob/master/manjaro-update-system.sh#L34

[4] https://gitlab.manjaro.org/applications/pamac/issues/719

[5] https://www.reddit.com/r/linux/comments/4inrut/manjaros_ssl_certificate_expired_again/

[6] https://web.archive.org/web/20150409112614/https://manjaro.github.io/

[7] https://web.archive.org/web/20160512210401/https://manjaro.github.io/

[8] https://gitlab.manjaro.org/applications/pamac/-/issues/1017

[9] https://archived.forum.manjaro.org/t/manjaro-is-taking-the-next-step/102105

[10] https://opencollective.com/manjaro/expenses/new (Will show a login prompt, policy can be seen on the right side of the page without logging in)

[12] https://opencollective.com/manjaro/expenses/22477

[13] https://web.archive.org/web/20200807042341/https://forum.manjaro.org/t/change-of-treasurer-for-manjaro-community-funds/154888

[14] https://www.reddit.com/comments/q85t8n/

[15] https://gitlab.manjaro.org/applications/pamac/-/issues/1135

[16] https://forum.manjaro.org/t/expired-certificate-for-iso-download-on-download-manjaro-org/96441

[17]
https://forum.manjaro.org/t/mirrors-download-aur-manjaro-org-ssl-certificate-expired/115074

[18] https://www.reddit.com/r/linux/comments/wr2dps/manjaro_let_their_ssl_cert_expire_again/

[19] https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/

[20] https://forum.manjaro.org/t/am-i-the-only-one-getting-expired-certificate-warning-on-archived-forum-manjaro-org/126049/8

--------------------------------------------------------------------------------
/old.md:
--------------------------------------------------------------------------------
Reminder:
manjaro bad :rage:

To get started,

- It's a clusterfuck full of security issues and broken packages, among other shit.
- They delay packages, which breaks a lot of shit. The AUR seems to not be delayed and therefore isn't in sync with the main packages. So the main reason most Manjaro users are using Manjaro might break unnecessarily, because the AUR (Arch User Repository) is expecting package versions from the Arch repositories.
- Their own updater had a security vulnerability which was fixed recently. [1]
- When the SSL certs of Manjaro's website expired, the devs asked the users to change the date and visit. [2]
- If you just want a GUI installer for Arch, then use Arco Linux or Antergos. They are much better and don't do stupid things like Manjaro. If you're comfortable with a TUI installer, then use Anarchy.
- Installing Arch is easy. If you're here, it means you can read. And if you can read, the Arch wiki is just a click away. If you think reading the Arch wiki is hard, you don't want to be using an Arch derivative anyways. Understand what's going on, instead of being a help vampire on a random forum. Arch users aren't being elitist, they're expecting you to do the minimum research you skipped out on by installing it a different way.
- Arch is more stable than you think.
  The main reason being that you've built your own system. You know what's on it. You know how it works. If something breaks, which is unlikely, you'll be able to fix it. If it's gonna break on Manjaro, what are you going to do? You have no idea how your system works, and will find it very difficult to fix. Delaying packages for 2 weeks on its own doesn't really do much for stability.
- Alternatives that are easy to install aren't that bad. Ubuntu and Debian get a bad rep in the hobbyist communities for no reason. Although they have issues, they're very good distributions. And guess what, they're easy to install too, and will teach you a lot. OpenSUSE is another one of these easy to install, easy to use distros. Learn Linux by using Linux, not by installing some arbitrary distribution like that's gonna teach you anything useful.
- Last but not least, the Manjaro Wiki [3] itself (!) stated that Manjaro is NOT Arch. Quoting from the Wiki:

> In fact, the differences between Manjaro and Arch are far greater than the differences between the popular Ubuntu distribution and its many derivatives, including Mint and Zorin.


[1] - https://lists.manjaro.org/pipermail/manjaro-security/2018-August/000785.html

[2] - https://www.reddit.com/r/linux/comments/31yayt/manjaro_forgot_to_upgrade_their_ssl_certificate/

[3] - https://wiki.manjaro.org/index.php?title=Manjaro:_A_Different_Kind_of_Beast

https://www.reddit.com/r/linux/comments/4inrut/manjaros_ssl_certificate_expired_again/

--------------------------------------------------------------------------------