Arch has made a lot of mistakes, and their most recent one where they bricked everyone's GRUB loader is the one that caused me to stop using it as a general recommendation. This sort of thing would never happen in Debian, and pretending that "every distro makes massive mistakes!" is disrespectful to distros that actually put a ton of effort into making sure these things don't happen. Sweeping those mistakes under the rug is harmful to new users who don't know what they're signing up for when they download the distro that you are sugarcoating, and that is the primary reason to make sure that anyone considering Manjaro is aware of its past so they can make their own decisions.
Security updates aren’t delayed in Manjaro, they’re pushed through out of band.
Manually. Also read as: delayed. The comment from Arch's security team that you are minimizing is part of the reason why this is a bad idea: "They just forward our security advisories without reading them. Leaving critical security issues to rot in their "stable" repositories while only pushing forward issues that are publicized or users telling them about". Once again, why would I trust the Manjaro team to be on top of security when they can't figure out how to keep an SSL cert alive? Their security mailing list hasn't even been updated in a year.
Once you’ve compiled an AUR package it will remain compatible with the system you compiled it on until you update and introduce an incompatibility.
You are dodging the real dependency problem by focusing on this half. The real dependency problem is that when an AUR package updates and Manjaro's packages are not new enough for the update, it will cause breakage. AUR packages are built with Arch Linux's repos in mind and no care whatsoever for the versions of packages that Manjaro holds. Updating your AUR packages frequently will all but guarantee that you will eventually run an AUR update that requires a dependency with a newer version than Manjaro provides, and that app will break (or worse, the AUR package is a dependency for other apps which will cause further breakage). Even Manjaro knows this: "Using AUR also implies Arch stable branch - which is only achievable by using Manjaro unstable or testing branch." Also take it from their team: "The AUR is neither officially supported by Arch nor Manjaro. If you do use the AUR on Manjaro, use our unstable branch. Problem solved."
That’s not the “Arch’s security team”, it’s one person on a 3rd party forum, with a history of issuing personal statements reeking of personal grudge. Yeah I know that comment unfortunately. It’s a singular, isolated piece of flamebait and it makes me sad to see it’s still being bookmarked and passed around 5 years later.
Yes, very sad that a member of Arch's security team made a warning about Manjaro's security 5 years ago and still we have people pretending that it's "flamebait" because that's a convenient excuse to dismiss it.
The real dependency problem is that when an AUR package updates and Manjaro’s packages are not new enough for the update, it will cause breakage.
How many AUR packages do you use? I have about 70 installed right now. Never had a source-level incompatibility happen. You'd have to let system updates lapse for years to lose source compatibility with a current AUR package.
I no longer use Arch, but this wouldn't have happened to me because I used vanilla Arch. On Manjaro it can happen at any moment that an AUR package silently depends on a new part of a dependency not implemented in the older versions. The AUR does not care to figure out which exact version dependencies are needed for a program, because you are expected to always have an up-to-date Arch system before installing. If the AUR cared about Manjaro compatibility they would need to mark every dependency with a minimum version number, but that's a lot of effort and the AUR understandably doesn't care about supporting Manjaro's repos. If Manjaro stood up its own AUR this would no longer be a problem.
(Personally, I don't think AUR packages are a good idea for system stability/security even on vanilla Arch, but it is understandable that people like them for their convenience.)
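The version gap these two comments describe (an AUR depends array carries no minimum versions, so on an older repo the mismatch only surfaces at runtime) as an added example, not code from the thread or from any Arch or Manjaro tool: a small Python checker with a simplified stand-in for pacman's vercmp that resolves a constructed depends line against a constructed installed set. Package names and versions are made up; the pinned depends line is the hypothetical form the comment above says the AUR would need.

```python
import re

# Constructed inputs (not from the thread): a depends array as the AUR usually ships it
# (no minimum versions), the hypothetical pinned form, and an older installed set.
DEPENDS_UNPINNED = "depends=('libfoo' 'python' 'openssl')"
DEPENDS_PINNED = "depends=('libfoo>=2.4.0' 'python>=3.11' 'openssl>=3')"
INSTALLED = {"libfoo": "2.3.1-1", "python": "3.10.9-1", "openssl": "3.0.8-1"}

def parse_depends(line):
    """[(name, op, version)] for a depends=(...) line; op/version are None when unpinned."""
    toks = re.findall(r"'([^']+)'", re.search(r"depends=\((.*)\)", line).group(1))
    return [(n, op, v or None) for n, op, v in
            (re.match(r"^([^<>=]+)(>=|<=|=|>|<)?(.*)$", t).groups() for t in toks)]
def _segments(s):
    # "3.10.9" -> [3, 10, 9]; "1.0rc2" -> [1, 0, "rc", 2]; digit runs compare numerically
    return [int(p) if p.isdigit() else p for p in re.findall(r"\d+|[A-Za-z]+", s)]
def _cmp_segments(a, b):
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):  # numeric beats alpha: "1.0" > "1.0rc"
            return 1 if isinstance(x, int) else -1
        return -1 if x < y else 1
    if len(a) == len(b):
        return 0
    rest = a[len(b):] if len(a) > len(b) else b[len(a):]  # extra numeric = newer, alpha = older
    return (1 if isinstance(rest[0], int) else -1) * (1 if len(a) > len(b) else -1)

def vercmp(have, want):
    """Simplified pacman-style compare of [epoch:]pkgver[-pkgrel]; pkgrel skipped if absent."""
    def split(v):
        epoch, _, rest = v.rpartition(":")
        pkgver, _, pkgrel = rest.partition("-")
        return int(epoch or 0), pkgver, pkgrel
    (e1, v1, r1), (e2, v2, r2) = split(have), split(want)
    c = (e1 > e2) - (e1 < e2) or _cmp_segments(_segments(v1), _segments(v2))
    return c if c or not (r1 and r2) else _cmp_segments(_segments(r1), _segments(r2))

def unmet(depends_line, installed):
    """Pins the installed set fails to satisfy; unpinned deps pass, which is the silent case."""
    ops = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
           ">": lambda c: c > 0, "<": lambda c: c < 0}
    bad = []
    for name, op, want in parse_depends(depends_line):
        have = installed.get(name)
        if have is None:
            bad.append((name, "not installed"))
        elif op and not ops[op](vercmp(have, want)):
            bad.append((name, f"have {have}, need {op}{want}"))
    return bad
```

Run against the same older installed set, the unpinned line reports nothing while the pinned line names the two packages that are too old; that difference is the "silent" failure the comment describes.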