Skip to main content
Topic: Man, am I glad I left Manjaro... (Read 1686 times) previous topic - next topic
0 Members and 5 Guests are viewing this topic.

Man, am I glad I left Manjaro...

Looks like they've forgotten to update their SSL certificates... again.

https://forum.manjaro.org/t/mirrors-download-aur-manjaro-org-ssl-certificate-expired/115074

Manjaro was my first distribution before moving over to Artix about 9 months ago (had been on Manjaro for a little over a year at that point).

I honestly had no issue with Manjaro, as I didn't encounter any of the issues some people in the Linux community had warned about. That said, this doesn't seem to be acceptable as renewing SSL should be something automated and isn't that difficult. I know it should just be chalked up to poor management, but I can't help but feel relieved I didn't stick around there long enough to encounter this frustrating issue...

Anyways, just thought I'd bring this up as it is somewhat interesting.

Re: Man, am I glad I left Manjaro...

Reply #1
Maybe a lot of serious developers have gone to Artix?  :)

Manjaro was my previous distro before fleeing to Artix in 2018 because of that kind of hassle and systemd of course. :(
 

Re: Man, am I glad I left Manjaro...

Reply #2
You might be happy to be off of Manjaro but this is irrelevant and the ssl certificate changing every month is BS.  To change it monthly with cron is a security issue.  the security model is designed broken, much like systemd.  I don't even know what this ssl certificate is for, and who cares.   Focus on something that matters.

 

Re: Man, am I glad I left Manjaro...

Reply #3
Quote from: mrbrklyn – on
You might be happy to be off of Manjaro but this is irrelevant and the ssl certificate changing every month is BS.  To change it monthly with cron is a security issue.  the security model is designed broken, much like systemd.  I don't even know what this ssl certificate is for, and who cares.   Focus on something that matters.

I simply am pointing out my relief that I wasn't utilizing Manjaro when this issue occurred is all.

Simply out of curiosity, why is changing ssl certification with cron a security issue? That seems to be the simple concept behind applications like certbot, which is widely used.

Re: Man, am I glad I left Manjaro...

Reply #4
Quote from: z3rOR0ne – on
I simply am pointing out my relief that I wasn't utilizing Manjaro when this issue occurred is all.

Simply out of curiosity, why is changing ssl certification with cron a security issue? That seems to be the simple concept behind applications like certbot, which is widely used.

And it is not secure.    Obviously a cron process that runs as root and allows you to pick up important security updates as root from a foreign system is inherently ***not secure*** and has a huge attack profile.

Re: Man, am I glad I left Manjaro...

Reply #5
Quote from: mrbrklyn – on
And it is not secure.    Obviously a cron process that runs as root and allows you to pick up important security updates as root from a foreign system is inherently ***not secure*** and has a huge attack profile.

I don't see why running 'certbot renew' from a root cronjob would be any more or less secure than doing the same from a root terminal?
Lots of cron jobs run as root. If there's an obvious issue with this I'm being dense as it's not obvious to me.
If there is a 'huge attack profile' could you explain it briefly please ?

I do have certbot cron jobs updating the ssl certs on a couple of vps's. If I delete them I just need to log in and do it manually. Still failing to see the difference ?

A search for "certbot cron job insecure" hasn't thrown up anything after a quick look.

Re: Man, am I glad I left Manjaro...

Reply #6
Quote from: gripped – on
I don't see why running 'certbot renew' from a root cronjob would be any more or less secure than doing the same from a root terminal?

then you need to take a class on security.  I'm not opening this up for a discussion.  I've already spent my decades arguing on the internet basic and fundamental things like this, and my experience is that it is worthless endeavor.  I already told you the facts.  You want to argue with facts and I am not interested.

And FWIW, ssl certificates aren't equivalent to good security.  It is useless to have a ssl certificate every month for most cases, and even less so than to do so by creating an exploitable  root access attack front.

Re: Man, am I glad I left Manjaro...

Reply #8
Quote from: mrbrklyn – on
then you need to take a class on security.  I'm not opening this up for a discussion.  I've already spent my decades arguing on the internet basic and fundamental things like this, and my experience is that it is worthless endeavor.  I already told you the facts.  You want to argue with facts and I am not interested.

And FWIW, ssl certificates aren't equivalent to good security.  It is useless to have a ssl certificate every month for most cases, and even less so than to do so by creating an exploitable  root access attack front.
It seems you've stated your opinion with no evidence or examples to back it up. I fail to see any 'facts'

SSL certificates are useful to me for my web server and email server. I used to have to pay for them, and they'd last quite a while. Now I get them for free from Letsencrypt but they are only valid for 90 days. So without the cron jobs I'd have to log in every 90 days and manually generate new certificates.
I believe the above are facts.

My opinion is that there is no security risk having a cron job do this. At least none that I am aware of.
Why would I want to take a security class ?

"exploitable  root access attack front"
How exactly ?

It's a bit lame to make claims but then refuse to give any explanation whatsoever.
There's around 220 million Letsencrypt SSL certificates in the wild. Many of those certs will be created by the certbot cron job.
You claim to know it's exploitable but won't explain how.

How very community spirited off you.

If I'm being honest I'd guess you can't say how it can be exploited, because you don't know how and there isn't a known exploit..

Re: Man, am I glad I left Manjaro...

Reply #10
Quote from: mrbrklyn – on
You shouldn't.  It wouldn't help.

You are right as the one simple question I want an answer to:
How is running
Code: [Select]
certbot renew -q
from an root cron job exploitable, would not be answered by a security course so I'd be wasting my money.

I suspect you were attempting to be rude though ?
Wasting your time as it's like water off a ducks back. I don't care.

What is telling is you still give nothing to back up your claim.
So I suspect you know far less about the subject than you claim ?
Or maybe you're just a knob ?
IDK  ;)

Re: Man, am I glad I left Manjaro...

Reply #11
Quote from: gripped – on
You are right ...

You are trolling the wrong guy.   Your missing the basic Dech Eretz needed to conduct a conversation.  I don't like you.  You're a child and I won't give you any more of my time because I've determined it is not productive. 

Re: Man, am I glad I left Manjaro...

Reply #12
No I stated facts, and you failed to listen.  Repeating the facts don't make you listen better.

Re: Man, am I glad I left Manjaro...

Reply #13
@mrbrklyn please help yourself and stop being a joke. You provided no fact and you are just showing that no matter the amount of experience you claim to have you are just lacking a lot of basic knowledge yourself.

You brought a stupid conversation and are being out of the scope of the main topic, I am closing it.

Also it would be cool if you don't necrobump 10 topics when you come back from holidays, no one cares.