I have been playing with Arch and some of its variants (like ArcoLinux) for about a year, and here is what I have seen:
What Arch solves:
Continuous upgrades to the packages, which solve Debian's issues:
- Solves outdated packages which affect new features and non-security fixes
- Solves some package security issues where they are not listed as CVEs
- Minor or no breakage of the system even when using packages upgraded to upstream level
- Ease of switching between and choosing different kernels
- Ease of pushing newly added packages compared to Debian
Arch issues:
- Arch is based mainly on systemd and doesn't give the option to have a non-systemd system from upstream as easily as Debian, which gave Devuan, and it is fully functional. (There are projects that build Arch Linux without systemd, like Artix, but they are far away from filling all essential user needs)
- Arch doesn't come with any easy way to install it; it is a fully manual/CLI installation, which is not easy at all for newcomers. (There is a project which gives an Arch + Calamares installation, called ALCI)
- Arch doesn't support by default any architecture except x86_64. (And there is only unofficial ARM support, no IBM POWER CPUs/ppc64)
- Users need to refresh keys before upgrading, otherwise they are going to see messages like the following (safe to proceed but annoying, not happening on the Debian side):
- Multiple warnings the user is going to see, but it's not clear why or what should be done, etc.
- Asking questions which are not really easy to answer, nor is it clear what the consequences of the answer are going to be, just by performing a normal upgrade:
- Arch's package manager pacman doesn't come with easy-to-use commands like install, remove, upgrade… instead it comes with only letters S, y, Rdd, etc. (users need to read and learn the pacman manual in order to use it properly)
- Arch is not a free software distro by default, similar to Debian
Security concerns:
- Arch doesn't come with any MAC by default, neither AppArmor nor SELinux nor any other (they need to be manually activated). (Debian and Fedora come with one)
- Arch ignored signing their packages for a long time and handed full trust to the third-party mirrors, check here (2008) and here. To the level that it was considered one of the “Package Managers Without Security” according to TUF in 2008.
- Arch is still using the outdated checksums MD5 and SHA1 (from their download page):
Checksums
File integrity checksums for the latest releases can be found below:
PGP signature
PGP fingerprint: 0x9741E8AC
WKD Lookup: gpg --auto-key-locate clear,wkd -v --locate-external-key pierre@archlinux.de
SHA1: 3f3ba996e7d8e0b15d911180682093cd8fe6b805
MD5: 8731d4beaf66c4a280d3246b807beb33
- Lack of onion mirrors (looks like lack of interest)
- AUR packages lack signing or any means to trust them.
- As of today's date Arch Linux is still using iptables by default and not nftables; ironically they note that iptables is the legacy firewall here: (Debian deprecated it by default and replaced it with nftables more than one year ago)
Note: iptables is a legacy framework, nftables aims to provide a modern replacement including a compatibility layer.
Conclusion
- Since it lacks many features by default, like a user-friendly installation and some essential packages, the work on the devs who are going to fork it will be heavier than if it were forked from Debian.
- The Arch devs seem to treat security as their last concern. Although the distro is continuously upgradable and has good documentation, their distro is behind the line when it's compared with Debian or Fedora.
- The only useful way I can see it for Whonix is if we do all these fixes from our side properly. If that is considered an easy/at-hand task, then yeah, Arch might sound useful to have; otherwise it is a difficult task.