Want to switch to Arch Linux. But what about Security Fixes in it?

s.verma · 12-24-2013, 11:23 PM

I am using Debian nowadays.

It happens in Debian that they release security advisory and security fixed packages are available for download/updating.

Now in Arch linux, latest version of packages are available.

So I want to know that if a security vulnerability is found in some package/software, how it is handled in Arch linux.

Whether new version of that software from its developer contains security fix.

In general I want to know who is responsible for security fixes, distro maintainer or software developer.

snowday · 12-25-2013, 03:46 PM

Generally speaking, it is not necessary for Arch developers to "backport" security fixes like Debian does, because they simply update the package. "Who is responsible?" would be the user in my opinion.

s.verma · 12-26-2013, 06:49 AM

My motive of asking was more of general nature.

I want to know how security fixes are handled in open source world.
Does having latest version from software develper (via distro package or source) gives protection from vulnerabilities, or security is largely work of distro developers/maintainers.

I mean who shares security related work most, distro developer/maintainer or software creater?
OR
Am I going to lose a part of security when transiting from debian to arch linux, even if I would keep arch linux up to date?

snowday · 12-26-2013, 08:43 AM

You are deluded if you think security is not YOUR responsibility.

One thing you should know about Arch is that the wiki is not optional; it is must-read! So I will assume you have read and understood this extremely relevant and detailed document: https://wiki.archlinux.org/index.php/Security

I see no reason why a properly-administered Arch system should be considered "insecure."