It has been 732d 23h since Manjaro !$%&?*# up. On 2022-11-04 , they forgot to renew their archived forums' SSL cert

Manjarno

Manjaro is just Arch with an installer

Surely, right?

Foreword

It’s impossible to not make mistakes, especially with software. While it’s tempting to mock every single mistake, that isn’t really the point of this page. Most things documented here showcase a pattern of mistakes, with the events that are one-offs being things that I (subjectively) feel are egregious enough to warrant showing up here. If you have any feedback or questions, shoot me an email.

Security

Manjaro has a track record of pretty poor security.

SSL Certificates

Manjaro has let their SSL certificates expire twice!

No wait, thrice, and counting.

Four times! This one is a little better, as at least they’ve set HSTS, but still, come on man.

Five.. This time it was their archived forum. In fairness, they’re keeping up the trend of at least having HSTS on. According to this thread, it seems like the server was abandoned.

The first time their certificate expired, they told their users to roll their clocks back as a fix:

https://web.archive.org/web/20150409040851/https://manjaro.github.io/expired_SSL_certificate/

Seems we forgot to update our SSL certificate in time. […] In time, please use followed workaround:

open a terminal

enter followed line: sudo date -s 2015-04-06 +09

This will set back your system time to Mo. 6. Apr 00:00:03 CEST 2015.

Holding packages back

Holding packages back for two weeks can also cause security issues, but this issue is probably better addressed in the stability section.

Stability

I have used both Manjaro and Arch for a while, and have ironically had fewer problems with the stability of Arch than Manjaro. Manjaro would often require coaxing to get packages to install, which seems to defeat the purpose of using Manjaro, a supposedly more user-friendly alternative to Arch.

You’ve probably seen across their resources that Manjaro holds Arch packages behind for two weeks. Stability is stated as the reason for this, but that doesn’t make much sense.

In practice, what this means is that software upgrades reach you later for seemingly no reason. This means getting updates – new features, security patches, bug fixes – two whole weeks late. Aside from the obvious downside this brings, it also causes a more insidious issue.

The AUR

I’m sure one of the reasons you’re gravitating towards Manjaro is the AUR. Being able to run install scripts for anything sure sounds neat, right? Well, you need to be aware that you shouldn’t trust the AUR in the same way you trust your distro’s repos, as the scripts are user submitted. You should skim these scripts before running them to avoid running something malicious.

Also, most of these scripts are written with the assumption that you aren’t running a system that’s effectively two weeks out of date. This causes partial upgrades. At best, that program won’t install or work correctly and at worst can cause all kinds of issues on your system with no obvious way to fix it.

That, and Manjaro doesn’t actually support the AUR. Despite their contradictory messages, Manjaro hides behind blaming the users of pamac. They provide insufficient warnings about the AUR and the potential risks, while providing a simplified interface for installing AUR packages via pamac. This is akin to letting someone with no briefing into a construction site. Sure, the heavy machinery might be quicker than using a shovel, but they are ultimately putting themselves in danger due to not being made aware of the consequences.

To be clear, I’m not inherently against Manjaro using the AUR. However, it should be something to think about carefully. The AUR requires at least some level of awareness, especially on a distro that likes to hold its packages back and make arbitrary changes. If you can reconcile this contradictory ideology, then at the very least pamac should be more careful in how it presents the AUR.

pamac, and by extension Manjaro, also isn’t very polite to the AUR. But you can read about their DDoSes below…

Rushing Asahi out the door

In their attempt to get Asahi Linux out (and support Apple Silicon) as soon as possible, they ended up pulling the latest PKGBUILD without talking to the devs. This has resulted in them shipping potentially broken kernels to end users.

Still though, that’s besides the main problem. It was only about 3 days ago that this video came out, in which a DE is working for the first time. Not only is it in a state far from prime-time, but compounded with the above tweet, they didn’t even bother to speak with the devs of the project about its current state.

Management

Funding

Manjaro has had a controversy with their treasurer. Phillip Muller (Manjaro team lead) had purchased a laptop for €2000, and the treasurer asked to clarify this purchase. This ultimately led to the treasurer being removed. Isn’t the whole point of a treasurer to ensure fair and efficient use of donation funds?

Poor QA

DDoSing the AUR

Manjaro’s AUR helper, pamac, shipped a version with a bug on 2020-04-26 that accidentally sent thousands of requests to the AUR per user. This rendered the AUR offline for all users across every Arch-based distro for a few hours.

and again…

On 2021-10-14, Manjaro once again shipped a bad version of pamac, resulting in pamac being blocked again. This may have been the cause for the day’s earlier outage.

While these incidents were in no way intentional, it highlights the poor QA testing that Manjaro performs. This has happened on two separate occasions in less than two years.

Miscellaneous

Their system update script used to run rm on the lockfile mid-transaction.. The lockfile is in place to prevent multiple instances of pacman from trying to alter the package database at the same time. Sometimes, when pacman is interrupted, the stale lockfile can remain. In these cases, removing the lockfile is a common troubleshooting step. However, you should only do so when you are absolutely certain there are no other pacman instances running. Manjaro’s script used to do this silently without checking for other instances.


Quick things

I know what I’ve written here can be seen as inflammatory, but that’s not really what this page is for. This resource is to quickly have something to point to the next time someone says “should i use manjaro??” in a chat room.

Maintaining a distro is commendable, and that alone takes credit. However, I’d rather not have your time (and others, when Manjaro inevitably breaks, and you need to ask for help) wasted, trying to figure out the odd quirks and issues that Manjaro causes.