manjarno

Repository which documents some reasons for not using Manjaro.

Disclaimer: I don't hate Manjaro. These are some reasons which made me consider shifting to a different distro. However, I still believe that Manjaro is a good starting point for beginners who want to explore an Arch ~~based~~ like distro.

Note: To clarify my stance, I should state what I use personally. I use Endeavour OS, which uses Arch repositories directly. They maintain a separate repository for distributing packages for theming, some small utilities and drivers - none of which override any packages in Arch mainline repositories.

Package Repository issues

Manjaro maintains a separate repository that is not in sync with Arch's main repositories which means Manjaro is not just Arch. To add to that, even Manjaro wiki states that it is not Arch [1]! To quote the wiki,

In fact, the differences between Manjaro and Arch are far greater than the differences between the popular Ubuntu distribution and its many derivatives, including Mint and Zorin.

(Yes, Manjaro isn't Arch and Manjaro users shouldn't use the "btw" line. However, I don't really care.)

Own repository

Manjaro claims to be stable just by delaying packages for a week. This is not an approach a stable distribution would take at all!

The problems introduced

If Manjaro had to be actually stable, it needs to hold back the AUR packages as well. It has to maintain its AUR that is in sync with the Manjaro repos.

Say that a package in the AUR depends on a library, say libxyz. And libxyz is in the main repos, not in the AUR. The package is updated so that it relies on the new features introduced in libxyz's version 1.1 however Manjaro delays packages so libxyz is still on 1.0 in Manjaro. If you update the package in Manjaro, it will break because Manjaro holds back packages. So the only way Manjaro can be stable is by literally forking all the Arch related repositories including the AUR and keeping them in sync.

Security

Manjaro is not really a secure distro.

Their own updater had a security vulnerability that wasn't fixed until recently [2]. This is actually a core package, not an extra or community package. To quote the list,

I have discovered an issue with one of your core Manjaro packages, manjaro-system 20180716-1 and earlier. The issue allows a local attacker to execute a Denial of Service, Arbitrary Code Execution, and Privilege Escalation attack.

The amount of attacks that can be done due to the vulnerability is a lot!

The Manjaro updater [3] does all the bad practices that one could do in a general Linux system and Arch Linux system specifically. Each time the system updates, they reinstall some packages to "fix" issues and they use the --no-confirm flag (force) every time they do so and various other odd sequences of commands which are just as bad, if not more.

In an update, password less updates in pamac (Manjaro's AUR helper) were sneaked in and from the look in the issue [4] made concerning this, the change was made to look like a "feature". This is a major security issue considering that packages in AUR are not checked by Arch Linux maintainers (and Manjaro does not maintain its own either). Some AUR packages were found to be malware in the past. So think about a casual user (Manjaro's target demographic are not really power users) installing a harmless-looking AUR package that could potentially mess up their system!

SSL Certificates

Manjaro let their SSL certificates expire not once, not twice, but thrice [5]! The first time, they asked the users to use a private window and/or change the system time [6]. The second time when the SSL certificates expired, they did the same [7]. The third SSL certificate expiration was handled a little more sanely[8].

DDoS'ing the AUR

On 2021-04-26, the AUR (Arch User Repository) was DDoS'd by a bad version of pamac, which is the default Graphical Package Manager for Manjaro [9].

On 2021-10-14, Pamac was once again blocked by the AUR for shipping another bad version that flooded the AUR with requests [10, 11].

Fishy Finances

It appears that, in September of 2019, Manjaro switched from holding community donations in Philip Müller's personal bank account to accounts being held by OpenCollective and CommunityBridge [12]. This change also brought on Jonathon Fernyhough as treasurer. There is also a policy in place that requires all expenses to be discussed on approved channels and nominally approved prior to any purchases [13]. On (or around) July 24th of 2020, a request for a $2,000 laptop was made by Philip for developer Helmut Stult [14]. Johnathon rejected this expense due to lack of prior discussion and questioned the expense [15]. The role of treasurer is now back fully in Philip's hands, and has approved the $2,000 laptop. This draws questions on the integrity of Philip's leadership.

Further discussions and sources: