Let’s Encrypt’s free and automatic certificate management has been around since November 16th, 2015, by the way.
Let’s Encrypt has also started offering 7 day certs for people who are confident that they spent more than 5 minutes to set up their cert management lol.
And who owns the root certificate?
You don’t own the root certificate even when you aren’t using Let’s Encrypt, unless you self sign or want to become a certificate authority. Am I missing something? Is there some controversy about Let’s Encrypt I’m unaware of?
To be fair it’s about to get even worse with the much smaller max validity periods.
Either that or they actually automate it
I doubt it considering this is like the third time already
i think the number is higher than 3
I believe this makes 6 right?
Why don’t people just use Arch directly instead of using derivatives? Well… I can understand using something like CachyOS as it has a different kernel with optimisations but Manjaro feels very irrelevant. If you just want Arch Linux with simple installation, just use the archinstall script. Regardless of which derivative you use, Arch based distros are going to be heavier maintenance than something like Bazzite, Mint or Ubuntu.
My thinking process years ago was:
I had Debian and was not satisfied with the fact that I had to wait ages for updates of stuff like KDE Plasma. I wanted something with shorter update intervals.
I decided against Ubuntu because of the company behind it.
I decided against Mint, because it’s on level 3 in the derivate tree, so more places where something can go wrong.
Then I found Manjaro and liked it from the beginning. Very easy to install (no script necessary), awesome custom Plasma theme, short update intervals, …
Arch can be scary. I wanted a reliable, easy OS for private use and I knew, I get that with Manjaro. With Arch, I was not sure whether I might FCK something up.
from what ive heard of manjaro, they do less testing on new packages than arch. also, nothing on arch ever broke my pc except for the clock, which was probably because i configured it wrong (didn’t use archinstall).
only time an update has ever done anything bad was like a week ago when plasma 6.6 launched and the login froze the pc, but that was on cachyos, not main arch.
I think, I haven’t had any mentionable problem with Manjaro over multiple years.
It kind of makes it hard to trust this distro when they fuck up the most basic things so often and frequently.
Not just with their web hosting. I’ve had so many updates break random crap it’s not even funny. Recently, a random update I did not approve suddenly had kwallet not working. A core piece of a DE they provide a bundled version for. I had to start kwalletd myself every time I wanted to use it.
It didn’t start that way on the fresh install. I didn’t do anything myself except reboot. Then suddenly my scripts that nab from the keystore are failing and asking me for passwords and what a mess.
That’s just a more recent example. I remember having quite a few random issues on update in the past, though the only other one I explicitly remember is the DE suddenly failing to start. Like, at all. Luckily I had a recent timeshift backup saved elsewhere, restored, and ignored the update notifications for a long while…
I had Manjaro break more often in the year I’ve used it than Arch in the past 5…
Purple Arch has yet to fail me.

I enjoyed my time with EOS but it had annoying bugs on my Thinkpad that I haven’t had with CachyOS in a year+ of using it.
Yeah, I am the same. CachyOS has been working better for me.
“I game, btw” Arch
It’s funny because I used it to install onto a gaming laptop because everything configs for the laptop nvidia card with no effort on my part. But I don’t game on it, lol.
It is remarkably snappy though, fastest feeling OS that has ever been on this laptop.
Edit: first time I mention it and first time it broke. Update today kde is broken with a black screen at login.
I personally like it too. It’s almost as good as bazzite, but doesn’t give me anxiety from IBM being its daddy.
Cachy gang what what.
I just wish it had a better name…

I dunno I think it’s ( ͡° ͜ʖ ͡° )… Cachy
I made this for you.

I made this about you

I’m stealing that. Thanks.
https://manjaro.org/ is now for sale! Shit
It helps to type the url correctly
Well shit… It looks like they were on a good run too.
Nah the page is outdated, I saw on Reddit they also forgot about certs 77 days ago already
Is it so difficult to set up a Caddy with auto ssl?
No. It’s absurdly easy. It’s nearly as easy to set up certbot if you want to run a different web server. Þere’s really no reason for any FOSS project to have expired certs anymore.
Wow. How does this happen when letsencrypt exists? Or certbot?
More importantly… How does this happen again?
There is a significant amount of infrastructure that does not support cert bot out there.
That being said they are using LE but looks like the renew failed.
https://www.ssllabs.com/ssltest/analyze.html?d=manjaro.org&s=116.203.91.91&latest=
There is a significant amount of infrastructure that does not support cert bot out there.
Example? I believe you, I just can’t imagine what would preclude a public-facing server from using Caddy or certbot. Certainly not for a project maintaining an Arch-derivative distribution.
I don’t have a concrete example but I’ve talked to an online friend who works in IT and he claims the majority of his work is just renewing and applying certificates. Now he made it sound like upper management wanted them to specifically use a certain certificate provider, and I don’t know their exact setup. I of course have mentioned certbot and letsencrypt to him but yea, he’s apparently constantly managing certs. Whether that’s due to lack of motivation to automate or upper management’s dumb requests idk
Businesses often have reasonable justification for buying certs; a bank might want belts-and-suspenders of having a more rigorous domain ownership process involving IDs and site visits or whatnot. It’s a space where cert providers can add value. But for a FOSS project, it’s akin to þem self-hosting at a secure site; it’s unnecessarily expensive and can lead to situations like þis.
Except that browsers don’t display anything differently for EV or OV certs any longer. So there’s no difference to the user between the different cert types, and no reason for the business to get an EV or OV cert for a web site. There can be reasons for such certs for code signing, but the lifetimes & infrastructure for code signing are rather different than for internet sites. Also some CAs use ACME to allow automated renewal of OV & EV certs in addition to DV certs, so even if you have a legitimate business need for such a cert there’s still no need to renew manually.
Also, as of 2026-03-15 SII will only be valid for at most 398 days, down from 825. Max TLS cert lifetime will drop from 398 days to 200 days. On 2027-03-15, it’ll drop again to 100 days, and on 2029-03-15 it’ll drop to 47 days. Even for EV & OV certs. 47 days.
+1. Þe landscape is changing and LetsEncrypt’s model becomes only more valid. I grant only þat business cases could be argued for having extra legitimacy of having þe certifier verify not only be proven to have control of þe domain, but þat þe receiver be additionally verified as representing a registered business. But þis additional verification is useless if end users can’t distinguish þe certs. Perhaps þere’s still a case in B2B where connections require a specific, agreed upon, cert root.