Manjaro is just Arch with an installer
Manjaro has a track record of pretty poor security.
The first time their certificate expired, they told their users to roll their clocks back as a fix:
Seems we forgot to update our SSL certificate in time. […] In time, please use followed workaround:
open a terminal
enter followed line: sudo date -s 2015-04-06 +09
This will set back your system time to Mo 6. Apr 00:00:03 CEST 2015.
Holding packages back
Holding back packages for two weeks can also cause security issues, but this issue is probably better addressed in the stability section.
I have used both Manjaro and Arch for a while, and have ironically had fewer problems with the stability of Arch than Manjaro. Manjaro would often require coaxing to get packages to install, which seems to defeat the purpose of using Manjaro, a supposedly more user-friendly alternative to Arch.
You’ve probably seen across their resources that Manjaro holds Arch packages behind for two weeks. Stability is stated as the reason for this, but that doesn’t make much sense.
In practice, what this means is that software upgrades reach you later for seemingly no reason. That means getting updates – new features, security patches, bug fixes – two whole weeks late. Aside from the obvious downside, it also causes a more insidious issue.
I’m sure one of the reasons you’re gravitating towards Manjaro is the AUR. Being able to run install scripts for anything sure sounds neat, right?
Well, most of these scripts are written with the assumption that you aren’t running a system that’s effectively two weeks out of date. This causes partial upgrades. At best, that program won’t install or work correctly and at worst can cause all kinds of issues on your system with no obvious way to fix it.
That, and Manjaro doesn’t actually support the AUR. Despite their contradictory messages, Manjaro hides behind blaming the users of pamac. They provide insufficent warnings about the AUR and the potential risks, while providing a simplified interface for installing AUR packages via pamac. This is akin to letting someone with no briefing into a construction site. Sure, the heavy machinery might be quicker than using a shovel, but they are ultimately putting themselves in danger due to not being made aware of the consequences.
To be clear, I’m not inherently against Manjaro using the AUR. However, it should be something to think about carefully. The AUR requires at least some level of awareness, especially on a distro that likes to hold its packages back and make arbitrary changes. If you can reconcile this contradictory ideology, then at the very least pamac should be more careful in how it presents the AUR.
pamac, and by extension Manjaro, also isn’t very polite to the AUR. But you can read about their DDoSes below…
Manjaro has a controversy with their treasurer. Phillip Muller (Manjaro team lead) had purchased a laptop for €2000, and the treasurer asked to clarify his purchase. This ultimately led to the treasurer being removed. Isn’t the whole point of a treasurer to ensure fair and efficient use of donation funds?
DDoSing the AUR
Manjaro’s AUR helper, pamac, shipped a version with a bug on 2020-04-26 that accidentally sent thousands of requests to the AUR per user. This rendered the AUR offline for all users across every Arch-based distro for a few hours.
On 2021-10-14, Manjaro once again shipped a bad version of pamac, resulting in pamac being blocked again. This may have been the cause for the day’s earlier outage.
While these incidents were in no way intentional, it highlights the poor QA testing that Manjaro performs. This has happened on two separate occasions in less than two years.
What should I use instead?
I am in no way affiliated with these projects.
- Arch already has an installer.
- EndeavourOS seems to be what Manjaro is going for – just rightly done as far as I can tell. That said, using an Arch derivative is still a bit questionable in my view. The main excuse for doing so (lack of an automated installer) doesn’t apply anymore as Arch ships with
archinstall. However, EndeavourOS has a GUI installer, which should be much more approachable, and offers many more configurations to choose from out of the box than
archinstall. EndeavourOS also has an online installer so you can select a desktop you would like to use instead of the themed Xfce desktop EndeavourOS ships with.
- Garuda, which aims to have a Manjaro-like experience without holding back packages and the problems Manjaro has.
Once again though, I’d like to reiterate that Arch already ships with a reasonably friendly installer.
I know what I’ve written here can be seen as inflammatory, but that’s not really what this page is for. This resource is to quickly have something to point to the next time someone says “should i use manjaro??” in a chat room.
Maintaining a distro is commendable, and that alone takes credit. However, I’d rather not have your time (and others, when Manjaro inevitably breaks, and you need to ask for help) wasted, trying to figure out the odd quirks and issues that Manjaro causes.