Arch approach to security

Similar Messages

• Best Approach for Security in WebCenter Portal Application

  Hi,
  We are analyzing a right approach for webcenter portal security on an application . We found that we can do all Roles and Security in Page Hierarchy which in turn stores the security details in Jazn-data.xml . Is this the right approach for defining the roles and security for a webcenter portal application .
  What is the importance of Configuring WS_security in webcenter Portal Application and do we need to define this WS_Security even after defining them in page hierarchy. Could you please guide us on this .
  Thank you,
  Sashank P

  Hi Shashank,
  First sorry for late reply,
  WS_Security, can you please explain what do you mean by WS_Security, from the term i could not infer which part you are talking about.
  Let me tell you about the Webcenter security -
  This is the heirarchy , the Fusion middelware forms the base with webcenter at the top.\
  Webcenter Security
  |
  ADF Security
  |
  Fustion Midddleware Security (OPSS)
  Now you are goin to apply security to your Webcenter and ADF layers.
  Lets come back to the question .
  Any webcenter portal, you have to use the Jazn-Data.xml file to secure all the content whether its the navigation /pages /admin pages/taskflows etc.
  Its pretty much easy to use , let me know if you have any difficulty on that.
  Page hierarchy -> Yes you have an option to set your security for pages alone, here you have addition fine grain permisions (update/delete/personalise etc).
  If you need those fine grain permissions you can use this.
  To Conclude i would say use jazn-data for taskflows/components/admin page protection etc.
  Use Page heirarchy's fine grain permission to pages and navigation model's visible attribute to show/hide navigation based on user's roles.
  Let me know if this helps

• Approaches on security in JSF

  My question is pretty broad, so I'm just looking for a general answer.
  What is the standard (or most common) approach to authentication and authorization in JSF?
  1) At one instance, some time ago, I was utilizing a simple declarative, form-based, container-managed login mechanism in Tomcat (with DataSource/JDBCRealm), but that made me do some acrobatics with redirections because the container did all the checks and never gave me a chance to grab the details typed by the user... so, in the end, it turned out to be more of a hack than an actual way to do security.
  2) I also keep reading that people turn to Spring security (Acegi). This seems like a good idea, but it's hard to believe that JSF does not have it's own security mechanism.
  3) JAAS also comes to mind, especially after seeing the JAASRealm implementation on Tomcat, but this is Tomcat specific and requires a self-implemented LoginModule and Principal...
  4) I also see some third-party libraries like jGuard that seem pretty decent (first-look impression), but still, that's hardly the norm.
  So I am at loss now, how is security "supposed" to be done is JSF? Is it usually vendor specific? Any insight will be greatly appreciated!

  jadespirit wrote:
  My question is pretty broad, so I'm just looking for a general answer.
  What is the standard (or most common) approach to authentication and authorization in JSF?To start, authentication and authorization should not be tight coupled to JSF. JSF is just a component based MVC framework which can run on top of JSP/Servlet. Security is to be done at lower level, in the JSP/Servlet API.
  1) At one instance, some time ago, I was utilizing a simple declarative, form-based, container-managed login mechanism in Tomcat (with DataSource/JDBCRealm), but that made me do some acrobatics with redirections because the container did all the checks and never gave me a chance to grab the details typed by the user... so, in the end, it turned out to be more of a hack than an actual way to do security.In JSF you can just get the underlying HttpServletRequest by ExternalContext#getRequest(), which on its turn provides methods to get details about the logged in user.
  2) I also keep reading that people turn to Spring security (Acegi). This seems like a good idea, but it's hard to believe that JSF does not have it's own security mechanism.JSF is not comparable with Spring.
  3) JAAS also comes to mind, especially after seeing the JAASRealm implementation on Tomcat, but this is Tomcat specific and requires a self-implemented LoginModule and Principal...Realm is not appserver specific.
  4) I also see some third-party libraries like jGuard that seem pretty decent (first-look impression), but still, that's hardly the norm.No wording about this as I don't have experience with them.
  So I am at loss now, how is security "supposed" to be done is JSF? Is it usually vendor specific? Any insight will be greatly appreciated!Realm is good. You can also decide to homegrow a simple one yourself. Have a database with users, have a loginbean which puts the logged in user in session, have a Filter which checks the logged in user. In JSF you can if necessary just use EL to access the logged in user in session.

• Project Server 2013 reporting security

  HI
  I have a question and I have seen a couple similar ones but nothing definitive on the topic of permissions/security for Project server 2013 (in project server security mode) for either Excel(Odata) reports or for SSRS reports. 
  Even setting security aside the Out of the box configuration is certainly not elegant or even usable.
  Situation:
  In PWA project managers and team members can only see projects they, own, are team members on, or have been granted permissions explicitly to. (Pretty standard - is using security templates and "my Projects"). We are using secure store
  and impersonation for access to reports. We do have report authors groups.
  As an example a PM needs to create a weekly  status report but should not have to pull all the data back to then filter for their one project.
  However, when a PM goes to either SSRS or Excel using oData they can see every project in the company.  This is just does not make a lot of sense. Why would I hit the database for 100projects when I only care about one and yet there seems
  to be a lack of information on the topic. In contacting Microsoft we were told there was nothing we could do that is how it was designed.
  REALLY???? (see above)
  What we have come up for our approach is  that we're currently using the UserID value to set parameters in our data sources, but are looking for more 'elegant' approaches
  to security (if they exist) as there are some liabilities with this approach (EX is a report author forgets to put the parameter in the users will get everything back.
  QUESTION:
  If there is not another approach then we will stay with it. We can't imagine there isn't a better way.
  Additionally, the Project user view only contains the identity of the project owner not the rest of the team members (including sponsors who might need to see the data.) so where are they in the database?
  Tasks

  Hi Paul,
  I have a similar situation only I'm using Project Online. I have setup Groups and Categories where there is a relationship between clients and groups, and projects and categories. 
  Only issue is that when running a report a user receives an error and then all the data shows for all projects irrespective of the group/category/project relationship and the fact that user only exists in one group (and therefore can't see
  or access the other projects in PWA outside of their group.
  Hope that makes sense.
  Regards,
  Conrad

• The role of java.security.acl in Java 2 security

  I have been trying to assess the role of the java.security.acl package within the Java 2 Security architecture. I have some questions regarding it.
  First where in the JVM are the interfaces of java.security.acl used? Are there any examples out there to guide developers in understanding their proper implementation?
  What is the relationship between this package and the core security package? There seems to be a Permission interface in the acl sub-package and an abstract Permission class in the core security package. Why is this the case? Why is the core abstract class not used instead of declaring a new Permission interface within the acl subpackage?
  Are not PermissionCollections and Permissions analogous to ACLs? If so then wouldn't that fact make the acl subpackage redundant?
  JSR 115 tries to bridge the gap between Java 2 Security in the SDK with security in J2EE. Namely enabling the RBAC-like approach to security in J2EE while using the AccessController of the J2SE to do the evalualtion of J2EE (Servlet/EJB) Permissions. Why are the Group and Owner interfaces defined here not leveraged in both JSR 115 and in general for Role Based Access Control?
  Could someone give some background on the vision behind creating the acl subpackage and how it relates to the historical progression of security advances in Java security architectures?
  Thanks much,
  Alex Karasulu

  I see from the defined interfaces that its an attempt at a formal approach to RBAC. However RBAC can be implemented without it all together using existing J2SE and JAAS based constructs. This does not answer the redundancy question. Could you elaborate a little bit more?
  Thanks,
  Alex

• Recommended way to secure page

  Hi Experts,
  Can u tell me what is the recommended way to secure a page??
  1. secure page def
     or
  2. I have to add page in bounded taskflow and secure TF.
  Thanks

  If you have to restrict access to a whole page which is not part of a BTF, it will be enough to secure the page's PageDef. It is not necessary to wrap the page in a BTF.
  If the page is part of a BTF, you cannot secure it alone but you can secure the whole BTF only. Permissions on a BTF are propagated to all the TF activities within the BTF (including the view activities - pages and fragments).
  If you need to apply security policies only on particular components within a page, then you can use EL expressions like #{securityContext.userInRole['MyRole']} in order to exclude the necessary components from the view tree (e.g. using components' "rendered" attribute), to hide or disable them (e.g. using their "visible" and "disabled" attributes), to make them read-only (e.g. using their "readonly" attribute), etc. Have a look here for other useful EL expressions:
  http://docs.oracle.com/cd/E23943_01/web.1111/b31974/adding_security.htm#BGBIFHDF
  For example, you can use this approach to secure menu items and command components (e.g. buttons and links) in other pages that navigate to a secured page or BTF. You should disable or hide these components conditionally if the user has no rights to access the corresponding secured page or BTF. If you do not disable/hide these components, an user could use them, the framework would try to navigate to the page and an exception would be thrown because the user had no rights to access the page.
  Dimitar

• Securing WebServices call without user login

  Hello,
  I spawned a thread in the Java Technologies for Web Services forum about different approaches to securing web service interactions.
  The security level required is:
  - guaranteeing the server's identity (so that the customer does not talk to a phishing server
  - guaranteeing the client's identity (so that we don't provide the service for free, and don't leak customer-specific data across customers)
  - encrypting the exchanged data
  Whichever approach will end up having some local security info stored on the client machine (e.g. client certificate used to guarantee the client machine identity).
  Now we have a requirement from some customers that the operator be not required to input any password on the client computer (basically the whole client system is some industrial machine (let's say a steel-knitting machine), and the operator does not knowingly use a computer, but merely a steel-knitting machine with levers and a couple of big plastic square on/off push-buttons).
  We also don't have the power or time-to-market to include a hardware authentication mean (e.g. an ID card or dongle).
  As far as running our software go, no problem, we will configure the OS to auto-log on startup.
  However, we are concerned that the client software, and its client configuration, may be copy-pasted on another machine, and used to sniff our provider's valuable steel-knitting patterns (those data whose transport has to be encrypted).
  You may have understood that I am a totally noob as to security aspects. I hope you can help me with the following questions:
  - Is there any way to prevent a clone of the client software being copied onto another host?
  I guess not; I mean, as far as someone can log onto the machine using the same user as the one the software runs under, he can download the software package, including the configuration and certificates.
  - Is there any built-in mechanism that could makes the certificate unreadable or invalid on a cloned machine (e.g., if the certificate includes some terminal-specific info, such as a MAC address)?
  - would a check of the client's IP address protect me - I think an attacker can forge its sending IP address, but then he may not receive the reply, is that correct?
  Note that we trust our customers to not install more steel-knitters than they bought, so validating the full DNS hostname would protect us. But I'm probably naive to think that we can guarantee against forged domain names.
  - It it hopeless? AFAIC, the customer is violating the recommendation to base security on "something he has (conf) plus something he knows (password)". Is it enough of a no-go to pop up the problem to the boss or sales, so that they try to convince the customers?

  It's a nogo.Thanks for your valued opinion.
  Yes, the more I think about it, the more I'm convinced the requirement is technically unreasonable - although I understand that they want to lower the training and process costs.
  (blushing) From a formal point of view (hey, I have a marketing guy to convince first), I haven't found an advisory bulletin from e.g., CERT or OWASP, to support the claim "it's obvious that you can't authenticate a person without a password or a body scan". It must be too obvious...
  I'd like to bend their head to authenticating the hardware instead (card/dongle).
  What you need here is mutually authenticated SSL with an HSM at the client that requires a password for its use.Yes we are going the mutually authenticated SSL route (subject of the other thread).
  As far as using an HSM go, anything more robust that personal cards (which can be a form of HSM) is bound to be too costly for the market.
  I'm concerned though about requiring a password: if we force a password scheme onto reluctant customers, I'm convinced we will end up with company-wide passwords shared among all operatives.
  Not that different from having a shared (non-password protected) card/dongle that unlocks the machine (e.g. hosts the certificate and compute keys, I don't know too well how an ID card works). The card scheme seems even more secure, as attempts against the card (card lost, stolen, damaged) are more likely to be reported (and trigger revocation of the certificate) than password leaks.
  Edited by: jduprez on Sep 14, 2009 3:04 PM

• Namespace and security

  When I wrote my driver I decided to follow
  Walter Oney's advice not to name my device object.
  According on Oney, there are security issues that make this approach less secure. I admit that I never understood this point.
  So I decided not to name my device but rather to take the "device interface" approach (WdfDeviceCreateDeviceInterface).
  Now I need to extend my driver to support many (250) virtual devices and I was advised to use a "namespace" instead of creating 250 device interfaces.
  1. What makes named object less secure? An example please.
  2. Is it possible to use a namespace with an unnamed device object?
  Thank you

  Thank you for the excellent replies.
  I now understand that not naming my DO was not a wise decision but this will not be reversed. However, I can still name the DO so that its devices will be interfaced either by the new namespace or by
  the old interfaces.
  250 joysticks?!  that's insane ...
  Not Exactly. One of my users wants to use it for over-the-net gaming server where many players play simultaneously. Anyhow, the current 16 device limitation was relevant for the old WINMM interface and should be removed.
  Whether or not the device object has a name, or not, is not relevant to whether it can have a namespace.
  Good news then? Suppose the driver creates this name for my driver interface:
  \\?\{d6e55ca0-1a2e-4234-aaf3-3852170b492f}#vjoyrawpdo#1&2d595ca7&147&vjoyinstance00#{781ef630-72b2-11d2-b852-00c04fad5101}\device_001
  Can I assume that the string followed by
  device_001 is my namespace? If so, what is the use of creating an interface? What happens if I try to create file (CreateFile()) with a arbitrary sub-name such as
  \\?\{d6e55ca0-1a2e-4234-aaf3-3852170b492f}#vjoyrawpdo#1&2d595ca7&147&vjoyinstance00#{781ef630-72b2-11d2-b852-00c04fad5101}\device_BlaBla?

• Arch Linux as a WebServer

  I want to set up a webserver with PHP and Mysql to host webpages. I have a couple of questions about Arch Linux.
  1.) Is Arch Linux a good distro to implement a web server with PHP Mysql and Apache? Is it safe?
  I had already chosen Freebsd but I still like Arch linux too much to ignore it.
  2.) What type of firewall can I install? Is it possible to install a firewall on the same computer as the server, or is it best to dedicate another computer as a firewall.

  ovihc wrote:1.) Is Arch Linux a good distro to implement a web server with PHP Mysql and Apache? Is it safe?
  Sure. Any distro can generally be as safe as you make it. Since most arch users know their systems a bit better than some (how many fedora users know EVERY single package that is installed on their box?), they might have a better shot at securing it.
  I would say that arch has some security permission issues, but most of these would only cause problems when there are user accounts on the box and you hand out ssh permission to them. For standalone services, these issues should not effect things.
  2.) What type of firewall can I install? Is it possible to install a firewall on the same computer as the server, or is it best to dedicate another computer as a firewall.
  Yes, you can have a firewall on the box itself. It is usually recommended to have both, depending on your requirements. For most instances, though, you would probably be fine to just have one on the box.
  I just use iptables for my firewall. I just hand edit the rules in a bash script, then just save off the rules when I get them how I wan't them. If you are serious about firewalls, I recommend you just hunker down and get familiar with generating the iptables rules by yourself. If, however, you could really care less about firewalls, and only want simple security from your firewall, then by all means...there are firewall script generators out there for iptabes (gui pointy-clicky things).

• PS 9.0 Security - maintaining security in 2 releases.

  I am working on an upgrade approach for security 9.0, Our current PS environment is 8.3, with PeopleTools 8.2. We are upgrading to PS 9.0/ PT 8.49. We create Oprid's during a nightly batch cycle. We have taken a copy of our PS 8.3 database, with the PeopleTools tables for the initial upgrade, using Oracle Labs. My question, is there a way to migrate the new production Oprid's that have been created since the initial copy of production. We will not be going live with 9.0 for 16 months, and need to maintain PS Oprid's in the upgrade environment.
  Any help is appreciated,
  KT Hargett

  I do not know why PeopleSoft does not provide a good solution for such situation. i've seen numerous situations where the client need to address this problems through thier own solutions.
  In order to preserve security upto date as with production, your golden copy (the target database that was upgraded during initial pass) must be constantly updated with all security tables. There is no one clear cut solutions. What many of them have done is if the length of upgrade project is spanning more than 6 months, they would write a custom process to update the OPRID everytime they do test move to prod and migrate the security tables data to golden copy.
  here's what one of the PeopleSoft Customer Connection Solution says:
  E-UPG How can you preserve security through upgrade passes? (Doc ID 642944.1)
  SOLUTION:
  In order to preserve security through your upgrade passes, you will have 3 options.
  1) Low Risk - Re-enter your security changes into one of the target databases. Once this is complete, those security tables can be exported out and imported into any other upgraded databases at the same tools release using security migration reDocument:610138.1, included below.
  2) Low Risk - Re-do the Initial Upgrade again. This will get the security as it is when you take the copy of production. Many customers chose this option because they are most comfortable with it. Once the initial upgrade is completed, follow the steps outlined in reDocument:610138.1 (Included below) to migrate security to your other upgraded databases.
  3) High Risk -
  Attention! This workaround has not gone through our formal quality regression test cycle. We strongly recommend that you thoroughly test this workaround in a development environment before applying it to your production environment.
  Be sure to document this change as this workaround may be detected during your next upgrade. Because this workaround has not yet gone through our formal quality regression test cycle, this workaround will have risk.
  You should only follow this option if you only want the latest operator security in production migrated to your upgraded database. Do the Initial Upgrade again, up through the end of Chapter 2 (Updating PeopleTools). You will need to definitely run the Relnnn.sql scripts, copy the projects and do the alters - but to make sure you get everything correct, it would be best to run all steps in Chapter 2. Once completed your tools release will be at the same level as your fully upgraded database that you want operator security imported into. DO NOT FOLLOW Document:610138.1 as you will LOSE ALL security delivered by the new application release you just upgraded to. To migrate your operator security, select the appropriate Data Mover script for your PeopleTools release to export and import operator security:
  For PT 8.4x -
  ******Export******
  USEREXPORT.dms
  This script looks as follows:
  -- USERS
  EXPORT PSOPRDEFN;
  EXPORT PSOPRALIAS;
  EXPORT PSROLEUSER;
  EXPORT PSUSERATTR;
  EXPORT PSUSEREMAIL;
  EXPORT PSUSERPRSNLOPTN;
  EXPORT PS_ROLEXLATOPR;
  EXPORT PS_RTE_CNTL_RUSER;
  ******Import******
  USERIMPORT.dms
  This script looks as follows:
  UPDATE PSLOCK SET VERSION = VERSION + 1 WHERE OBJECTTYPENAME = 'UPM';
  REPLACE_DATA *;
  UPDATE PSVERSION SET VERSION = VERSION + 1 WHERE OBJECTTYPENAME = 'SYS';
  UPDATE PSVERSION SET VERSION = VERSION + 1 WHERE OBJECTTYPENAME = 'UPM';
  UPDATE PSOPRDEFN SET VERSION = (SELECT VERSION FROM PSVERSION WHERE OBJECTTYPENAME = 'UPM');
  hope this helps
  [Learn PeopleSoft HRMS and Upgrade|http://www.learnpeoplesoft.info]

• RE: WMI Monitoring - Security

  Hi
  I am currently using a product to monitor our network which can make use of wmic. Currently connecting to remote machines require a username and password. What would be the best approach to secure wmi communications. I that you have to be part of the local
  admin group to see most of the wmi values, but I was wondering if there is any way to create a local user on machines that gets used for monitoring purposes only? Prefereably not part of local admin group.
  Thanks
  Karl

  Hi Karl,
  Windows Management Instrumentation (WMI) supports a limited form of security that validates each user before the user is allowed to connect to WMI, on either the  local computer or a remote computer. This security is layered on top of the operating
  system security. WMI does not override or circumvent security provided by the operating system.
  By default, all members of the Administrators group have full control of the WMI services on the managed computer. All
  others have read/write/execute permissions on their local computer only.
  Reference from:
  Managing WMI security
  I hope this helps.

• DB Security Datadictionary views

  In our company , Security persons requested to send the reports of
  select * from
  • DBA_PROFILES
  • DBA_ROLE_PRIVS
  • DBA_ROLES
  • DBA_SYS_PRIVS
  • DBA_TAB_PRIVS
  • DBA_USERS
  • V$PARAMETER
  • DBA_PRIV_AUDIT_OPTS
  • DBA_STMT_AUDIT_OPTS
  • DBA_OBJ_AUDIT_OPTS
  My question is what we can check what is right & wrong from these views?

  It is very unlikely that there is such a thing as a "right" or a "wrong" value in any of these tables.
  In general, you want to take a holistic approach to security, so what you should be most concerned with is how your various security policies and settings interact. You start by figuring out what sort of attacks each system is most likely to be exposed to, then you determine whether the totality of your security measures provides appropriate protection from those attacks.
  For example, if you have System A that is full of personally identifiable customer information, System B that has information about every phone call that came through your phone switch, and System C that has accounting information, you would tend to have very different expectations about the sort of threats there would be to each of the systems. System A would be an ideal target of external hackers (or a trusted insider that might want to extract the information and sell it to those hackers). System C would be an ideal target for an insider to manipulate the books. System B, on the other hand, probably wouldn't be a target of an exploit (lists of phone numbers aren't particularly valuable) though you do need to ensure that the data is collected and retained because it probably feeds a number of different reports. Of course, I'm ignoring the fact that you'll likely end up with multiple threats in your threat matrix for each system and that you'd want to go into a bit more detail in reality.
  Once you understand and prioritize the threats, you can identify what steps you're taking to mitigate those threats and determine whether that is sufficient. No system is completely secure (other than, perhaps, the system that is disconnected from the network, unplugged, run through a high powered magnet, encased in concrete, and dropped in the middle of the ocean). So you have to figure out how secure your systems need to be, what your options are for creating that level of security, and what sort of trade-offs you're willing to accept. You may decide, for example, that there are a handful of tables in system C above (accounting information) that are particularly vulnerable to insider tampering, so you want to audit all the changes to them and/or restrict what users can make those changes. Depending on how users are set up (i.e. are there individual users in Oracle for every human accessing the database? Or is there a single ACCOUNTING user that everyone knows the password to?), whether you're concerned with DBAs making data changes, your Oracle version, whether you want to purchase something like Audit Vault, etc., you might conclude that enabling Oracle auditing on those tables gave you a sufficient level of confidence that the data was secure. On the other hand, you might decide that you need to take additional steps (audit triggers, Workspace Manager, re-thinking the Oracle user setup and privileges, etc).
  Justin

• Physical port security on Cisco switching

  We have a security problem I would like to resolve. Like most sites our wired network has live ports that periodically, non corporate PCs and laptops connect up to without our knowledge. In our network we do not filter for valid MAC addresses although Ive learned this is a poor approach to security as MAC can be changed in about 10 seconds.
  I would like a solution that would validate corporate systems and let them through the Cisco layer 3 switching and block out all other devices which attempt connection. We do not currently have IDS or IPS and are not likely to in short term.
  Is there a hardware or software or combination solution out there that works well for this ?
  Thank you

  Steve
  2 solutions spring to mind
  1) 802.1x authentication. Microsoft XP/Vista has built in 802.1x supplicant and Cisco switches support Network EAP used to pass the 802.1x messages. What you also need is an authentication server such as Cisco Secure ACS server although Microsoft IAS server also supports 802.1x.
  Basically before a client is allowed access to the network they have to authenticate to the network with valid credentials otherwise the port is shutdown.
  2) NAC - Network Admission Control. This goes one step further than 1) whereby the client is also checked to see if it conforms to company policy eg. does it have the right virus checker on it etc.. and if it doesn't the client can be quarantined.
  A search on Cisco's website for both NAC and 802.1x will provide a lot of useful links.
  Jon

• I just installed Firefox and I can't seem to be able to add my AVG toolbar to it. I already had AVG Internet Security before I installed Firefox. How do I add the AVG toolbar?

  I just installed Firefox and I have been trying to add the AVG toolbar to it but I just can't seem to be able to do that. I already had AVG Internet Security before installing Firefox today. Does anyone know how I can add the AVG toolbar to Firefox?

  It seems no one here is familiar with this application.
  Which IE settings need to be changed? While Firefox doesn't have the same approach to security (e.g., by "zone") there may be some parallels.
  In case the problem is the built-in PDF viewer introduced in Firefox 19, try the steps in this article: [[How to disable the built-in PDF viewer and use another viewer]].
  Does that make any difference?

• Questions about the differences between Arch and Chakra.

  I'm trying to decide whether to install Arch or Chakra on my laptop. Currently, I'm running Arch on my desktop and Windows 7 on my laptop (which I plan to overwrite). My skill level with GNU/Linux is somewhat intermediate – noobs refer to me as an expert, experts refer to me as a noob. If it matters, I'm a KDE user and primarily use my computers for web browsing and python development. Anyway, I just wanted to get an objective opinion on the differences between Arch and Chakra. I have a few points that stand out to me, but I welcome any input.
  -Stability
  I started my journey into GNU/Linux with Debian back in 2009 due to it's stability. I really disliked Debian's ancient software and considered moving my system to Unstable. While doing some googling about Debian Unstable, I stumbled across Arch – it was love at first sight. I've been an Arch user ever since. I love the bleeding edge software, and haven't had any major problems since I originally installed it. However, every time I run a system update I cringe a little. While Arch hasn't broken on me yet, I've read plenty of horror stories and it makes me uneasy. I understand that Chakra is a mix between a point and rolling release model. Is it any more or less stable than Arch? I know there are other distrobutions out there, but I'm in love with the Arch philosophy.
  -Security
  Pretty self-explanatory, but is there any difference in security between the two?
  -AUR
  As much as I love Arch, I wouldn't be able to stand it if it weren't for the massive collection of software available in the AUR. While I'm perfectly capable of compiling software myself, I prefer to use a command like tool like yaourt to manage my software. I understand that Chakra doesn't officially support the AUR and that they have their own user repository. Seeing as Chakra is still relatively new, is it lacking? Will I miss the AUR as a Chakra user?
  -Repositories
  Is there much difference in the official repositories between the two distrobutions?

  avonin wrote:
  I'm trying to decide whether to install Arch or Chakra on my laptop. ... I'm a KDE user ... I just wanted to get an objective opinion on the differences between Arch and Chakra..
  -Stability...
  -AUR...
  -Repositories...
  My take on Chakra is that it's the same as Arch with different developers.  They use pacman. They have a different and rather nice build system for their developers. They're doing a good job, but I'd hate to give up the services of Allan McRae who must work full time keeping the Archlinux core and toolchain up to date.  Chakra devs probably piggy-back off his work.
  As for "semi" rolling: I don't see Chakra as having a stable core.  A stable core sounds attractive, it would be like NetBSD which has a very stable core Unix operating system with apps added via pkgsrc.  But Chakra's core and toolchain is at the same version levels as Archlinux most of the time and are no more tested and stabilized than ours. Their core packages are updated piecemeal just like ours; there is no stable core that is released as a unit (afaik). Today Chakra has gcc 4.7 / glibc 2.15 just like ours. Their kernel is a little more stable: they're using udev 181 / linux 3.2.8 while Arch is on udev 182 / linux 3.3.7.  They are more conservative in upgrading xorg and the video drivers than Arch.  For example, today they're on xorg-server 1.10.4 / intel video 2.17 while Arch is up-to-the-bleeding-edge-minute with xorg-server 1.12.1.902 and intel video 2.19.  Yeah, I would consider Chakra to be a little more "stable" than Arch mainly because of their relaxed pace in changing the kernel and the xorg stuff.
  Most of the patches that I look at for Arch packages (I build my system entirely from source and try to build monthly releases for myself) are needed because we use more recent core packages like glib2/glibc/gcc than the developers of higher level stuff like qt.  Chakra is in the same situation.  We're on the front of the wave
  The Chakra CCR is compatible with the Arch AUR and mainly draws from AUR (an AUR buildscript will usually work fine on a Chakra system -- they just add one or two additional info fields.)  With a little effort you could get any package installed on a Chakra system that is available on Arch.
  Last edited by sitquietly (2012-05-24 20:43:58)