Omarchy is not a secure distribution and should be taken off the Linux installation options

This is not about DHH, who I do not like. This is about his idiotic security decisions and how they could end up reflecting badly on Framework even in non-political contexts.

Most of this will be a bullet point version of https://xn–gckvb8fzb.com/a-word-on-omarchy, specifically the part on security. You should read the whole thing, it’s a good article, if a tad elitist.

1. Up until Omarchy 3.1.0, despite claims otherwise from 2.1.1, the firewall, despite being configured, was not actually turned on. This does not inspire confidence that other security systems are working.
2. Said firewall also allows SSH through by default, which is not a bad thing on its own if you are a developer, but OpenSSH is kept at its insecure defaults on installation. This opens up an everyday user’s computers to brute force attacks that would not be possible by default on Windows and MacOS. It really should be off by default, so that users who need it will go on the Arch Wiki and see all the warnings.
3. Hansson says he takes security seriously, but does not make use of security mechanisms built into the kernel such as Linux Security Models, does not use the linux-hardened kernel by default, or patch stuff to use musl and hardened_malloc, among other things. Instead, he has weakened it by increasing the number of password retries and decreasing faillock timeouts.
4. Some of his scripts commit the cardinal security sin of piping curl into sh. This essentially executes code from the internet without review. Hope that domain DHH is getting scripts from isn’t hijacked by a paranoid NSA!
5. Omarchy uses ad-hoc bash scripts instead of proper packages. This makes security issues hard to find. It also proves that DHH knows less about Arch packaging than me, someone who lives with their parents and just had to go back to load the dishes twice. Arch packaging is really that simple if you know shell scripting.

All of these tell an informed buyer of Framework one thing, no matter their political orientation: that Framework knows nothing of actual security and does not vet the distros it recommends. I hope Nikev learns from this why most programmers pragmatically don’t like racists: the code they write is all form and no function and they have no idea of the deeper parts of a system.

If you want an Arch distro that’s easy to install and use by the layperson to replace Omarchy, might I recommend EndeavourOS? It’s basically Arch with a GUI installer, and I trust them far more than DHH, who has proven he has not even heard of PKGBUILD, the fundamental packaging format of Arch Linux. Hell, even Manjaro would be better than Omarchy, as the distro maintainers, inept as they are, at least try to be friendly to GUI users, even if it ends up falling kind of flat.

If you really need something to show investors what open source can do, might I recommend installing CachyOS with Niri? It can be configured to look almost as good as Hyperland, it’s far better at handling the modern app ecosystem, and it makes its benefits known after you open two applications by default. I can personally promise you that it would be very compelling to anyone who has had to wrestle with iPadOS’s window management, and that Niri would be an excellent WM to sponsor.

That being said, if you are done reading this and want to say something, please try to keep the conversation on DHH to laughing at his mistakes, as I would argue the nature of those mistakes reveal far more about DHH than his posts. That being said, lambasting me or the author I paraphrased from for being a moron is not off-limits.

[Removed by moderators] You see, Omarchy is just Linux, Arch Linux to be exact. On Linux, you have full control over everything you are upset about. You have the power to change it all yourself. Omarchy may be opinionated in usability, but that doesn’t mean un-changeable. All you have to do is dive in, learn, and have fun!

[Removed by moderators]

One that comes with an ISO almost 3-ish times the size of vanilla Arch, executes a whole bunch of hacky scripts, and requires about 2 more gigs of package installs??

While the post might be alluding to DHH, the crux of the discussion here and in the attached blog post do all justice to stick to rating Omarchy and presenting the pros and cons of the project. I believe this is completely valid and separate from the other thread we are both thinking about.

Do I believe that Omarchy has some good ideas with terrible execution? Yes. This is before we even get into the details of the other thread, and I’ll refrain from my personal opinions on the project author.

Do I believe that creating yet another distro is the way out here?? Personally no, but that is the beauty of Open Source. I’d even be open to creating a better fork of Omarchy.

If you are into security you should look at secureblue, it’s a fedora atomic based distro (kind of) with focus on security. I’d call it the grapheneos of computers, it even has it’s own browser (and the hardened malloc you mention and much more, check secureblue.dev for features). edit: i only use secureblue, i would actually feel dirty and insecure on any other system :)) (and grapheneos on phone, openwrt on router)

The packaging is even more terrible than I thought. I have also seen quite many posts regarding broken systems after the installation, on reddit and on the Omarchy github issue tracker.

CachyOS with Hyprland WM could be also a good alternative here (if you want to have Hyprland), but for those only, who accept the idea of Arch, and are willing to read its wiki, when things break. For those, who want to have good OOTB experience, with lesser risks on breaking the system during first install, or during a later update - indeed, why not choosing Fedora, Mint or other well known distro instead ?

I do not fully agree nor understand this statement. So, we are only allowed to point out the mistakes ? What if DHH actually did something right as well ? Omarchy has problems, but i.e. also provides a nice and usable UI according to its users. Some people like it, and some people copied its configurations to their Hyprland setups. Can we not credit him then ?

Alternatively, some people here want to bash everything related Omarchy too much - mainly just because its is lead by DHH. In my opinion, its better if DHH keeps his focus on something more useful (such as Omarchy, even with all its flaws) instead of writing another controversial post in his blog.

EDIT: actually @kxh already summarized my thoughts in the post above. I also approve that someone could fork the Omarchy project, i.e. creating a version that replaces all the suspicios 3rd party AUR installs and webapps with open-source alternatives.

Quick PSA: the website you linked to does a fun prank where it substitutes the title and favicon with something else that may be undesirable to find in your tab list when you switch tabs (i think thats what triggers it). If visiting it, you should disable javascript (it works fine without js).

Other than that, it was a very good read. I am shocked to see that omarchy is quite that much of a mess, and I think that this is a strong (technical) reason for Framework to stop giving them publicity (to avoid unsuspecting users from being plunged into the deep end of linux system administration when their distro abruptly breaks) [removed by moderators].

Gotta be honest that’s a pretty neat troll

I would assume that was meant as “please limit DHH criticism to the technical aspects and discuss the politics side elsewhere” and not “please only criticise DHH, don’t praise him”. Language can be fuzzy like that.

This ignores the power of defaults. Most people will never change default settings and more so when you need to have the knowledge of where to find/change those settings. Bonus difficulty when you need to understand the setting. Your argument works for the reverse too. Sane defaults can be changed as part of the experimentation/learning process. There is no benefit to not having sane defaults and a great deal more to lose.

[Political message removed]

I personally haven’t used Omarchy and really never planned to. I’m far more interested in projects like Bazzite that also aren’t really distros but more of an opinionated install of Fedora Kinoite/Silverblue. That or Pop_OS if I really want to try tiling. COSMIC looks interesting.

Is there a list of recommended Linux distros other than the frame.work/linux page? If Omarchy was on there at some point, then it has been removed quite a while ago. I am not sure what concrete change is being proposed here.

Okay, that got me curious. Omarchy has a script to install Tailscale which follows the official Tailscale installation instructions and uses curl, but this looks like an opt-in feature? In comparison, my beloved Bazzite (a recommended distro for most FW computers) comes with Tailscale preinstalled through a third-party RPM repo. Is that fundamentally better than the curl call to the same domain? I don’t want or trust Tailscale to begin with, so that seems like a pretty arbitrarily drawn red line to me. But I also don’t want FW to do the boring thing and only recommend super-safe choices like RHEL and Ubuntu.

(It doesn’t even seem like the Omarchy team is fully oblivious to supply chain issues, given that they have worked to reduce their reliance on the AUR, but I don’t follow the project too closely.)

Great, then Framework should support Arch, and not Omarchy. Supporting Omarchy is support for the additional defaulted configuration that it brings.

You know whats awesome about Linux? You can contribute….so instead of complaining about Framework supporting Omarchy and DHH, which is what this really is, you could actually contribute to the OS and make it better?

This. Omarchy is blasting off like a rocket ship!!!

We are allowing this post to remain separate so long as the discussion remains technical in nature. Any non-technical posts should be posted in the existing thread about Omarchy and DHH. Any political posts will be moved to the other thread or deleted (political messages in otherwise technical posts will be edited out with a note). We will be strictly enforcing our normal community guidelines in this thread.

You deleted my posts offering simple Linux advise that was not political at all, it’s even quoted by a few in here. You are clearly biased in your moderations.

Re-reading now, I see that the bulk of the message was technical and I have reinstated it. Two excerpts were removed (as indicated in the edited message) for violations of the community guidelines. In the future, please send a direct message to the @moderators group to raise concerns about moderation decisions.

you seriously complaining and warning about: ssh enabled and reachable. your complaint? do you read what they describe about themselves on the very first

https://learn.omacom.io/2/the-omarchy-manual/91/welcome-to-omarchy

Welcome to Omarchy! #

Omarchy is an omakase distribution based on Arch Linux and the tiling window manager Hyprland. It ships with everything a modern software developer needs to…..

developers. exactly. so why are you complaining about firewalls being configured this or that way making only sense if you were a developer. thats exactly how they advertise themselves right from the start.

I don’t believe Omarchy ever was on the list. Here is the history of frame.work/linux: Wayback Machine

It being enabled is not as much of a problem (also not sure if that is even the case, the article makes it sound like it is just the firewall exclusion that is configured and the service isn’t enabled by default, just like the firewall itself) as it being implemented pretty half assed.

Many of us who find certain aspects of the Linux community not to our liking prefer Haiku which to a large extent has avoided all this sectarian nonsense. Part of it is being small enough to fly under the radar of most political zealots, the other is a community that works hard to prevent fragmentation.

I think you will find us (and our operating system!) most welcoming.