by mtlynch 238 days ago
These criticisms all feel very nitpicky and subjective. So many of them seem to boil down to, "this is an opinionated configuration, but their opinions differ from my opinions."

This part was where I stopped taking the article seriously:

>Moreover, taking into account that the system relies heavily on sudo (instead of the more modern doas), and also considering that the default installation configures the maximum number of password retries to 10 (instead of the more cautious limit of three), it raises an important question: Does Omarchy care about security?

This is such a reflexive and petty critique. How many real world security breaches happened because a login prompt that requires physical access limited to 10 tries instead of the "more cautious" limit of 3? And do you even care about security at all unless you limit to the even more cautious limit of 2?

8 comments

This seems pretty valid if true:

Moreover, the entire Omarchy ecosystem is held together by often poorly written Bash scripts that lack any structure, let alone properly defined interfaces. Software packages are being installed via curl | sh or similar mechanisms, rather than provided as properly packaged solutions via a package manager. Hansson is quick to label Omarchy a Linux distribution, yet he seems reluctant to engage with the foundational work that defines a true distribution: The development and proper packaging (“distribution”) of software.

Because it's opinionated? So maybe there are scripts that use sudo, and perhaps he needs more than 3 tries to fat-finger his password?

Personally, my opinion, I use sudo, and if I take more than 3 goes then I deserve a timeout to get my act together. Anyway, 10 attempts isn't enough to brute-force a decent password, and if brute-forcing is a concern then add 2FA codes or hardware.

There's more serious concerns in the article though - the part about the screensaver / hyprlock? That's just security theatre.

I’m all in for opinionated software, but not in the cases it is made by people… (if not vibe-coded, lol) by incompetent people. That’s what the article is about if you were to read it longer than you mentioned. Great that you are the top comment, summarises this community for me.
What about just ignoring package signatures?

https://github.com/basecamp/omarchy/blob/master/default/pacm...

That was my feeling.

I find it somewhat ironic that he calls out the security aspect of it without considering the audience.

I feel the tracking for advertising is a lot more of a security issue than the chances of somebody brute-forcing a laptop password.

>This is such a reflexive and petty critique. How many real world security breaches happened because a login prompt that requires physical access limited to 10 tries instead of the "more cautious" limit of 3?

God, this comment is funny to me. This is pulled straight from this website (https://learn.omacom.io/2/the-omarchy-manual/93/security)

> Omarchy takes security extremely seriously. This is meant to be an operating system that you can use to do Real Work in the Real World. Where losing a laptop can’t lead to a security emergency.

lol Are you saying that a distro that makes this kind of claim shouldn't be concerned with the amount of times you can type in a wrong password? Especially since it's not vetting the actual security of the password itself?

How many times does your bank allow you to type in the wrong password? Is it 10? C'mon.

>lol Are you saying that a distro that makes this kind of claim shouldn't be concerned with the amount of times you can type in a wrong password? Especially since it's not vetting the actual security of the password itself?

It should, but anything below 100 guesses or so is kind of fine, unless the attacker knows you and has good guesses about your password.

Let's be generous and assume a six character password of all lowercase letters. That's 26^6 possible passwords. That's 3x10^8 possible passwords.

3 guesses means that you have a 0.000001% chance of guessing the password, whereas 10 guesses means your chances are 0.0000032%. Are you worried about a 0.0000022% difference?

The odds are slightly scarier if you limit it to English words, but I still doubt that 3 vs. 10 has any meaningful difference in practical terms.

I'm not seeing why 10 is so significantly worse than 3... How big of a difference is that, really? I believe it took something like 6 failed attempts for my bank to lock me out.
But why change the default? Is this in the top 10 things you would do after installing your distro of choice?

To me, this indicates a lack of judgement around what should be prioritised, which is reflected across the many issues the post raises. Naturally judgement is an acquired skill, which novices lack (and which they gain through experience and guidance), but given the big names associated with the project, that doesn't reflect well on their other projects.

> lol Are you saying that a distro that makes this kind of claim shouldn't be concerned with the amount of times you can type in a wrong password?

I will absolutely say that a distro making that claim should not worry about the difference between 3 and 10 password attempts on sudo (i.e. when you're already logged in).

> Especially since it's not vetting that actual security of the password itself?

Yes, that should be fixed. But it's a separate matter.

> Yes, that should be fixed. But it's a separate matter.

Sure, because the complexity of your password and the amount of tries you get before you're locked out historically don't affect each other lol.

At this scale? No, no they do not. Even if you know my password is a single dictionary word in lower case, the odds of you guessing it in 3 vs 10 guesses is negligible.

In fact, let's do this right now: I've just thought of a random English word and written it down. I'll give you 20 guesses. Guess it right and I'll agree with you.

This has to be satire. HAS TO BE.

"Hey guys, I'm going to prove that an OS that claims that you don't have to worry about security anymore is actually secure by asking a total stranger to guess my password"

lol.

Since it's so flimsy and insecure, you should guess so you can prove how insecure it is. Alternatively, you could fail to do that, because 10 guesses is safe even against an awful password.
Agree with this 100%. The article reads as a super gatekeepy “he made different choices than me so I’m going to trash it and him” piece. The author’s perspective seems to be “how dare he use bash scripts! REAL programmers use system level languages”. Come on buddy.

Author claims there is no structure to the project but one look in the GitHub repo says there clearly is. Also, how many users will now try Arch (or Ubuntu via Omakub) as a result of this? If the answer is a positive number and DHH wants to put his time and weight behind it, that’s a good thing.

I'll admit I read only the summary linked at the beginning, so I surely skipped over minutiae that might have lost me. That said, I disagree with this and gp: the conclusion strikes me not as gatekeepy but reasonable and humane to inexperienced users:

> In fact, it is Omarchy that complicates things further down the line, by including a number of unnecessary components and workarounds, especially when it comes to its chosen desktop environment. The moment an inexperienced user wants or needs to change anything, they’ll be confronted with a jumbled mess that’s difficult to understand and even harder to manage.

> If you want Arch but are too lazy to read through its fantastic Wiki, then look at Manjaro, it’ll take care of you. [...]

> On the other hand, if you’re just looking to tweak your existing desktop, check out other people’s dotfiles and dive into the unixporn communities for inspiration.

That strikes me as very fair. I don't think it's gatekeeping to say that setting users up with a "distro" that eschews package management for a pile of curl|sh invocations is a bad idea for which there are much better approaches.

That commentary proves that the guy doesn't get it or is being a willfully obtuse hater. One of the big reasons people have been gravitating toward Omarchy is because they don't want to spend hours ricing or tweaking their desktop, they want to be getting shit done after a sub-15 minute install. And Omarchy does that very well. That's what omakase and "opinionated" mean.
That sounds fine for those first 15 minutes and maybe the first weeks though. What if a certain `curl | sh` fails after a month? What if I need some other stuff down the road? If anything, the article's criticism makes sense from the perspective of needing to get work done, and Omarchy seems to be focused more on the aesthetics. A package manager is exactly what is needed to get shit done instead of tweaking and troubleshooting stuff.

Omarchy is fine as an (opinionated) collection of dotfiles and configurations, but there are reasons proper distros are useful aside from wanting to spend time tweaking stuff or whatever. I don't see how the article talks about anything else than practical issues with it.

Omarchy is a very fast moving target at this point. I have every expectation that in the near future, they'll develop a package manager. I agree that Omarchy is not yet a "real distribution", but it's undeniable that it's rapidly heading in that direction.
No one should use this script, EVER. It's a disaster waiting to happen. DHH is a fucking liar, it's not even a distro and he's ripping off the hard work of Arch and several other open source projects and using it as his own creation