Canonical Developer Criticizes Linux Mint's Security


  • #46
    Originally posted by prodigy_
    That's Canonical developers for you - only good at "developing" cheap PR. And their boss is their mentor.
    Lol, a couple of devs for one open source project complain about another set of devs of another open source project on a mailing list that about 5 people will see. PR, you keep saying that word, but I don't think it means what you think it means. Just a bunch of whiners whining about another bunch of whiners, while a bunch of whiners whine about it on the biggest whiner forum known to man.



    • #47
      Originally posted by dh04000
      Lol, a couple of devs for one open source project complain about another set of devs of another open source project on a mailing list that about 5 people will see. PR, you keep saying that word, but I don't think it means what you think it means. Just a bunch of whiners whining about another bunch of whiners, while a bunch of whiners whine about it on the biggest whiner forum known to man.

      Originally posted by NothingMuchHereToSay
      I'm looking through this thread and obviously there's waaaaaay too many Linux diehards in here. Are you people trying to justify your delusions by saying that wikipedia has a long lasting bug that makes Canonical's Ubuntu more popular than your favorite distro? From the eyes of an outsider that joined Linux because of Ubuntu back in 2008, I have to wonder how you people are completely missing the point when it comes to marketing.

      Sadly, they are for real. Warped and twisted their minds have become. Everything they see is a plot or a conspiracy, or evidence to support their own bloated and diseased world view. Really, there is no news here, just FOSS dev complaining.



      • #48
        It's annoying once I mess up my posts, the edit limit takes away my ability to fix them.. :/



        • #49
          Here is the response from Mint

          Hi Clem, can you look at this article http://www.phoronix.com/scan.php?pag...tem&px=MTUxNzY ? How serious is a Mint security problem from your point of view? Thanks for reply

          Edit by Clem: We’re very happy with the filtering system (which you can configure if you’re not satisfied with the default settings). We explained why the Ubuntu update policy was not good enough for us and we consequently developed the update manager to solve that particular problem. That all happened in Linux Mint 3.1… in 2007. Do we need to explain it again in 2013, in the middle of an RC because somebody at Canonical doesn’t understand it? No, filtering doesn’t work the way that dev thinks. No, Firefox doesn’t come to you later in Mint than it does in Ubuntu (it’s a level 2 update). Yes, by default you get updates in Ubuntu for kernels and Xorg and not in Mint. Yes, there’s a very good reason for that.



          • #50
            Mint doesn't "disable" updates per se, they simply categorize updates in 5 levels, from 1 to 5. Each update is given a level from 1-5. Updates that are levels 1-3 are shown by default, and suggested to be installed (the checkbox comes pre-checked). Updates that are ranked at levels 4-5 are not shown by default, and when shown are not suggested to be installed (checkbox comes unchecked).

            All of this behaviour is user-configurable, if you want ALL THE UPDATES (all of them) then all you have to do is go to the update settings and set all update levels to be updated by default.

            This is to say, no updates get installed automatically in Mint. All updates require root permissions (unlike in Ubuntu) to be installed (but you only have to enter the password once per session, which is a much more intelligent way of doing it than the Ubuntu way of not requiring a password at all). So the only difference between the levels is, which updates the installer suggests that you should install, that's all.

            The reason for dividing updates to levels is that some updates have been known to cause instability in the system, so in Mint it is thought to leave it up to the discretion of the user whether to accept those updates and when. There aren't often any urgent security updates in the level 4-5 updates, almost all of them seem to be marked as "low urgency" when they come from Canonical, and relatively few of them contain actual security updates.

            Comment
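
Added example, not part of any post in this thread: one way to see whether kernel or Xorg updates that are still pending come from the distribution's security pocket, by parsing the output of `apt-get -s dist-upgrade`. The sample output is constructed, and `HELD_BACK_PREFIXES` is a hypothetical stand-in for the packages Mint rates level 4-5, which the thread does not list.

```python
import re

# Constructed sample of `apt-get -s dist-upgrade` output (simulation only; installs nothing).
SAMPLE = """\
Inst linux-image-3.8.0-19-generic [3.8.0-19.29] (3.8.0-19.30 Ubuntu:13.04/raring-security [amd64])
Inst xserver-xorg-core [2:1.13.3-0ubuntu6] (2:1.13.3-0ubuntu6.1 Ubuntu:13.04/raring-updates [amd64])
Inst firefox [21.0] (22.0 Ubuntu:13.04/raring-security, Ubuntu:13.04/raring-updates [amd64])
Inst gedit [3.6.2-0ubuntu1] (3.6.2-0ubuntu1.1 Ubuntu:13.04/raring-updates [amd64])
Conf firefox (22.0 Ubuntu:13.04/raring-security, Ubuntu:13.04/raring-updates [amd64])
"""

# Assumption: name prefixes standing in for the kernel and Xorg packages that the
# thread says are not selected by default; adjust to the real level 4-5 list.
HELD_BACK_PREFIXES = ("linux-image", "linux-headers", "xserver-xorg")

# Inst <name> [<installed>] (<candidate> <origin>[, <origin>...] [<arch>])
INST = re.compile(r"^Inst (\S+)(?: \[([^\]]+)\])? \((\S+) (.*?)(?: \[\w+\])?\)")


def pending(sim_output):
    """Return (package, installed, candidate, from_security_pocket) per 'Inst' line."""
    rows = []
    for line in sim_output.splitlines():
        m = INST.match(line)
        if not m:
            continue  # 'Conf' lines, headers and notes are not pending installs
        name, old, new, origins = m.groups()
        # An origin looks like 'Ubuntu:13.04/raring-security'; keep the pocket part.
        pockets = [o.strip().rsplit("/", 1)[-1] for o in origins.split(",")]
        rows.append((name, old, new, any(p.endswith("-security") for p in pockets)))
    return rows


def held_back_security(sim_output, prefixes=HELD_BACK_PREFIXES):
    """Names of pending security-pocket updates that match the held-back prefixes."""
    return [name for name, _, _, sec in pending(sim_output)
            if sec and name.startswith(prefixes)]


if __name__ == "__main__":
    for name in held_back_security(SAMPLE):
        print("security update pending for held-back package:", name)
```

On a real system, feed the function the text produced by `apt-get -s dist-upgrade`, which runs without root because it only simulates.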


            • #51
              I don't give a fuck of any of the bullshit that I'm reading. The only thing I know is that my server in production with Ubuntu 12.04 got fucked up from this Linux kernel exploit once a hacker got into a shitty Joomla installation: http://blog.zx2c4.com/749



              • #52
                Originally posted by FLHerne
                Because it allows random people to anonymously perform far more actions than they can if not logged in, and there only needs to be one badly-thought-out interaction between two permitted actions to give them full access.
                Well, "people that have physical access" != "random people", and if your OS has obvious permission escalation breaches, I'm not sure you can trust it anyway.

                Also, there only needs to be one security breach in your browser to allow remote code execution, so by that reasoning, any system with a browser is a compromised system.



                • #53
                  Originally posted by Goddard
                  Saying DistroWatch is a bad source is just like when my teachers would say Wikipedia is a bad source. It always felt like a discrediting statement especially when I would write papers sourcing the material, but say it came from an encyclopedia. In other words it may not be as good as getting a piece of software on every single Linux system reporting which distro they are using, but it is as good as it gets.
                  Do you visit DistroWatch and click on your distro periodically? Because I don't know of a single individual that does. That's why it is not representative. DistroWatch is useful to read about distros. Usually, you already know what's in there for your distribution, and you'd only enter to compare a few if you want to switch. So, neither bounds one user to one distro (and the common case is that one user uses only one distro) nor to the distro he or she uses.

                  Originally posted by prodigy_
                  Yes, it's a pure coincidence that the most popular distros are on top of the list.
                  Yes, it is. Well, not a complete coincidence, as what it measures is curiosity about such distributions, but yeah, it has nothing to do with the number of users.



                  On the Mint issue, with information I've found on this thread I changed my mind. I thought this was a serious problem in general, because it sounds like they don't dispatch the updates, not like they are optional. If the user knows what he/she's doing, Mint is as secure as their upstream, Ubuntu, is. It is not so moron friendly as Ubuntu, though, having the user to think about the updates.



                  • #54
                    Originally posted by dee.
                    All updates require root permissions (unlike in Ubuntu)
                    Ubuntu requires super user permissions to install updates. Ubuntu doesn't have a root account by default.



                    • #55
                      Originally posted by NothingMuchHereToSay
                      I'm looking through this thread and obviously there's waaaaaay too many Linux diehards in here. Are you people trying to justify your delusions by saying that wikipedia has a long lasting bug that makes Canonical's Ubuntu more popular than your favorite distro? From the eyes of an outsider that joined Linux because of Ubuntu back in 2008, I have to wonder how you people are completely missing the point when it comes to marketing.
                      Are you suggesting that Ubuntu really has 50x more users than any other distro, and that twice as many people use tiny distros than the combined userbases of all well-known distros including Ubuntu?
                      Because that's what those WP stats say, and your dismissal is based on the premise that they're accurate.



                      • #56
                        Originally posted by Pajn
                        Ubuntu requires super user permissions to install updates. Ubuntu doesn't have a root account by default.
                        There is no such thing as a super user. If you mean the command su: That stands for "switch user" and switches to root by default (but you can use it to switch to any user).
                        Do you mean you need root permissions? If so: Are you required to enter your root password? Or is there no password at all? Or do you have root privileges all the time? If you say no to the first and/or yes to the second/third question Ubuntu is a very insecure distro.

                        BTW: All those questions are serious, I never used Ubuntu myself.



                        • #57
                          Originally posted by FLHerne
                          Are you suggesting that Ubuntu really has 50x more users than any other distro, and that twice as many people use tiny distros than the combined userbases of all well-known distros including Ubuntu?
                          Because that's what those WP stats say, and your dismissal is based on the premise that they're accurate.
                          For reference: These are the numbers from Wikimedia (mostly Wikipedia visitors) http://stats.wikimedia.org/wikimedia...ingSystems.htm

                          I think Wikimedia can accurately detect Ubuntu. They probably cannot accurately detect other distros besides Android, and those hide in the "Linux Other", which lumps together the various desktop and mobile distros. Let's make an uneducated guess that there is a 50/50 split between desktop (ChromeOS etc.) and mobile (Maemo/Meego, WebOS, OpenEmbedded etc.) in "Linux Other". This means that Ubuntu has maybe 50% share of the desktop market, which kind of agrees with other available numbers.

                          For the cloud market, on Amazon EC2, we have Ubuntu at around 52% share, along with a generic 25% "Linux" lump: http://thecloudmarket.com/stats#/totals

                          An older survey was done as part of Linux.conf.au 2010, a conference for Linux professionals, and it showed Ubuntu at 69.3%, twice as much as the next distro Debian, which was used by 35.5% (multiple distros could be named by respondents).

                          I think it is plausible that Ubuntu runs on more than half and less than two thirds of all non-mobile Linux computers. Not 50x more share for sure.



                          • #58
                            Originally posted by TAXI
                            Are you required to enter your root password? Or is there no password at all? Or do you have root privileges all the time? If you say no to the first and/or yes to the second/third question Ubuntu is a very insecure distro.
                            Ubuntu uses the sudo mechanism. If the user is in the admin group, he can use the sudo command to run tasks with superuser privileges. Ubuntu will ask for the user's password then.

                            There is no password for the root account set by default. Before you can use the root account, you need to set a password (but it is not necessary as described above).

                            Comment
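
Added example, not part of any post in this thread: a small audit of the two things the sudo discussion above turns on, namely what state the root account's password field is in and who belongs to the groups that are granted sudo. The file excerpts are constructed, and checking the `admin` and `sudo` groups is an assumption; which groups actually carry sudo rights is decided by `/etc/sudoers` on the machine.

```python
# Constructed excerpts in the formats of /etc/shadow and /etc/group (not from a real machine).
SHADOW = """\
root:!:15800:0:99999:7:::
daemon:*:15800:0:99999:7:::
alice:$6$CONSTRUCTED$notarealhash:15800:0:99999:7:::
"""
GROUP = """\
root:x:0:
sudo:x:27:alice
admin:x:110:bob,alice
users:x:100:carol
"""


def password_state(field):
    """Classify the second field of an /etc/shadow entry."""
    if field == "":
        return "empty"    # account accepts a login with no password at all
    if field[0] in "!*":
        return "locked"   # no password can match, so password login is impossible
    return "set"          # a password hash is present


def account_state(shadow_text, user="root"):
    """Return 'empty', 'locked' or 'set' for the user, or None if the user is absent."""
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0] == user:
            return password_state(parts[1])
    return None


def group_members(group_text, groups=("admin", "sudo")):
    """Users listed as members of the given groups (assumed to be the sudo-capable ones).

    Only supplementary members appear here; a user whose primary group is one of
    these is recorded in /etc/passwd instead and is not covered by this check.
    """
    members = set()
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in groups:
            members.update(m for m in parts[3].split(",") if m)
    return sorted(members)


if __name__ == "__main__":
    print("root password field:", account_state(SHADOW))
    print("members of admin/sudo:", ", ".join(group_members(GROUP)))
```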


                            • #59
                              Apparmor is still in repo, you will notice this if you are USING it

                              Originally posted by monraaf
                              The update defaults in Mint made me leery. Finding that they remove AppArmor for no good reason meant it was not going to be my main OS.

                              Mint favors usability/appearance over everything. Not that I fault them but it shouldn't surprise anyone that Mint isn't an Enterprise OS.

                              Ubuntu on the other hand claims to be an Enterprise OS and doesn't backport all security patches. Care to explain this Mr. Shuttleworth?
                              Since Mint uses Ubuntu Repos, Apparmor is still in repo. In Ubuntu by default, Apparmor is disabled for the browser, the single most important place to use it! Since I use a custom Firefox profile with Apparmor, I would notice a missing /etc/apparmor/d directory very quickly and fetch the package after a new install from a Mint installer. If I am setting up a machine for someone else, I cannot use that Apparmor profile anyway as people would wonder why all the restrictions. I use the Apparmor profile as part of a layered defense to make CIPAV-type policeware harder to push to my machines used for activist work, it's not necessary for most users. If something REALLY counts I am going to use Tails, a specialized Tor-based security distro that runs from an immutable live image.

                              Mint does not claim to be a specialized security distro, Tails it is not and need not be. Webservers are another specialized use, requiring maximum security. Since Mint differs from Ubuntu mostly in the DE, why would anyone need a "mintserver" installer anyway?



                              • #60
                                Originally posted by Mike Frett
                                The truth is, if you are using anything other than a main distro and are focused on security; you're using the wrong distro. Things like Mint are for experimentation and hobby purposes.
                                Again, the only difference between Ubuntu and Mint Updates is the _default_ setting of Mint to not update things like Xorg and Kernel (level 4 and 5 updates). Enable the Level 4 and 5 Updates (by Mouseclick) and from now on you have the exact same update behavior just like Ubuntu...

                                It might be a good idea to point Ubuntu -> Mint changers to this difference in default setting (so they can decide how conservative they want to be), but that's all, why this whole drama about it?
                                ...And WTF took that Canonical guy to pretend that Mint (not talking about LMDE by the way) does not get Browser updates at the same time as Ubuntu
