Canonical Developer Criticizes Linux Mint's Security


  • #61
    Some have pointed out that Debian sid isn't quick with kernel updates, but there are some other options than running vanilla sid kernel. The siduction team (esp. 'towo') keeps their kernel pretty close to upstream, and I use that.

    I really wish Mint would get off the Ubuntu train and just follow Debian sid with a rolling release model.



    • #62
      Originally posted by DanL View Post
      I really wish Mint would get off the Ubuntu train and just follow Debian sid with a rolling release model.
      Well, at least LMDE is based on Debian testing instead of Ubuntu.

      Anyway, here's Clem's reply to the "controversy": http://segfault.linuxmint.com/2013/1...you-configure/



      • #63
        Originally posted by TAXI View Post
        There is no such thing as a super user. If you mean the command su: That stands for "switch user" and switches to root by default (but you can use it to switch to any user).
        Do you mean you need root permissions? If so: Are you required to enter your root password? Or is there no password at all? Or do you have root privileges all the time? If you say no to the first and/or yes to the second/third question Ubuntu is a very insecure distro.

        BTW: All those questions are serious, I never used Ubuntu myself.
        There is no password for root (it doesn't mean you can log in without a password, it means you cannot log in directly as root, with ssh for example).
        For administrative tasks, users must be in the sudoers file, and use sudo, with their own password.
        If you are admin (i.e. sudoer), you can su to root, but with your own password.



        • #64
          Originally posted by Stebs View Post
          Again, the only difference between Ubuntu and Mint Updates is the _default_ setting of Mint to not update things like Xorg and Kernel (level 4 and 5 updates). Enable the Level 4 and 5 Updates (by Mouseclick) and from now on you have the exact same update behavior just like Ubuntu...
          You still won't get updates for Firefox or other packages provided by the Mint repos because they are pinned with a higher priority than Ubuntu packages. Mint's policy is to prioritize features and stability over security - for example in Mint 12 they shipped a vulnerable Java version for which there had been remote exploits in the public but they did not see the need to take action on this. See https://bugs.launchpad.net/linuxmint/+bug/890278



          • #65
            Originally posted by TAXI View Post
            There is no such thing as a super user. If you mean the command su: That stands for "switch user" and switches to root by default (but you can use it to switch to any user).
            Do you mean you need root permissions? If so: Are you required to enter your root password? Or is there no password at all? Or do you have root privileges all the time? If you say no to the first and/or yes to the second/third question Ubuntu is a very insecure distro.

            BTW: All those questions are serious, I never used Ubuntu myself.
            Ubuntu uses sudo (I thought it stood for superuser do, but see now that it is just substitute user do) together with no root account (well, of course there is one as it's still Linux, but I don't have a password and it can't be used). Everything that requires root permissions has to go through sudo, which is very good because if you have multiple users with root/sudo rights you will see which one actually did all that creepy stuff.

            By default the first account is allowed to use sudo and uses it by providing its own password.
            So no you are not root by default and you are required to enter your own password, the logs will say that your account is responsible.

            Other accounts are not sudoers by default.



            • #66
              I think we might have a whole new controversy here.

              Originally posted by Clem
              I personally talked to the legal dept. at Canonical (for other reasons, they’re telling us we need a license to use their binary packages)
              What the fuck is this about then?



              • #67
                Mint Responds

                Here's the full context of dee's thread:




                Answering controversy: Stability vs Security is something you configure
                by clem 33
                18 Nov 2013 | General

                I hear a Canonical dev was more opinionated than knowledgeable and the press blew what he said out of proportion. I wouldn’t mind too much, if we weren’t finding ourselves answering questions from panicked users rather than working on what matters right now (i.e. Mint 16 RC).

                So I’ll be brief.

                About package updates:

                We explained in 2007 what the shortcomings were with the way Ubuntu recommends their users to blindly apply all available updates. We explained the problems associated with regressions and we implemented a solution we’re very happy with.
                Anybody running Mint can launch Update Manager -> Edit -> Preferences and enable level 4 and 5 updates, thus making their Linux Mint as “Secure” and “Unstable” as Ubuntu.

                Screenshot from 2013-11-18 14:31:53

                About Firefox updates:

                Linux Mint uses the same Firefox package as Ubuntu from the same repository. Firefox is a level 2 update so every Mint user receives it by default.
                LMDE, which is not based on Ubuntu, uses its own Firefox package. We’ve been slow in updating it in the past in LMDE (and that’s probably what confused the Canonical developer) but we took action and automated that. Firefox 25 was released on the 29th of October and updated in LMDE on the 30th.

                I personally talked to the legal dept. at Canonical (for other reasons, they’re telling us we need a license to use their binary packages) and it is clear they are confused about LMDE and Mint. They don’t know what repositories we’re using and they don’t know what we’re doing. We’re 2 years younger than them and they have no idea how many users we have (they use http://stats.wikimedia.org/archive/s...ingSystems.htm but don’t realize our user agent is “Ubuntu” since the days of Firefox 4 – Mint 9 if I remember correctly).

                I don’t really mind what people at Canonical understand or do not understand about us. I understand why the press and media sell controversy. I just really don’t want to waste time with this.

                From the feedback we’re getting so far, people love Mint 16 RC and we’ve got a superb release in our hands. It’s also full of bugs (https://github.com/linuxmint/Roadmap) and what we really want to do right now is not answer questions about how some guy who never ran Mint thinks it’s unsecure but get back to the code and fix as much as we can for Mint 16 to outperform Mint 15.

                If you were unaware of this controversy and you’re sad to see negativity, I’d like to apologize. I had to cut this short and make a public statement because the easiest way for us to focus on what matters and ignore this controversy is by linking people to this statement and not waste time answering people one by one, on the forums, on the IRC, and all over the Web.



                • #68
                  If Canonical demands "licenses" for Mint to use Ubuntu packages

                  Originally posted by dee. View Post
                  I think we might have a whole new controversy here.



                  What the fuck is this about then?
                  That will be a GPL violation for any package distributed under the GPL. It will also cause a lot of people to stop contributing to Ubuntu, and force distros based on Ubuntu to dump them for Debian versions. If Ubuntu is REALLY going to act like Apple and try to stop derivative distros, there will be no choice but to throw them out of the open source community. Software you can be harassed by lawyers for redistributing is by definition NOT free and open source software. This could be a real test of the GPL in court if Ubuntu is really trying to go that way.

                  I am finished with Ubuntu if this story is confirmed, but will have to use a mishmash of PPAs targeting Ubuntu over Debian to maintain my system. Will be a difficult migration, starting with adding Debian Unstable to sources.list, setting APT to prefer Debian to Ubuntu, and then allowing updates over time to sweep out Ubuntu packages until I can migrate the startup system to whatever Debian transitions to (probably systemd if Upstart gets caught in this mess).

                  This is very serious if it is true and not FUD or someone's overreaction.



                  • #69
                    Hard to believe, isn't it?

                    That an uninformed/under-informed ubuntu developer could cause this much angst...

                    The "auto update manager" fight of ubuntu v mint is spreading all over net...

                    http://www.omgubuntu.co.uk/2013/11/l...ecurity-claims.

                    One thing that I see going against the pro-Canonical side of this debate is their recent dumbing-down of the update process in 13.10.....

                    I like the idea of having the individual choice to decide what is best for me. I do not wish to have an automatic "ubuntu patch-Tuesday" like M$ now has ....or is it "crash-Tuesday?"

                    To me, linux has and will be a matter of personal choice, not the amount of fan-boy press one can create.



                    • #70
                      An operating system is only as secure as its operator.



                      • #71
                        Originally posted by chithanh View Post
                        For reference: These are the numbers from Wikimedia (mostly Wikipedia visitors) http://stats.wikimedia.org/wikimedia...ingSystems.htm

                        I think Wikimedia can accurately detect Ubuntu. They probably cannot accurately detect other distros besides Android, and those hide in the "Linux Other", which lumps together the various desktop and mobile distros. Let's make an uneducated guess that there is a 50/50 split between desktop (ChromeOS etc.) and mobile (Maemo/Meego, WebOS, OpenEmbedded etc.) in "Linux Other". This means that Ubuntu has maybe 50% share of the desktop market, which kind of agrees with other available numbers.

                        For the cloud market, on Amazon EC2, we have Ubuntu at around 52% share, along with a generic 25% "Linux" lump: http://thecloudmarket.com/stats#/totals

                        An older survey was done as part of Linux.conf.au 2010, a conference for Linux professionals, and it showed Ubuntu at 69.3%, twice as much as the next distro Debian, which was used by 35.5% (multiple distros could be named by respondents).

                        I think it is plausible that Ubuntu runs on more than half and less than two thirds of all non-mobile Linux computers. Not 50x more share for sure.
                        You're missing a major point, just because that many people visited Wikipedia or that Linux conference does not accurately represent the world usage and market share, it doesn't even come close.

                        When you measure the people visiting say, Wikipedia, then you are only measuring the market share of the people visiting the wikipedia website.


                        Besides, this is about security. Ubuntu is known for its enterprise OS for a good reason whether you like it or not. It is very secure.

                        That's not to say that Linux Mint isn't secure either. But a lot of you are ignoring the massive manpower that Ubuntu has over Mint and they simply would not be able to release every new version that comes out without breaking something.

                        But then you guys miss a bigger point that someone just gave, "It's only as secure as its operator." So shut your faces now, you trolls.



                        • #72
                          Originally posted by Pajn View Post
                          Ubuntu uses sudo (I thought it stood for superuser do, but see now that it is just substitute user do) together with no root account (well, of course there is one as it's still Linux, but I don't have a password and it can't be used). Everything that requires root permissions has to go through sudo, which is very good because if you have multiple users with root/sudo rights you will see which one actually did all that creepy stuff.

                          By default the first account is allowed to use sudo and uses it by providing its own password.
                          So no you are not root by default and you are required to enter your own password, the logs will say that your account is responsible.

                          Other accounts are not sudoers by default.
                          Ubuntu uses sudo to switch to the root account. A root account does exist and it has a password, but an impossible one, which makes it impossible to login as root or switch to root using su. There is no such thing as "sudo rights"; all that sudo does is elevate your rights to root rights based on the rules in its configuration.

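The distinction drawn in posts #63 and #72 above (a locked root password is not the same as an empty one), as an added example that is not part of any forum post: a shell sketch that classifies the password field of shadow(5)-format lines. The sample lines and the function names are constructed for illustration; on a real system the input would be /etc/shadow, read as root.

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5)-format lines.
# Sample data is constructed; real input would be /etc/shadow, read as root.

# classify_pw FIELD -> empty | locked | locked-hash | hashed
classify_pw() {
    case "$1" in
        '')            echo empty ;;        # no password needed to authenticate
        '!'|'*'|'!!')  echo locked ;;       # not a crypt(3) result: no password can match
        '!'*)          echo locked-hash ;;  # hash kept behind a lock marker (passwd -l)
        '*'*)          echo locked ;;
        *)             echo hashed ;;       # assumed to be a usable crypt(3) hash
    esac
}

# audit_shadow: shadow lines on stdin -> "user state" per line
audit_shadow() {
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_pw "$pw")"
    done
}

# root_state: state of the root entry only
root_state() {
    audit_shadow | awk '$1 == "root" { print $2 }'
}

# passwordless_accounts: accounts that really can log in with no password
passwordless_accounts() {
    audit_shadow | awk '$2 == "empty" { print $1 }'
}

# Constructed sample: Ubuntu-style locked root, one user with a real hash,
# one account with an empty field, one system account.
SAMPLE='root:!:16027:0:99999:7:::
alice:$6$constructedsalt$constructedhash:16027:0:99999:7:::
guest::16027:0:99999:7:::
daemon:*:16027:0:99999:7:::'

printf '%s\n' "$SAMPLE" | audit_shadow
echo "root: $(printf '%s\n' "$SAMPLE" | root_state)"
echo "no password required: $(printf '%s\n' "$SAMPLE" | passwordless_accounts)"
```

A `locked` root entry is the Ubuntu default the posters describe; an `empty` field on any account is the case worth alerting on.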


                          • #73
                            Originally posted by profoundWHALE View Post
                            You're missing a major point, just because that many people visited Wikipedia or that Linux conference does not accurately represent the world usage and market share, it doesn't even come close.

                            When you measure the people visiting say, Wikipedia, then you are only measuring the market share of the people visiting the wikipedia website.
                            Yes. But still, you will always have some bias if you don't make a direct census. Wikipedia is pretty much the most universally visited site, together with Google (although nowadays few people directly visit it, and instead use the search bar on their browsers, it should suffice to take data, I guess), so the bias should be as small as it gets.



                            • #74
                              Originally posted by Vim_User View Post
                              Ubuntu uses sudo to switch to the root account. A root account does exist and it has a password, but an impossible one, which makes it impossible to login as root or switch to root using su. There is no such thing as "sudo rights"; all that sudo does is elevate your rights to root rights based on the rules in its configuration.
                              Well, it's the same just using different words.
                              I tend to call it super user rights as that language tends to work with both Windows, Linux and OSX folks.



                              • #75
                                http://ograblog.wordpress.com/2013/1...l-in-my-mouth/

                                And there you have it.
