Announcement

Collapse
No announcement yet.

Canonical Developer Criticizes Linux Mint's Security

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #61
    Some have pointed out that Debian sid isn't quick with kernel updates, but there are some other options than running vanilla sid kernel. The siduction team (esp. 'towo') keeps their kernel pretty close to upstream, and I use that.

    I really wish Mint would get off the Ubuntu train and just follow Debian sid with rolling release model.

    Comment


    • #62
      Originally posted by DanL View Post
      I really wish Mint would get off the Ubuntu train and just follow Debian sid with rolling release model.
      Well, at least LMDE is based on Debian testing instead of Ubuntu.

      Anyway, here's Clem's reply to the "controversy": http://segfault.linuxmint.com/2013/1...you-configure/

      Comment


      • #63
        Originally posted by TAXI View Post
        There is no such thing as a super user. If you mean the command su: That stands for "switch user" and switches to root by default (but you can use it to switch to any user).
        Do you mean you need root permissions? If so: Are you required to enter your root password? Or is there no password at all? Or do you have root privileges all the time? If you say no to the first and/or yes to the second/third question Ubuntu is a very insecure distro.

        BTW: All that questions are serious, I never used Ubuntu for myself.
        There is no password for root (it doesn't mean you can log without password, it means you cannot log directly as root, with ssh for example).
        For administrative tasks, users must be in the sudoers file, and use sudo, with their own password.
        If you are admin (ie sudoer), you can su to root, but with your own password.

        Comment


        • #64
          Originally posted by Stebs View Post
          Again, the only difference between Ubuntu and Mint Updates is the _default_ setting of Mint to not update things like Xorg and Kernel (level 4 and 5 updates). Enable the Level 4 and 5 Updates (by Mouseclick) and from now on you have the exact same update behavior just like Ubuntu...
          You still won't get updates for Firefox or other packages provided by the Mint repos because they are pinned with a higher priority than Ubuntu packages. Mint's policy is to prioritize features and stability over security - for example in Mint 12 they shipped a vulnerable Java version for which there had been remote exploits in the public but they did not see the need to take action on this. See https://bugs.launchpad.net/linuxmint/+bug/890278

          Comment


          • #65
            Originally posted by TAXI View Post
            There is no such thing as a super user. If you mean the command su: That stands for "switch user" and switches to root by default (but you can use it to switch to any user).
            Do you mean you need root permissions? If so: Are you required to enter your root password? Or is there no password at all? Or do you have root privileges all the time? If you say no to the first and/or yes to the second/third question Ubuntu is a very insecure distro.

            BTW: All that questions are serious, I never used Ubuntu for myself.
            Ubuntu uses sudo (I thought it stood for superuser do, but see now that it just is substitute user do) together with no root account
            (well of coerce there is one as it's still Linux but I don't have a password and can't be used). Everything that requires root permissions
            have to go through sudo which, this is very good because if you have multiple users with root/sudo rights you will see which one who
            actually did al those creepy stuff.

            By default the first account is allowed to use sudo and uses it by providing its own password.
            So no you are not root by default and you are required to enter your own password, the logs will say that your account is responsible.

            Other accounts are not sudoers by default.

            Comment


            • #66
              I think we might have a whole new controversy here.

              Originally posted by Clem
              I personally talked to the legal dept. at Canonical (for other reasons, they’re telling us we need a license to use their binary packages)
              What the fuck is this about then?

              Comment


              • #67
                Mint Responds

                Here's the full context of dee's thread:




                Answering controversy: Stability vs Security is something you configure
                by clem 33
                18 Nov 2013 | General

                I hear a Canonical dev was more opinionated than knowledgeable and the press blew what he said out of proportion. I wouldn’t mind too much, if we weren’t finding ourselves answering questions from panicked users rather than working on what matters right now (i.e. Mint 16 RC).

                So I’ll be brief.

                About package updates:

                We explained in 2007 what the shortcomings were with the way Ubuntu recommends their users to blindly apply all available updates. We explained the problems associated with regressions and we implemented a solution we’re very happy with.
                Anybody running Mint can launch Update Manager -> Edit -> Preferences and enable level 4 and 5 updates, thus making their Linux Mint as “Secure” and “Unstable” as Ubuntu.

                Screenshot from 2013-11-18 14:31:53

                About Firefox updates:

                Linux Mint uses the same Firefox package as Ubuntu from the same repository. Firefox is a level 2 update so every Mint user receives it by default.
                LMDE, which is not based on Ubuntu, uses its own Firefox package. We’ve been slow in updating it by the past in LMDE (and that’s probably what confused the Canonical developer) but we took action and automated that. Firefox 25 was released on the 29th of October and updated in LMDE on the 30th.

                I personally talked to the legal dept. at Canonical (for other reasons, they’re telling us we need a license to use their binary packages) and it is clear they are confused about LMDE and Mint. They don’t know what repositories we’re using and they don’t know what we’re doing. We’re 2 years younger than them and they have no idea how many users we have (they use http://stats.wikimedia.org/archive/s...ingSystems.htm but don’t realize our user agent is “Ubuntu” since the days of Firefox 4 – Mint 9 if I remember correctly).

                I don’t really mind what people at Canonical understand or do not understand about us. I understand why the press and media sell controversy. I just really don’t want to waste time with this.

                From the feedback we’re getting so far, people love Mint 16 RC and we’ve got a superb release in our hands. It’s also full of bugs (https://github.com/linuxmint/Roadmap) and what we really want to do right now is not answer questions about how some guy who never ran Mint thinks it’s unsecure but get back to the code and fix as much as we can for Mint 16 to outperform Mint 15.

                If you were unaware of this controversy and you’re sad to see negativity, I’d like to apologize. I had to cut this short and make a public statement because the easiest way for us to focus on what matters and ignore this controversy is by linking people to this statement and not waste time answering people one by one, on the forums, on the IRC, and all over the Web.

                Comment


                • #68
                  If Canonical demands "licenses" for Mint to use Ubuntu packages

                  Originally posted by dee. View Post
                  I think we might have a whole new controversy here.



                  What the fuck is this about then?
                  That will be a GPL violation for any package distributed under the GPL. It will also cause a lot of people to stop contributing to Ubuntu, and force distros based on Ubuntu to dump them for Debian versions. If Ubuntu is REALLY going to act like Apple and try to stop derivative distros, there will be no choice but to throw them out of the open source community. Software you can be harassed by lawyers for redistributing is by definition NOT free and open source software. This could be a real test of the GPL in court if Ubuntu is really trying to go that way.

                  I am finished with Ubuntu if this story is confirmed, but will have to use a mishmash of PPAs targetting Ubuntu over Debian to mantain my system. Will be a dificult migration, starting with adding Debian Unstable to sources.list, setting APT to prefer Debian to Ubuntu, and then allowing updates over time to sweep out Ubuntu packages until I can migrate the startup system to whatever Debian transitions to (probably systemd if Upstart gets caught in this mess).

                  This is very serious if it is true and not FUD or someone's overreaction.

                  Comment


                  • #69
                    Hard to believe, isn't it?

                    That an uninformed/under-informed ubuntu developer could cause this much angst...

                    The "auto update manager" fight of ubuntu v mint is spreading all over net...

                    http://www.omgubuntu.co.uk/2013/11/l...ecurity-claims.

                    One thing that I see going against the pro-Canonical side of this debate is their recent dumbing-down of
                    update process in 13.10.....

                    I like the idea of having the individual choice to decide what is best for me. I do not wish to have a automatic "ubuntu patch-Tuesday" like M$ now has ....or is it "crash-Tuesday?"

                    To me, linux has and will be a matter of personal choice, not the amount of fan-boy press one can create.

                    Comment


                    • #70
                      An operating system is only as secure as it's operator.

                      Comment

                      Working...
                      X