Canonical Developer Criticizes Linux Mint's Security


  • Canonical Developer Criticizes Linux Mint's Security

    Phoronix: Canonical Developer Criticizes Linux Mint's Security

    While Linux Mint is derived from Ubuntu's package-set, a Canonical developer has criticized the popular Ubuntu derivative for its handling of packaging upgrades that could leave the system in a vulnerable state...

    http://www.phoronix.com/vr.php?view=MTUxNzY

  • #2
    That's Canonical developers for you - only good at "developing" cheap PR. And their boss is their mentor.



    • #3
      Mint is vulnerable -- Agreed. No doubt.
      Canonical is vulnerable too with kernel updates. They don't backport all the fixes done from kernel.org. Instead of calling shots on Mint they should mind their own business of doing things right.

      Debian doesn't update all the security fixes in sid and sometimes they let it bit rot for weeks. I was told by a Debian developer that doing regular kernel updates is not a wise usage of the Debian resources.
      http://lists.debian.org/debian-secur.../msg00022.html
      Telling users that there is no security support in sid/Testing doesn't make me want to use Debian either.

      The distros that do timely security fixes are Fedora/RHEL & its clones, and Arch Linux is catching up, even better than openSUSE.
      The other distros are just super duper vulnerable.



      • #4
        Originally posted by prodigy_ View Post
        That's Canonical developers for you - only good at "developing" cheap PR. And their boss is their mentor.
        Even though this sounds like a campaign to discredit one of their most popular competitors, if what he says is true, there should be a serious concern about those issues.



        • #5
          At first I was confused by the title; I thought Mint didn't change much of anything that comes standard from Ubuntu/Debian. And if they did, surely they wouldn't let it become a potential issue.

          But I was wrong. Sorta. I can definitely see how this COULD be an issue at some point. Although, right now so few people use this platform that it isn't likely to be targeted in any major way, so I dunno if I would raise any red flags about it just yet. But it is always good to lean on the side of security if it's a reasonable option, so this could be a good moment for them to allocate some resources toward getting security patches included faster... If they have the extra resources to do so with. Which by itself could be an issue, over-stretching their workforce. Kinda like what Canonical does, minus the multi-millionaire funding the project.

          In any case, this could be considered constructive criticism, at least. A valid point was made and being proactive can't hurt.



          • #6
            Linux Mint and Cinnamon are awesome.

            I guess this is a good bit of information to have.

            It is letting any developer/package maintainer know that they should help the team.

            Linux Mint 16 is a real treat to use and I hope I can personally help when I get some extra time.



            • #7
              It makes sense when you have fewer developers maintaining said updates.



              • #8
                Debian isn't great either with kernel updates.
                http://lists.debian.org/debian-secur.../msg00022.html

                Ubuntu doesn't backport all the security updates in a kernel too.



                • #9
                  So there are people here gullible enough to believe this sort of crap. Wow, just wow.

                  Canonical has been constantly bleeding their market share to other distros (but mainly to Mint because Mint offers the mildest learning curve to an Ubuntu ex-user) for nearly 4 years. They thought they could afford it. But now with Ubuntu Touch/Ubuntu Phone going nowhere some guys are genuinely afraid of losing their jobs. And instead of saying "hey, we admit we were wrong about the whole upstart/plymouth/unity/mir debacle" they go out and start spreading slander and outright lies about Mint. Predictable but still pathetic.

                  They're not even developers. They're maintainers and without Debian they wouldn't even have a distro to maintain. They're also not security experts although they surely would love to pose as such. My diagnosis? A bunch of nobodies with outdated dreams of world domination. Hm, where have I seen that before?



                  • #10
                    Oh, and in a week they'll "apologize".



                    • #11
                      I would propose that this suggests that Mint as a whole ought to be based directly on Debian, or at least that LMDE ought to be the primary focus of their project. If Canonical's rampant, Unity-centered modifications place the Mint team in a situation where they must either compromise the security or stability of their users' systems, then it would seem that Ubuntu is not an ideal foundation for Linux Mint. With the rarity of major changes within Debian, and the promptness with which security vulnerabilities are addressed, it seems like an ideal foundation on which to build Linux Mint.



                      • #12
                        This is easily fixable but elements of it do make sense

                        Changes in system policy between Ubuntu and Mint are not hard to revert if you know what you are doing. Mint is comparable to Ubuntu with no DE installed, a few other packages left out, and a PPA providing either Cinnamon, MATE, or both. In fact, you can install Ubuntu, add the Mint repos to /etc/apt/sources.list, and install either DE and as much or as little of the rest of Mint as you like. If you like Mint and want to run new kernels, even PPA versions, it's not hard to do: dump Mint's apt preferences file, add the repos, and you are good to go. You might get the boot menu system name changed from Mint to Ubuntu if you don't pin base-files yourself in Synaptic after doing so, however.

                        If you do NOT know what you are doing and are running a non-LTS version of Ubuntu, you can get in real trouble with bad updates. I do not recommend auto-updating unless you are running a server or something along those lines. I still remember the day a set of post-release updates to Gutsy Gibbon trashed all audio playback, and at that time I did not know enough to debug this and wound up reinstalling.

                        I looked at the list of blocked updates and recognized a lot of troublemakers from providing tech support to my sister and her Ubuntu Lucid/Nvidia laptop. I had to tell my sister to hold all kernel and Nvidia updates until she is at my place, and had to help her get out of nasty surprises when she has done otherwise. Kernel updates incompatible with the "latest" Nvidia blob version, that sort of thing. I've seen a hell of a lot of complaints about updates gone bad in Ubuntu (and any distro you can think of) and will go so far as to say that if you need heavy-duty security, you need to know more about computers than enough to handle a borked X or xorg driver update!

                        Browser updates can also be problematic. Don't update and you risk leaving a cross-platform zero day in place. Do update and you expose users to easy browser fingerprinting when a browser is rare, new downgraded privacy policies, and the risk that if the only browser suddenly doesn't work, the user can't go online for tips on how to fix it. Yes, there is sometimes an issue with Firefox updates where the browser suddenly can no longer find its own executable at startup, some kind of path issue. I still don't know how to fix that right, only how to muck around with it until I get it working again when this occurs. As for privacy issues, I've found every Firefox update or reinstall trashes special cookie handling rules (exceptions under "history"). I have no idea if people who rely on persistent cookies get those trashed, too, as I always clear them on browser exit.

                        Lastly, there are some Mint packages that overwrite Ubuntu packages; updating the underlying Ubuntu package will overwrite Mint's changes. Mint overwrites /etc/os-release to get the system to identify itself as Mint; a new base-files will overwrite that with the Ubuntu version. This might be a Debian policy issue; Mint should have their own version of base-files to solve this.

                        As for online banking, I would not use any machine, no matter how secure I thought it was, for that purpose. To use computers for that is to get into an arms race with specialists in hacking banking information. Also, if your bank doesn't have your email, then you know for sure an email claiming to be from them is phish. Hell, I build computers that in one case successfully held encrypted material against the police after a raid, and I still would not trust them for banking, as I do not trust the network, my router, or the bank's computer.

                        I do not recommend my own systems for that sort of thing, nor Mint, nor anything else. Too many possible attacks, and because it is a network transaction the attack can be on your OS, your browser, the server on the other end, or anything in between. If a Mint user gets a bank account (or just an email account) hacked, open/public wifi redirecting to a phish site or just plain email phishing would be my immediate suspects. You won't stop many of those with updates!

                        My guess is someone at Mint looked at the packages that cause the most questions (or hardest end-user fixes) on Ubuntu tech support sites and blacklisted those updates, same as I had to do for my sister. A totally unpatched, least-secure install of any Linux distro is still as secure or probably much more secure than most Windows XP machines. For Mint to be as insecure as Windows XP, Firefox would have to run as root; hell, the user would have to be on a root login entirely. Yes, Windows XP (and maybe later, I don't know if this changed with Vista/8/9) users are surfing as root by default! That sort of thing makes an unpatched install of Ubuntu from a two-year-old DVD look like Ft Knox.

                        When my sister dumped Windows for Ubuntu, she stopped having problems with malware, even though a lot of updates had to be blacklisted so her system would keep working.

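Post #12 above describes holding back updates through Mint's apt preferences (pins) and the base-files/os-release clash. The audit script below is an added example, not code from the thread, from Mint or from Ubuntu: it parses a constructed apt preferences file and lists which pins keep already-installed packages from being upgraded from a given source. The priority semantics follow apt_preferences(5); the sample package names and origins are assumptions made up for the example.

```python
"""Audit an apt preferences file for pins that hold back package upgrades."""
import re

# Constructed sample pin file (not Mint's or Ubuntu's real file; names are illustrative).
SAMPLE_PREFS = """\
Package: *
Pin: release o=linuxmint
Pin-Priority: 700

Package: base-files
Pin: release o=Ubuntu
Pin-Priority: -1

Package: linux-image-* linux-headers-*
Pin: release o=Ubuntu
Pin-Priority: 50

Package: firefox
Pin: release o=Ubuntu
Pin-Priority: 500
"""

def parse_apt_preferences(text):
    """Split an apt preferences file into Package/Pin/Pin-Priority stanzas."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if {"Package", "Pin", "Pin-Priority"} <= set(fields):
            fields["Pin-Priority"] = int(fields["Pin-Priority"])
            stanzas.append(fields)
    return stanzas

def upgrade_blocking_pins(stanzas):
    """Return (package glob, pin, priority) for pins below priority 100: per apt_preferences(5)
    such a version is never chosen over an installed one, so updates from that source are held back."""
    blocked = []
    for s in stanzas:
        if s["Pin-Priority"] < 100:
            for pkg in s["Package"].split():
                blocked.append((pkg, s["Pin"], s["Pin-Priority"]))
    return blocked

if __name__ == "__main__":
    for pkg, pin, prio in upgrade_blocking_pins(parse_apt_preferences(SAMPLE_PREFS)):
        print(f"{pkg:<18} {pin:<20} priority {prio}: upgrades from this source held back")
```

Run it against /etc/apt/preferences and the files in /etc/apt/preferences.d to see which packages (kernels, drivers, base-files) a pin file is quietly excluding from security updates.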


                        • #13
                          Mint forum post on changing mint-updater security update rules

                          Originally posted by Luke View Post
                          Changes in system policy between Ubuntu and Mint are not hard to revert if you know what you are doing.
                          http://forums.linuxmint.com/viewtopic.php?f=47&t=111929

                          Shows an easy way to change update policies in mint-update.



                          • #14
                            Originally posted by prodigy_ View Post
                            So there are people here gullible enough to believe this sort of crap. Wow, just wow.

                            Canonical has been constantly bleeding their market share to other distros (but mainly to Mint because Mint offers the mildest learning curve to an Ubuntu ex-user) for nearly 4 years. They thought they could afford it. But now with Ubuntu Touch/Ubuntu Phone going nowhere some guys are genuinely afraid of losing their jobs. And instead of saying "hey, we admit we were wrong about the whole upstart/plymouth/unity/mir debacle" they go out and start spreading slander and outright lies about Mint. Predictable but still pathetic.

                            They're not even developers. They're maintainers and without Debian they wouldn't even have a distro to maintain. They're also not security experts although they surely would love to pose as such. My diagnosis? A bunch of nobodies with outdated dreams of world domination. Hm, where have I seen that before?
                            I can't speak about the other dude, but I've met and worked with Oliver Grawert on LTSP. He is most definitely a developer.



                            • #15
                              Originally posted by johnny View Post
                              I can't speak about the other dude, but I've met and worked with Oliver Grawert on LTSP. He is most definitely a developer.
                              The guy is obviously trying to rouse some rabble. I've counted 3 or 4 people so far that are just blowing hot air all over the place. It's rather silly, but such is life.

                              Canonical is at no risk of losing the majority of their userbase, as of yet. Especially with all the press it's been getting recently, more people are able to notice it. And what might have been a relatively large surge in the number of Mint users in recent years doesn't indicate a proportionally large loss from Ubuntu (a lot of folks don't know the scale of Ubuntu vs. other singular distros. It's very significant.) So I don't think they have that kind of incentive to spread dirt on other distros.
                              Of course, the fact that nobody has properly debunked this claim yet means it may be totally valid. So until then, I don't think it's right to get upset at anyone over this. Jumping the gun is silly.
                              Using a different base distro wouldn't fix the issue either, since there isn't a base distro that uses all the Mint customizations (other than Mint, that is). They'd still be putting forth work to continue fixing up Cinnamon and such.
