Page 7 of 10 FirstFirst ... 56789 ... LastLast
Results 61 to 70 of 98

Thread: Canonical Developer Criticizes Linux Mint's Security

  1. #61
    Join Date
    Oct 2007
    Posts
    1,258

    Default

    Some have pointed out that Debian sid isn't quick with kernel updates, but there are some other options than running vanilla sid kernel. The siduction team (esp. 'towo') keeps their kernel pretty close to upstream, and I use that.

    I really wish Mint would get off the Ubuntu train and just follow Debian sid with rolling release model.

  2. #62
    Join Date
    Dec 2011
    Posts
    102

    Default

    Quote Originally Posted by DanL View Post
    I really wish Mint would get off the Ubuntu train and just follow Debian sid with rolling release model.
    Well, at least LMDE is based on Debian testing instead of Ubuntu.

    Anyway, here's Clem's reply to the "controversy": http://segfault.linuxmint.com/2013/1...you-configure/

  3. #63
    Join Date
    Sep 2012
    Posts
    650

    Default

    Quote Originally Posted by TAXI View Post
    There is no such thing as a super user. If you mean the command su: That stands for "switch user" and switches to root by default (but you can use it to switch to any user).
    Do you mean you need root permissions? If so: Are you required to enter your root password? Or is there no password at all? Or do you have root privileges all the time? If you say no to the first and/or yes to the second/third question Ubuntu is a very insecure distro.

    BTW: All that questions are serious, I never used Ubuntu for myself.
    There is no password for root (it doesn't mean you can log without password, it means you cannot log directly as root, with ssh for example).
    For administrative tasks, users must be in the sudoers file, and use sudo, with their own password.
    If you are admin (ie sudoer), you can su to root, but with your own password.

  4. #64
    Join Date
    Sep 2012
    Location
    Germany
    Posts
    8

    Default

    Quote Originally Posted by Stebs View Post
    Again, the only difference between Ubuntu and Mint Updates is the _default_ setting of Mint to not update things like Xorg and Kernel (level 4 and 5 updates). Enable the Level 4 and 5 Updates (by Mouseclick) and from now on you have the exact same update behavior just like Ubuntu...
    You still won't get updates for Firefox or other packages provided by the Mint repos because they are pinned with a higher priority than Ubuntu packages. Mint's policy is to prioritize features and stability over security - for example in Mint 12 they shipped a vulnerable Java version for which there had been remote exploits in the public but they did not see the need to take action on this. See https://bugs.launchpad.net/linuxmint/+bug/890278

  5. #65
    Join Date
    Sep 2012
    Posts
    265

    Default

    Quote Originally Posted by TAXI View Post
    There is no such thing as a super user. If you mean the command su: That stands for "switch user" and switches to root by default (but you can use it to switch to any user).
    Do you mean you need root permissions? If so: Are you required to enter your root password? Or is there no password at all? Or do you have root privileges all the time? If you say no to the first and/or yes to the second/third question Ubuntu is a very insecure distro.

    BTW: All that questions are serious, I never used Ubuntu for myself.
    Ubuntu uses sudo (I thought it stood for superuser do, but see now that it just is substitute user do) together with no root account
    (well of coerce there is one as it's still Linux but I don't have a password and can't be used). Everything that requires root permissions
    have to go through sudo which, this is very good because if you have multiple users with root/sudo rights you will see which one who
    actually did al those creepy stuff.

    By default the first account is allowed to use sudo and uses it by providing its own password.
    So no you are not root by default and you are required to enter your own password, the logs will say that your account is responsible.

    Other accounts are not sudoers by default.

  6. #66
    Join Date
    Jan 2013
    Posts
    1,443

    Default

    I think we might have a whole new controversy here.

    Quote Originally Posted by Clem
    I personally talked to the legal dept. at Canonical (for other reasons, they’re telling us we need a license to use their binary packages)
    What the fuck is this about then?

  7. #67
    Join Date
    Nov 2013
    Posts
    3

    Default Mint Responds

    Here's the full context of dee's thread:




    Answering controversy: Stability vs Security is something you configure
    by clem 33
    18 Nov 2013 | General

    I hear a Canonical dev was more opinionated than knowledgeable and the press blew what he said out of proportion. I wouldn’t mind too much, if we weren’t finding ourselves answering questions from panicked users rather than working on what matters right now (i.e. Mint 16 RC).

    So I’ll be brief.

    About package updates:

    We explained in 2007 what the shortcomings were with the way Ubuntu recommends their users to blindly apply all available updates. We explained the problems associated with regressions and we implemented a solution we’re very happy with.
    Anybody running Mint can launch Update Manager -> Edit -> Preferences and enable level 4 and 5 updates, thus making their Linux Mint as “Secure” and “Unstable” as Ubuntu.

    Screenshot from 2013-11-18 14:31:53

    About Firefox updates:

    Linux Mint uses the same Firefox package as Ubuntu from the same repository. Firefox is a level 2 update so every Mint user receives it by default.
    LMDE, which is not based on Ubuntu, uses its own Firefox package. We’ve been slow in updating it by the past in LMDE (and that’s probably what confused the Canonical developer) but we took action and automated that. Firefox 25 was released on the 29th of October and updated in LMDE on the 30th.

    I personally talked to the legal dept. at Canonical (for other reasons, they’re telling us we need a license to use their binary packages) and it is clear they are confused about LMDE and Mint. They don’t know what repositories we’re using and they don’t know what we’re doing. We’re 2 years younger than them and they have no idea how many users we have (they use http://stats.wikimedia.org/archive/s...ingSystems.htm but don’t realize our user agent is “Ubuntu” since the days of Firefox 4 – Mint 9 if I remember correctly).

    I don’t really mind what people at Canonical understand or do not understand about us. I understand why the press and media sell controversy. I just really don’t want to waste time with this.

    From the feedback we’re getting so far, people love Mint 16 RC and we’ve got a superb release in our hands. It’s also full of bugs (https://github.com/linuxmint/Roadmap) and what we really want to do right now is not answer questions about how some guy who never ran Mint thinks it’s unsecure but get back to the code and fix as much as we can for Mint 16 to outperform Mint 15.

    If you were unaware of this controversy and you’re sad to see negativity, I’d like to apologize. I had to cut this short and make a public statement because the easiest way for us to focus on what matters and ignore this controversy is by linking people to this statement and not waste time answering people one by one, on the forums, on the IRC, and all over the Web.

  8. #68
    Join Date
    May 2013
    Posts
    475

    Default If Canonical demands "licenses" for Mint to use Ubuntu packages

    Quote Originally Posted by dee. View Post
    I think we might have a whole new controversy here.



    What the fuck is this about then?
    That will be a GPL violation for any package distributed under the GPL. It will also cause a lot of people to stop contributing to Ubuntu, and force distros based on Ubuntu to dump them for Debian versions. If Ubuntu is REALLY going to act like Apple and try to stop derivative distros, there will be no choice but to throw them out of the open source community. Software you can be harassed by lawyers for redistributing is by definition NOT free and open source software. This could be a real test of the GPL in court if Ubuntu is really trying to go that way.

    I am finished with Ubuntu if this story is confirmed, but will have to use a mishmash of PPAs targetting Ubuntu over Debian to mantain my system. Will be a dificult migration, starting with adding Debian Unstable to sources.list, setting APT to prefer Debian to Ubuntu, and then allowing updates over time to sweep out Ubuntu packages until I can migrate the startup system to whatever Debian transitions to (probably systemd if Upstart gets caught in this mess).

    This is very serious if it is true and not FUD or someone's overreaction.

  9. #69
    Join Date
    Nov 2013
    Posts
    3

    Default Hard to believe, isn't it?

    That an uninformed/under-informed ubuntu developer could cause this much angst...

    The "auto update manager" fight of ubuntu v mint is spreading all over net...

    http://www.omgubuntu.co.uk/2013/11/l...ecurity-claims.

    One thing that I see going against the pro-Canonical side of this debate is their recent dumbing-down of
    update process in 13.10.....

    I like the idea of having the individual choice to decide what is best for me. I do not wish to have a automatic "ubuntu patch-Tuesday" like M$ now has ....or is it "crash-Tuesday?"

    To me, linux has and will be a matter of personal choice, not the amount of fan-boy press one can create.

  10. #70
    Join Date
    Mar 2011
    Posts
    326

    Default

    An operating system is only as secure as it's operator.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •