Canonical Developer Criticizes Linux Mint's Security

  • #81
    Originally posted by Tinitus:
    You still won't get updates for Firefox or other packages provided by the Mint repos because they are pinned with a higher priority than Ubuntu packages.
    Please stop spreading FUD.
    "About Firefox updates:
    Linux Mint uses the same Firefox package as Ubuntu from the same repository. Firefox is a level 2 update so every Mint user receives it by default." - Quote from a Mint developer.
    In the two years I was using Linux Mint (now trying Manjaro), Firefox updates were available at exactly the same time as on my other PC with Xubuntu on it (even if you leave the Mint Update settings at default).
    Originally posted by k1l_:
    Sorry, but the "only some mouse clicks" argument didn't count when talking about the "spyware" topic with the Unity search scopes. Saying now "well, a user could inform himself about that topic (why should he know about that?) and make some mouse clicks to change the default behaviour" is IMHO a lot different from a search saying "local and online search" being called spyware because it searches online.
    Well, IMHO the online search scopes are really no big deal/problem as long as you can easily deactivate them with a few mouse clicks; I never had to do that though, because Unity is just not my "style" of DE.
    Every distribution is different, with its own advantages and disadvantages, so why not just test/read about them all and choose YOUR favorite... and be happy.
    Those distro wars are just stupid. But what really annoys me is when people start telling "facts" that are not true (see Firefox updates); maybe those were not meant as a lie, but why then start talking about those things if one has no clue?

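The pinning argument in #81 (the claim that Mint's repos are pinned above Ubuntu's, and the reply that Firefox comes straight from Ubuntu's repository) turns on how apt resolves pin priorities. The Python below is an added example, not code from the thread, from Mint or from Ubuntu: it models apt_preferences(5) resolution on constructed stanzas and candidates (the `derivative`/`upstream` origins, host names and version numbers are invented), with the simplifying assumption that a package-specific pin beats a `Package: *` pin and that the highest matching priority applies. It shows both sides of the argument: a package that exists only in the upstream archive takes the upstream security update regardless of the pin, while a package the derivative ships itself stays on the derivative's build even when upstream has a higher version.

```python
"""Model apt pin-priority resolution, to show what "pinned with a higher
priority" does to the version apt picks.  Added example: the preferences text,
repositories and version numbers below are constructed for illustration, not
copied from any Mint or Ubuntu release."""
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class Candidate:
    version: str
    origin: str          # archive host, matched by 'Pin: origin "host"'
    release: dict        # Release-file fields: o= (origin), a= (suite), c= (component)
    installed: bool = False


@dataclass
class Pin:
    package: str         # package glob; "*" is a general-form pin
    kind: str            # "release", "origin" or "version"
    value: str
    priority: int


def parse_preferences(text):
    """Parse apt_preferences(5) stanzas: Package / Pin / Pin-Priority."""
    pins = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line.strip() and not line.lstrip().startswith("#"):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        kind, _, value = fields["Pin"].partition(" ")
        pins.append(Pin(fields["Package"], kind, value.strip().strip('"'),
                        int(fields["Pin-Priority"])))
    return pins


def pin_matches(pin, name, cand):
    if not fnmatch.fnmatchcase(name, pin.package):
        return False
    if pin.kind == "release":
        wanted = dict(kv.split("=", 1) for kv in pin.value.split(","))
        return all(cand.release.get(k) == v for k, v in wanted.items())
    if pin.kind == "origin":
        return cand.origin == pin.value
    if pin.kind == "version":
        return fnmatch.fnmatchcase(cand.version, pin.value)
    raise ValueError(f"unknown pin kind {pin.kind!r}")


DEFAULT_PRIORITY = 500   # apt's priority for an ordinary, non-pinned source


def priority_of(pins, name, cand):
    # Assumption of this model: a pin naming the package beats a "*" pin, and
    # among pins of the same class the highest matching priority applies.
    specific = [p.priority for p in pins if p.package != "*" and pin_matches(p, name, cand)]
    if specific:
        return max(specific)
    general = [p.priority for p in pins if p.package == "*" and pin_matches(p, name, cand)]
    return max(general) if general else DEFAULT_PRIORITY


def version_key(v):
    """Simplified Debian version ordering (epoch, then numeric runs); enough
    for the sample versions here, not a replacement for dpkg --compare-versions."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    return (int(epoch),) + tuple(int(n) for n in re.findall(r"\d+", rest))


def select(pins, name, candidates):
    """Apply apt's documented rules: a negative priority never installs, <100
    installs only when nothing is installed, no downgrade unless the priority
    exceeds 1000, otherwise highest priority and then highest version wins."""
    installed = next((c for c in candidates if c.installed), None)
    eligible = []
    for c in candidates:
        prio, key = priority_of(pins, name, c), version_key(c.version)
        if prio < 0:
            continue
        if prio < 100 and installed is not None:
            continue
        if installed is not None and key < version_key(installed.version) and prio <= 1000:
            continue
        eligible.append((prio, key, c))
    if not eligible:
        return installed
    return max(eligible, key=lambda e: (e[0], e[1]))[2]


# Constructed preferences: a derivative's repo pinned above the upstream archive.
PREFERENCES = """
Package: *
Pin: release o=derivative
Pin-Priority: 700

Package: *
Pin: release o=upstream
Pin-Priority: 500
"""


def demo():
    pins = parse_preferences(PREFERENCES)
    # Case 1: the package exists only in the upstream archive, so the
    # derivative pin never matches and the security update is taken.
    browser = [
        Candidate("23.0-1", "archive.upstream.example", {"o": "upstream", "a": "stable"}, installed=True),
        Candidate("24.0-1", "security.upstream.example", {"o": "upstream", "a": "stable-security"}),
    ]
    # Case 2: the derivative ships its own build, so its 700 pin beats the
    # upstream candidate even though upstream carries the higher version.
    tool = [
        Candidate("1.0-1", "packages.derivative.example", {"o": "derivative", "c": "main"}, installed=True),
        Candidate("2.0-1", "archive.upstream.example", {"o": "upstream", "a": "stable-security"}),
    ]
    return select(pins, "browser", browser).version, select(pins, "tool", tool).version


if __name__ == "__main__":
    print(demo())
```

On a real system `apt-cache policy <package>` prints the priorities apt actually assigned, which is the quick way to settle an argument like the one above; the model here only reproduces the documented rules for the constructed inputs.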
    • #82
      I hear the sounds of jealous Canonical developers. Got Mint 16 on my laptop and loving it. I bet the Debian developers probably don't have too many good things to say about Ubuntu.

    • #83
      Originally posted by hadrons123:
      Mint is vulnerable -- agreed. No doubt.
      Canonical is vulnerable too with kernel updates. They don't backport all the fixes done at kernel.org. Instead of calling shots on Mint they should mind their own business of doing things right.

      Debian doesn't update all the security fixes in sid and sometimes they let it bit-rot for weeks. I was told by a Debian developer that doing regular kernel updates is not a wise use of Debian's resources.

      Telling users that there is no security support in sid/testing doesn't make me want to use Debian either.

      The distros that do timely security fixes are Fedora/RHEL and its clones, and Arch Linux is catching up, even better than openSUSE.
      The other distros are just super duper vulnerable.
      Not sure if someone has already corrected you on this, but Debian Testing (Jessie) does have security updates. You just don't get them with Unstable (Sid) because the target moves too fast. I've been getting weekly or bi-weekly kernel updates for it. And they do backport security fixes/drivers for Stable and Testing.

    • #84
      A moving target is also harder for attackers to hit

      Originally posted by leech:
      Not sure if someone has already corrected you on this, but Debian Testing (Jessie) does have security updates. You just don't get them with Unstable (Sid) because the target moves too fast. I've been getting weekly or bi-weekly kernel updates for it. And they do backport security fixes/drivers for Stable and Testing.
      I've traditionally used Ubuntu alphas but probably should base my personal OS on Sid. In either case, the moving target may not get explicit security updates, but the code is being updated, and therefore changed, constantly. If a targeted attacker wanted remote access to my system, one of his many problems would be to figure out exactly which vulnerabilities existed in that particular system on that day. As for kernels, I use the mainline PPA kernels; they too are a constantly changing target.

      Even if someone is using a snapshot, a targeted (as opposed to random) attack on that person has to guess which day that OS is a snapshot of, or he might be good enough to find a new vulnerability first, ahead of the package maintainers. In that case, no patch will ever arrive on time, anywhere. Nobody I know has ever had symptoms of a broken-into end-user (non-server) machine running ANY Linux distro, and I have evidence that an encrypted desktop stolen from me in a police raid was never successfully cracked. I worry little about random attackers; someone after credit card shit finding none on my machine would have to be a snitch to even be an issue for me, so he would be a threat only if he installed a back door that was then found by someone else.

      Assuming you don't surf as root like Windows users, do not connect your machine to the Internet without a modem, and are not running any externally accessible servers, you are already an exceptionally difficult target. Most real-world uses of kernel attacks are to get access to web servers, the majority of which run Linux. A lot of very security-demanding servers and enterprise applications use Linux; I don't see why any of these would use Mint, as the servers don't even run X and paid tech support (RHEL or Ubuntu) is often crucial to them. No way is Google or the IRS going to have Cinnamon or MATE on their servers!

    • #85
      Originally posted by k1l_:
      Sorry, but the "only some mouse clicks" argument didn't count when talking about the "spyware" topic with the Unity search scopes. Saying now "well, a user could inform himself about that topic (why should he know about that?) and make some mouse clicks to change the default behaviour" is IMHO a lot different from a search saying "local and online search" being called spyware because it searches online.
      You're twisting and/or confusing the facts here. The dash search was called spyware not because it searched online, but because it sent your keystrokes (unencrypted in the first versions) to third parties without your prior consent. It's potentially dangerous even when it's sent encrypted, as there are all kinds of things you might type in your dash to search for local files that you wouldn't want broadcast to whoever.

      The spyware aspect wasn't the biggest issue though, IMO. Even if you don't consider it spyware, there's no question about it being adware. It shoves paid ads into your actual OS interface. It would be very simple to fix all the problems with the dash scopes by simply making it opt-in instead of opt-out, and making it entirely user-configurable. No one would have much to complain about then; it'd just be another optional feature. Which is why it's monumentally stupid of Canonical not to do it this way.

      Comparing it to Mint's updates is also entirely fallacious. Mint already does the updates as opt-in: you can opt in to receive additional updates which may potentially make your system unstable.

      For me it looks like the mobilizing against Canonical from the last years (and especially this year) has already gone way too far. That is not worthy of a Linux "community".
      For me it looks like you're suffering from the same persecution complex that plagues most of the Ubuntu fanbase: "oh poor us, everyone's always picking on us becuz they jealous!! they want to make linux hard and command line only becuz ofcourse theres no other alternative to unity!!!" And it's really no wonder people spout such crap, when Shuttleworth himself encourages such thinking. And that's how we get people like bo$$...

    • #86
      Originally posted by Stebs:
      Well, IMHO the online search scopes are really no big deal/problem as long as you can easily deactivate them with a few mouse clicks; I never had to do that though, because Unity is just not my "style" of DE.
      Every distribution is different, with its own advantages and disadvantages, so why not just test/read about them all and choose YOUR favorite... and be happy.
      Those distro wars are just stupid. But what really annoys me is when people start telling "facts" that are not true (see Firefox updates); maybe those were not meant as a lie, but why then start talking about those things if one has no clue?
      I am totally fine with users choosing what suits them best. If you don't like Unity: no problem, there are a lot of other desktops out there.
      What I really don't like is the double standard when it comes to Ubuntu/Canonical:
      Mint: well, do some reading there, some mouse clicks here and everything is fine.
      Ubuntu: OMG! You need to make 3 mouse clicks and it's not doing that out of the box.

      Originally posted by dee.:
      You're twisting and/or confusing the facts here. The dash search was called spyware not because it searched online, but because it sent your keystrokes (unencrypted in the first versions) to third parties without your prior consent. It's potentially dangerous even when it's sent encrypted, as there are all kinds of things you might type in your dash to search for local files that you wouldn't want broadcast to whoever.
      I disagree. When it's labeled "search local and online" it is very clear that some data will be sent online. And you don't want to tell me that users want to get online results but don't want anything sent online, do you?

      Originally posted by dee.:
      The spyware aspect wasn't the biggest issue though, IMO. Even if you don't consider it spyware, there's no question about it being adware. It shoves paid ads into your actual OS interface. It would be very simple to fix all the problems with the dash scopes by simply making it opt-in instead of opt-out, and making it entirely user-configurable. No one would have much to complain about then; it'd just be another optional feature. Which is why it's monumentally stupid of Canonical not to do it this way.
      It's not paid ads. They just get paid with a refund if you actually buy that after clicking on the search result. It's the well-known Amazon ref-link thing. Other open source projects use that too, like music players for music in the Amazon store.

      Originally posted by dee.:
      Comparing it to Mint's updates is also entirely fallacious. Mint already does the updates as opt-in: you can opt in to receive additional updates which may potentially make your system unstable.
      No, it's not fallacious. On the one hand you say it's OK to have to opt in to security topics, and on the other hand you say it's not OK. That is the double standard.

      Originally posted by dee.:
      For me it looks like you're suffering from the same persecution complex that plagues most of the Ubuntu fanbase: "oh poor us, everyone's always picking on us becuz they jealous!! they want to make linux hard and command line only becuz ofcourse theres no other alternative to unity!!!" And it's really no wonder people spout such crap, when Shuttleworth himself encourages such thinking. And that's how we get people like bo$$...
      As you can read in my postings in this thread, I'm in no way like you described me.
      While for some very few but loud group it seems to be their duty to pick on Canonical/Ubuntu, I think in the long run that only leads to an environment where the community is the looser.

    • #87
      Originally posted by hadrons123:
      The distros that do timely security fixes are Fedora/RHEL and its clones, and Arch Linux is catching up, even better than openSUSE.
      The other distros are just super duper vulnerable.
      Gentoo Hardened should be pretty solid as well.

      Originally posted by chithanh:
      For reference: These are the numbers from Wikimedia (mostly Wikipedia visitors) http://stats.wikimedia.org/wikimedia...ingSystems.htm

      I think Wikimedia can accurately detect Ubuntu. They probably cannot accurately detect other distros besides Android, and those hide in "Linux Other", which lumps together the various desktop and mobile distros. Let's make an uneducated guess that there is a 50/50 split between desktop (ChromeOS etc.) and mobile (Maemo/MeeGo, WebOS, OpenEmbedded etc.) in "Linux Other". This means that Ubuntu has maybe 50% share of the desktop market, which kind of agrees with other available numbers.
      Wikimedia stats come from browser user agents. All Linux distros except Ubuntu realised that it's a bad idea to inflate the user agent string (it costs additional bandwidth and could be used for fingerprinting) and removed the distro references. Thus the non-Ubuntu distros listed there are from users running really antiquated versions of those distros, or those that set their user agent manually. I'm also not sure if Ubuntu derivatives change the user agent, but I doubt they do.

      There's no 50/50 split; it's all desktops. Note how it says "Breakdown per OS version, non mobile". So my take is that Ubuntu and its derivatives are 0.22% 32-bit + 0.21% 64-bit = 0.43%, while all the other distributions combined are 0.46% 64-bit + 0.21% 32-bit + 0.03% unidentified = 0.70%. Thus of the 1.16% of desktop Linux users, Ubuntu and derivative users take 40%.

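The user-agent claim in #87 (Ubuntu's Firefox adds a distro token that analytics can count and that narrows a visitor down) can be checked mechanically. The Python below is an added example, not code from the thread or from Wikimedia: it classifies a constructed set of User-Agent strings (written in the formats Firefox has used, with invented counts) into the distro/architecture buckets such a report would show, and computes how many bits of identifying information each bucket contributes within the Linux sample. Because the sample is made up, the numbers illustrate the mechanism, not any real share.

```python
"""Classify Linux desktop browsers from User-Agent strings the way a site's
analytics would, and show how much a distro token narrows a visitor down.
Added example; the UA strings follow formats Firefox has used, but the sample
and its weighting are invented and reflect no real site."""
import math
import re
from collections import Counter

# Constructed sample of User-Agent values (the mix is made up).
SAMPLE_UAS = [
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3",
    "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100423 Fedora/3.6.3-4.fc13 Firefox/3.6.3",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0",
]

# The parenthesised platform list after "Mozilla/5.0".
PLATFORM_RE = re.compile(r"^Mozilla/5\.0 \(([^)]*)\)")
# Distro tokens some browsers appended to the product part, e.g. "Fedora/3.6.3".
DISTRO_TOKEN_RE = re.compile(r"\b(Ubuntu|Fedora|SUSE|Mandriva|Debian)[/-]")


def classify(ua):
    """Return (distro, arch) for a Linux desktop UA, or None for anything else."""
    m = PLATFORM_RE.match(ua)
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).split(";")]
    if "X11" not in parts:                      # not a desktop Linux/Unix UA
        return None
    linux = next((p for p in parts if p.startswith("Linux")), None)
    if linux is None:
        return None
    words = linux.split()
    arch = words[1] if len(words) > 1 else "unknown"
    if "Ubuntu" in parts:                       # newer Ubuntu Firefox format
        distro = "Ubuntu"
    else:                                       # older format: token after the parenthesis
        t = DISTRO_TOKEN_RE.search(ua, m.end())
        distro = t.group(1) if t else "Linux Other"
    return distro, arch


def tally(uas):
    """Count (distro, arch) buckets, dropping non-Linux-desktop visitors."""
    return Counter(c for c in map(classify, uas) if c is not None)


def surprisal_bits(counts, key):
    """Bits of identifying information a bucket contributes: -log2 of its share
    among the Linux desktop visitors. A rarer token narrows the visitor down
    more, which is the fingerprinting concern raised above."""
    total = sum(counts.values())
    return -math.log2(counts[key] / total)


def report(uas=SAMPLE_UAS):
    """Rows of (distro, arch, count, bits), largest bucket first."""
    counts = tally(uas)
    rows = [(d, a, n, surprisal_bits(counts, (d, a))) for (d, a), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for distro, arch, n, bits in report():
        print(f"{distro:12} {arch:7} {n:3} visitors  {bits:.2f} bits")
```

A stock Firefox UA and the Ubuntu one differ only by the `Ubuntu;` token, yet in this sample that token alone moves a visitor from a 5-of-10 bucket into a 2-of-10 bucket; a site that also records architecture and browser version gets a few more bits on top, which is why the other distributions removed theirs.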
    • #88
      Originally posted by k1l_:
      It's not paid ads. They just get paid with a refund if you actually buy that after clicking on the search result. It's the well-known Amazon ref-link thing. Other open source projects use that too, like music players for music in the Amazon store.
      In other words, it's paid ads. Canonical has admitted that the purpose of the feature is to collect revenue for Canonical. It produces revenue for Canonical, therefore Canonical is getting paid for displaying ads in their dash; therefore, they are paid ads. It's as simple as that.

      No, it's not fallacious. On the one hand you say it's OK to have to opt in to security topics, and on the other hand you say it's not OK. That is the double standard.
      No I'm not. I'm saying it's OK in both cases to have opt-in. Ubuntu does not have opt-in; they have opt-out of their adware feature.

      As you can read in my postings in this thread, I'm in no way like you described me.
      While for some very few but loud group it seems to be their duty to pick on Canonical/Ubuntu, I think in the long run that only leads to an environment where the community is the looser.
      It's spelled "loser". And if you want to speak of "the community", you'd better ask yourself why Canonical is shafting the entire community with Mir. Why are they shooting themselves in the foot by being divisive, when they'd benefit much more from a strong focus and united front behind Wayland?

    • #89
      Originally posted by dee.:
      In other words, it's paid ads. Canonical has admitted that the purpose of the feature is to collect revenue for Canonical. It produces revenue for Canonical, therefore Canonical is getting paid for displaying ads in their dash; therefore, they are paid ads. It's as simple as that.
      Again you miss a point: they only get paid if the user actually buys something. It is not even bringing in that much money that Canonical would think of debating a special deal with Amazon.

      So you can drop the "Canonical is getting rich with spyware" line.

      Originally posted by dee.:
      No I'm not. I'm saying it's OK in both cases to have opt-in. Ubuntu does not have opt-in; they have opt-out of their adware feature.
      In both cases you have to do something to get to a more secure state. Whether it's opt-in or opt-out doesn't matter. You could think of opting out of the not-so-good update system, too. No matter if you call it opt-in or opt-out, the user has to take action. So it's either both good or both bad. But not again these double standards, where it's good as long as it's from Canonical.

      Originally posted by dee.:
      It's spelled "loser". And if you want to speak of "the community", you'd better ask yourself why Canonical is shafting the entire community with Mir. Why are they shooting themselves in the foot by being divisive, when they'd benefit much more from a strong focus and united front behind Wayland?
      And again I say: you need to accept cooperation if you call for cooperation. The history of Unity and the big drama after the Mir announcement show quite clearly that there is no will to accept cooperation.

    • #90
      Originally posted by k1l_:
      Again you miss a point: they only get paid if the user actually buys something. It is not even bringing in that much money that Canonical would think of debating a special deal with Amazon.

      So you can drop the "Canonical is getting rich with spyware" line.
      Canonical is profiting from selling paid ads in their dash, an integral part of the OS. Try whatever mental gymnastics you like; you can't get away from that basic fact.

      In both cases you have to do something to get to a more secure state. Whether it's opt-in or opt-out doesn't matter. You could think of opting out of the not-so-good update system, too. No matter if you call it opt-in or opt-out, the user has to take action. So it's either both good or both bad. But not again these double standards, where it's good as long as it's from Canonical.
      It does matter whether it's opt-in or opt-out. It matters a lot, as it's simply a way of making certain that the needs of the users are put first.

      The user has to take action anyway when the user wants to upgrade packages. There are no Windows-style automatic updates in Mint; you have to authorize and approve the updates yourself anyway. The user can opt in to getting certain updates which can possibly lead to instability. The feature of getting extra updates is disabled by default. There is no active feature enabled by default.

      Whereas Canonical makes it opt-out: they assume by default that you want paid ads in your application launcher, so you have to actively disable that feature yourself to opt out of it: the active feature is enabled by default. Therefore, it's opt-out.

      I can't explain this to you any more clearly. The default state is inaction; any feature that performs some activity is an active feature that can be either enabled or disabled by default, opt-out or opt-in. Getting extra updates is an active feature; not getting extra updates is the lack of an active feature. Getting paid ads in the launcher is an active feature; not getting paid ads in the launcher is the lack of an active feature.

      And again I say: you need to accept cooperation if you call for cooperation. The history of Unity and the big drama after the Mir announcement show quite clearly that there is no will to accept cooperation.
      I don't think you really know that history very well.
