Canonical Developer Criticizes Linux Mint's Security

  • #11
    I would propose that this suggests that Mint as a whole ought to be based directly on Debian, or at least that LMDE ought to be the primary focus of their project. If Canonical's rampant, Unity-centered modifications place the Mint team in a situation where they must either compromise the security or stability of their users' systems, then it would seem that Ubuntu is not an ideal foundation for Linux Mint. With the rarity of major changes within Debian, and the promptness with which security vulnerabilities are addressed, it seems like an ideal foundation on which to build Linux Mint.



    • #12
      This is easily fixable, but elements of it do make sense.

      Changes in system policy between Ubuntu and Mint are not hard to revert if you know what you are doing. Mint is comparable to Ubuntu with no DE installed, a few other packages left out, and a PPA providing either Cinnamon, MATE, or both. In fact, you can install Ubuntu, add the Mint repos to /etc/apt/sources.list, and install either DE and as much or as little of the rest of Mint as you like. If you like Mint and want to run new kernels, even PPA versions, it's not hard to do: dump Mint's apt preferences file, add the repos, and you are good to go. You might get the boot menu system name changed from Mint to Ubuntu if you don't pin base-files yourself in Synaptic after doing so, however.

      If you do NOT know what you are doing and are running a non-LTS version of Ubuntu, you can get in real trouble with bad updates. I do not recommend auto-updating unless you are running a server or something along those lines. I still remember the day a set of post-release updates to Gutsy Gibbon trashed all audio playback, and at that time I did not know enough to debug this and wound up reinstalling.

      I looked at the list of blocked updates and recognized a lot of troublemakers from providing tech support to my sister and her Ubuntu Lucid/Nvidia laptop. I had to tell my sister to hold all kernel and Nvidia updates until she is at my place, and had to help her get out of nasty surprises when she has done otherwise. Kernel updates incompatible with the "latest" Nvidia blob version, that sort of thing. I've seen a hell of a lot of complaints about updates gone bad in Ubuntu (and any distro you can think of) and will go so far as to say that if you need heavy-duty security, you need to know more about computers than enough to handle a borked X or xorg driver update!

      Browser updates can also be problematic. Don't update and you risk leaving a cross-platform zero day in place. Do update and you expose users to easy browser fingerprinting when a browser is rare, new downgraded privacy policies, and the risk that if the only browser suddenly doesn't work, the user can't go online for tips on how to fix it. Yes, there is sometimes an issue with Firefox updates where the browser suddenly can no longer find its own executable at startup, some kind of path issue. I still don't know how to fix that right, only how to muck around with it until I get it working again when this occurs. As for privacy issues, I've found every Firefox update or reinstall trashes special cookie handling rules (exceptions under "history"). I have no idea if people who rely on persistent cookies get those trashed, too, as I always clear them on browser exit.

      Lastly, there are some Mint packages that overwrite Ubuntu packages; updating the underlying Ubuntu package will overwrite Mint's changes. Mint overwrites /etc/os-release to get the system to identify itself as Mint; a new base-files will overwrite that with the Ubuntu version. This might be a Debian policy issue. Mint should have their own version of base-files to solve this.

      As for online banking, I would not use any machine, no matter how secure I thought it was, for that purpose. To use computers for that is to get into an arms race with specialists in hacking banking information. Also, if your bank doesn't have your email, then you know for sure an email claiming to be from them is phish. Hell, I build computers that in one case successfully held encrypted material against the police after a raid, and I still would not trust them for banking, as I do not trust the network, my router, or the bank's computer.

      I do not recommend my own systems for that sort of thing, nor Mint, nor anything else. Too many possible attacks, and because it is a network transaction the attack can be on your OS, your browser, the server on the other end, or anything in between. If a Mint user gets a bank account (or just an email account) hacked, open/public wifi redirecting to a phish site or just plain email phishing would be my immediate suspects. You won't stop many of those with updates!

      My guess is someone at Mint looked at the packages that cause the most questions (or hardest end-user fixes) on Ubuntu tech support sites and blacklisted those updates, same as I had to do for my sister. A totally unpatched, least-secure install of any Linux distro is still as secure or probably much more secure than most Windows XP machines. For Mint to be as insecure as Windows XP, Firefox would have to run as root, hell the user would have to be on a root login entirely. Yes, Windows XP (and maybe later, I don't know if this changed with Vista/8/9) users are surfing root by default! That sort of thing makes an unpatched install of Ubuntu from a two-year old DVD look like Ft Knox.

      When my sister dumped Windows for Ubuntu, she stopped having problems with malware, even though a lot of updates had to be blacklisted so her system would keep working.

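The pinning trade-off described in the post above (a package pinned above its Ubuntu counterpart, or a blocked update, stays put even after a fix lands in the security pocket) can be audited from `apt-cache policy` output. The script below is an added example, not code from this thread, from Mint or from Canonical. The policy output it parses is constructed: the versions, pin priorities, suite names and the locally pinned base-files are made up for illustration, and `parse_policy` and `held_back_security_updates` are the example's own names. It relies on one property of `apt-cache policy`: the version table lists versions highest first, so any entry from a `*-security` suite that appears above the candidate is a security fix apt will not install on the next upgrade.

```python
"""Audit `apt-cache policy` output for security updates that apt will not
install because a pin (or a higher-priority repo) keeps an older version
as the candidate.  Added example; the sample output below is constructed."""
import re
import subprocess
import sys
from dataclasses import dataclass, field

# Constructed sample of `apt-cache policy base-files firefox
# linux-image-generic` on a hypothetical Mint-on-Ubuntu system.  Versions,
# priorities and suites are made up; the base-files pin at 700 and the
# kernel pin at -1 stand in for a user's own /etc/apt/preferences entries.
SAMPLE_POLICY = """\
base-files:
  Installed: 7.2mint1
  Candidate: 7.2mint1
  Version table:
     7.2ubuntu5.2 500
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     7.2ubuntu5 500
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
 *** 7.2mint1 700
        700 http://packages.linuxmint.com/ rosa/main amd64 Packages
        100 /var/lib/dpkg/status
firefox:
  Installed: 40.0+build4-0ubuntu0.14.04.1
  Candidate: 41.0+build3-0ubuntu0.14.04.1
  Version table:
     41.0+build3-0ubuntu0.14.04.1 500
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
 *** 40.0+build4-0ubuntu0.14.04.1 500
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
linux-image-generic:
  Installed: 3.13.0.62.69
  Candidate: 3.13.0.62.69
  Version table:
     3.13.0.65.71 -1
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
 *** 3.13.0.62.69 500
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
"""

# A version-table entry: optional "***" (installed marker), version, pin priority.
VERSION_RE = re.compile(r'^\s*(\*\*\*)?\s*(\S+)\s+(-?\d+)\s*$')
# A source line under a version: priority, URL (or path), suite/component.
SOURCE_RE = re.compile(r'^\s+(-?\d+)\s+(\S+)\s+(\S+)')


@dataclass
class Version:
    version: str
    priority: int
    suites: list = field(default_factory=list)  # e.g. "trusty-security/main"


def parse_policy(text):
    """Map package name -> {'candidate': str, 'versions': [Version, ...]}.
    Versions keep apt's order, which is highest version first."""
    packages = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(':'):
            current = packages.setdefault(line[:-1], {'candidate': None, 'versions': []})
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith('Candidate:'):
            current['candidate'] = stripped.split(':', 1)[1].strip()
            continue
        m = VERSION_RE.match(line)
        if m:
            current['versions'].append(Version(m.group(2), int(m.group(3))))
            continue
        m = SOURCE_RE.match(line)
        if m and current['versions']:
            current['versions'][-1].suites.append(m.group(3))
    return packages


def held_back_security_updates(text):
    """Return {package: version} for every package whose version table has a
    *-security entry above the candidate, i.e. a fix apt will not install."""
    findings = {}
    for name, info in parse_policy(text).items():
        for v in info['versions']:
            if v.version == info['candidate']:
                break  # everything from here down is older than the candidate
            if any('-security' in suite for suite in v.suites):
                findings[name] = v.version
                break
    return findings


if __name__ == '__main__':
    # With package names on the command line, audit the live system;
    # without, run against the constructed sample.
    if len(sys.argv) > 1:
        text = subprocess.run(['apt-cache', 'policy', *sys.argv[1:]],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_POLICY
    for pkg, ver in sorted(held_back_security_updates(text).items()):
        print(f'{pkg}: security update {ver} is above the candidate and will not install')
```

Run without arguments to see the two constructed findings (base-files and linux-image-generic; firefox is clean because its candidate already is the security version), or with package names to check a real system. The check deliberately avoids Debian version comparison and trusts apt's own ordering, which is what makes it short and robust.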


      • #13
        Mint forum post on changing mint-updater security update rules

        Originally posted by Luke:
        Changes in system policy between Ubuntu and Mint are not hard to revert if you know what you are doing.


        Shows an easy way to change update policies in mint-update.



        • #14
          Originally posted by prodigy_:
          So there are people here gullible enough to believe this sort of crap. Wow, just wow.

          Canonical has been constantly bleeding their market share to other distros (but mainly to Mint because Mint offers the mildest learning curve to an Ubuntu ex-user) for nearly 4 years. They thought they could afford it. But now with Ubuntu Touch/Ubuntu Phone going nowhere some guys are genuinely afraid of losing their jobs. And instead of saying "hey, we admit we were wrong about the whole upstart/plymouth/unity/mir debacle" they go out and start spreading slander and outright lies about Mint. Predictable but still pathetic.

          They're not even developers. They're maintainers and without Debian they wouldn't even have a distro to maintain. They're also not security experts although they surely would love to pose as such. My diagnosis? A bunch of nobodies with outdated dreams of world domination. Hm, where have I seen that before?
          I can't speak about the other dude, but I've met and worked with Oliver Grawert on LTSP. He is most definitely a developer.



          • #15
            Originally posted by johnny:
            I can't speak about the other dude, but I've met and worked with Oliver Grawert on LTSP. He is most definitely a developer.
            The guy is obviously trying to rouse some rabble. I've counted 3 or 4 people so far that are just blowing hot air all over the place. It's rather silly, but such is life.

            Canonical is at no risk of losing the majority of their userbase, as of yet. Especially with all the press it's been getting recently, more people are able to notice it. And what might have been a relatively large surge in the number of Mint users in recent years doesn't indicate a proportionally large loss from Ubuntu (a lot of folks don't know the scale of Ubuntu vs. other singular distros. It's very significant.) So I don't think they have that kind of incentive to spread dirt on other distros.
            Of course, the fact that nobody has properly debunked this claim yet means it may be totally valid. So until then, I don't think it's right to get upset at anyone over this. Jumping the gun is silly.
            Using a different base distro wouldn't fix the issue either, since there isn't a base distro that uses all the Mint customizations (other than Mint, that is). They'd still be putting forth work to continue fixing up Cinnamon and such.



            • #16
              Originally posted by johnny:
              He is most definitely a developer.
              Then maybe he should stick to doing his job?

              Originally posted by Bathroom Humor:
              Canonical is at no risk of losing the majority of their userbase, as of yet.
              Indeed. Because the said majority has already left.



              • #17
                The update defaults in Mint made me leery. Finding that they remove AppArmor for no good reason meant it was not going to be my main OS.

                Mint favors usability/appearance over everything. Not that I fault them, but it shouldn't surprise anyone that Mint isn't an Enterprise OS.

                Ubuntu on the other hand claims to be an Enterprise OS and doesn't backport all security patches. Care to explain this Mr. Shuttleworth?



                • #18
                  Originally posted by prodigy_:
                  Indeed. Because the said majority has already left.
                  I would love to see a source of such conflicting evidence.



                  • #19
                    Originally posted by Bathroom Humor:
                    I would love to see a source of such conflicting evidence.
                    I don't need a source. If the article being discussed ITT is not enough, you could look at rankings on distrowatch.



                    • #20
                      Originally posted by prodigy_:
                      distrowatch.
                      I was afraid you'd go there.
                      A quote, from our friends at Distrowatch: "The DistroWatch Page Hit Ranking statistics are a light-hearted way of measuring the popularity of Linux distributions and other free operating systems among the visitors of this website. They correlate neither to usage nor to quality and should not be used to measure the market share of distributions. They simply show the number of times a distribution page on DistroWatch.com was accessed each day, nothing more."

                      Distrowatch page rankings are only truly relevant within the scope of that website. It gets quite a few visits a day, but it is by no means a superpopular site that most users of any OS will have heard about. Most people using Linux already know what Ubuntu is and what it looks like, so they have little reason to check it out on distrowatch, compared to people looking to switch to a new distro that isn't as popular, trying to find more info. And it can be easily manipulated, anyway.
                      It's impossible to know for sure how many people use any given Distro, but a more comprehensive picture can be drawn by using a universally known website that generates huge amounts of traffic, regardless of userbase. I have a feeling you don't know what I meant by "significant".

                      The data here may not be 100% accurate, but even if Mint (or any other distro) somehow has an order of magnitude more users than is listed, there is little risk of it approaching the same userbase size as Ubuntu.
