Canonical Developer Criticizes Linux Mint's Security
Phoronix: Canonical Developer Criticizes Linux Mint's Security
While Linux Mint is derived from Ubuntu's package-set, a Canonical developer has criticized the popular Ubuntu derivative for its handling of packaging upgrades that could leave the system in a vulnerable state...
That's Canonical developers for you - only good at "developing" cheap PR. And their boss is their mentor.
Mint is vulnerable -- Agreed. No doubt.
Canonical is vulnerable too with kernel updates. They don't backport all the fixes done from kernel.org. Instead of calling shots on Mint, they should mind their own business of doing things right.
Debian doesn't update all the security fixes in sid and sometimes they let it bit rot for weeks. I was told by a Debian developer that doing regular kernel updates is not a wise usage of the Debian resources.
Telling users that there is no security support in sid/Testing doesn't make me want to use Debian either.
The distros that do timely security fixes are Fedora/RHEL & its clones, and Arch Linux is catching up even better than openSUSE.
The other distros are just super duper vulnerable.
Originally Posted by hadrons123
Kamal Mostafa from Canonical is openly discussing Ubuntu Linux-3.8 stable tree on the kernel stable mailing list. They provide sources everyone can pick.
They are doing their job.
If derivative distros are not providing what it is known their upstream delivers, this attack against Mint was valuable transparency! Worth knowing, thank you!
Are you people for real?
I'm looking through this thread and obviously there's waaaaaay too many Linux diehards in here. Are you people trying to justify your delusions by saying that Wikipedia has a long lasting bug that makes Canonical's Ubuntu more popular than your favorite distro? From the eyes of an outsider that joined Linux because of Ubuntu back in 2008, I have to wonder how you people are completely missing the point when it comes to marketing.
Are you suggesting that Ubuntu really has 50x more users than any other distro, and that twice as many people use tiny distros than the combined userbases of all well-known distros including Ubuntu?
Originally Posted by NothingMuchHereToSay
Because that's what those WP stats say, and your dismissal is based on the premise that they're accurate.
Not sure if someone already corrected you on this, but Debian Testing (Jessie) does have security updates. You just don't get them with Unstable (Sid) because the target does move too fast. I've been getting weekly or bi-weekly kernel updates for it. And they do backport security fixes / drivers for Stable and Testing.
Originally Posted by hadrons123
A moving target is also harder for attackers to hit
I've traditionally used Ubuntu alphas but probably should base my personal OS on Sid. In either case, the moving target may not get explicit security updates, but the code is being updated, and therefore changed, constantly. If a targeted attacker wanted remote access to my system, one of his many problems would be to figure out exactly which vulnerabilities existed in that particular system on that day. As for kernels, I use the mainline PPA kernels; they too are a constantly changing target.
Originally Posted by leech
Even if someone is using a snapshot, a targeted (as opposed to random) attack on that person has to guess which day that OS is a snapshot of, or he might be good enough to find a new vulnerability first, ahead of the package maintainers. In that case, no patch will ever arrive on time, anywhere. Nobody I know has ever had symptoms of a broken-into end user (non-server) machine running ANY Linux distro, and I have evidence that an encrypted desktop stolen from me in a police raid was never successfully cracked. I worry little about random attackers, someone after credit card shit finding none on my machine would have to be a snitch to even be an issue for me, so he would be a threat only if he installed a back door that was then found by someone else.
Assuming you don't surf as root like Windows users, do not connect your machine to the Internet without a modem, and are not running any externally accessible servers, you are already an exceptionally difficult target. Most real-world uses of kernel attacks are to get access to webservers, the majority of which run Linux. A lot of very security-demanding servers and enterprise applications use Linux, I don't see why any of these would use Mint, as the servers don't even run X and paid tech support (RHEL or Ubuntu) is often crucial to them. No way is Google or the IRS going to have Cinnamon or MATE on their servers!
Even though this sounds like a campaign to discredit one of their most popular competitors, if what he says is true, there should be a serious concern about those issues.
Originally Posted by prodigy_
At first I was confused by the title; I thought Mint didn't change much of anything that comes standard from Ubuntu/Debian. And if they did, surely they wouldn't let it become a potential issue.
But I was wrong. Sorta. I can definitely see how this COULD be an issue at some point. Although, right now so few people use this platform that it isn't likely to be targeted in any major way, so I dunno if I would raise any red flags about it just yet. But it is always good to lean on the side of security if it's a reasonable option, so this could be a good moment for them to allocate some resources toward getting security patches included faster... If they have the extra resources to do so with. Which by itself could be an issue, over-stretching their workforce. Kinda like what Canonical does, minus the multi-millionaire funding the project.
In any case, this could be considered constructive criticism, at least. A valid point was made and being proactive can't hurt.