
Thread: Canonical Developer Criticizes Linux Mint's Security


  1. #1
    Join Date
    Jan 2007
    Posts
    15,646

    Canonical Developer Criticizes Linux Mint's Security

    Phoronix: Canonical Developer Criticizes Linux Mint's Security

    While Linux Mint is derived from Ubuntu's package-set, a Canonical developer has criticized the popular Ubuntu derivative for its handling of packaging upgrades that could leave the system in a vulnerable state...

    http://www.phoronix.com/vr.php?view=MTUxNzY

  2. #2
    Join Date
    Mar 2013
    Posts
    291


    That's Canonical developers for you - only good at "developing" cheap PR. And their boss is their mentor.

  3. #3
    Join Date
    Nov 2010
    Posts
    16


    Mint is vulnerable -- Agreed. No doubt.
    Canonical is vulnerable too with kernel updates. They don't backport all the fixes done from kernel.org. Instead of calling shots on Mint they should mind their own business of doing things right.

    Debian doesn't update all the security fixes in sid and sometimes they let it bit rot for weeks. I was told by a Debian developer that doing regular kernel updates is not a wise usage of the Debian resources.
    http://lists.debian.org/debian-secur.../msg00022.html
    Telling users that there is no security support in sid/Testing doesn't make me want to use Debian either.

    The distros that do timely security fixes are Fedora/RHEL & its clones, and Arch Linux is catching up even better than openSUSE.
    The other distros are just super duper vulnerable.

  4. #4
    Join Date
    Oct 2011
    Posts
    56


    Quote Originally Posted by hadrons123 View Post
    Mint is vulnerable -- Agreed. No doubt.
    Canonical is vulnerable too with kernel updates. They don't backport all the fixes done from kernel.org. Instead of calling shots on Mint they should mind their own business of doing things right.
    Kamal Mostafa from Canonical is openly discussing Ubuntu Linux-3.8 stable tree on
    the kernel stable mailing list. They provide sources everyone can pick.

    They are doing their job.
    If derivative distros are not providing what it is known their upstream delivers, this attack against Mint was valuable transparency! Worth to know, thank you!

  5. #5

    Are you people for real?

    I'm looking through this thread and obviously there's waaaaaay too many Linux diehards in here. Are you people trying to justify your delusions by saying that Wikipedia has a long lasting bug that makes Canonical's Ubuntu more popular than your favorite distro? From the eyes of an outsider that joined Linux because of Ubuntu back in 2008, I have to wonder how you people are completely missing the point when it comes to marketing.

  6. #6
    Join Date
    Jan 2013
    Posts
    147


    Quote Originally Posted by NothingMuchHereToSay View Post
    I'm looking through this thread and obviously there's waaaaaay too many Linux diehards in here. Are you people trying to justify your delusions by saying that Wikipedia has a long lasting bug that makes Canonical's Ubuntu more popular than your favorite distro? From the eyes of an outsider that joined Linux because of Ubuntu back in 2008, I have to wonder how you people are completely missing the point when it comes to marketing.
    Are you suggesting that Ubuntu really has 50x more users than any other distro, and that twice as many people use tiny distros than the combined userbases of all well-known distros including Ubuntu?
    Because that's what those WP stats say, and your dismissal is based on the premise that they're accurate.

  7. #7
    Join Date
    May 2010
    Posts
    121


    Quote Originally Posted by hadrons123 View Post
    Mint is vulnerable -- Agreed. No doubt.
    Canonical is vulnerable too with kernel updates. They don't backport all the fixes done from kernel.org. Instead of calling shots on Mint they should mind their own business of doing things right.

    Debian doesn't update all the security fixes in sid and sometimes they let it bit rot for weeks. I was told by a Debian developer that doing regular kernel updates is not a wise usage of the Debian resources.
    http://lists.debian.org/debian-secur.../msg00022.html
    Telling users that there is no security support in sid/Testing doesn't make me want to use Debian either.

    The distros that do timely security fixes are Fedora/RHEL & its clones, and Arch Linux is catching up even better than openSUSE.
    The other distros are just super duper vulnerable.
    Not sure if someone already corrected you on this, but Debian Testing (Jessie) does have security updates. You just don't get them with Unstable (Sid) because the target does move too fast. I've been getting weekly or bi-weekly kernel updates for it. And they do backport security fixes / drivers for Stable and Testing.

  8. #8
    Join Date
    May 2013
    Posts
    639

    A moving target is also harder for attackers to hit

    Quote Originally Posted by leech View Post
    Not sure if someone already corrected you on this, but Debian Testing (Jessie) does have security updates. You just don't get them with Unstable (Sid) because the target does move too fast. I've been getting weekly or bi-weekly kernel updates for it. And they do backport security fixes / drivers for Stable and Testing.
    I've traditionally used Ubuntu alphas but probably should base my personal OS on Sid. In either case, the moving target may not get explicit security updates, but the code is being updated - and therefore changed - constantly. If a targeted attacker wanted remote access to my system, one of his many problems would be to figure out exactly which vulnerabilities existed in that particular system on that day. As for kernels, I use the mainline PPA kernels; they too are a constantly changing target.

    Even if someone is using a snapshot, a targeted (as opposed to random) attack on that person has to guess which day that OS is a snapshot of - or he might be good enough to find a new vulnerability first, ahead of the package maintainers. In that case, no patch will ever arrive on time, anywhere. Nobody I know has ever had symptoms of a broken-into end user (non-server) machine running ANY Linux distro, and I have evidence that an encrypted desktop stolen from me in a police raid was never successfully cracked. I worry little about random attackers, someone after credit card shit finding none on my machine would have to be a snitch to even be an issue for me, so he would be a threat only if he installed a back door that was then found by someone else.

    Assuming you don't surf root like Windows users, do not connect your machine to the Internet without a modem, and are not running any externally accessible servers, you are already an exceptionally difficult target. Most real-world use of kernel attacks is to get access to webservers, the majority of which run Linux. A lot of very security-demanding servers and enterprise applications use Linux, I don't see why any of these would use Mint, as the servers don't even run X and paid tech support (RHEL or Ubuntu) is often crucial to them. No way is Google or the IRS going to have Cinnamon or MATE on their servers!

  9. #9
    Join Date
    Jan 2011
    Posts
    1,287


    Quote Originally Posted by prodigy_ View Post
    That's Canonical developers for you - only good at "developing" cheap PR. And their boss is their mentor.
    Even though this sounds like a campaign to discredit one of their most popular competitors, if what he says is true, there should be a serious concern about those issues.

  10. #10
    Join Date
    Jul 2013
    Posts
    54


    At first I was confused by the title; I thought Mint didn't change much of anything that comes standard from Ubuntu/Debian. And if they did, surely they wouldn't let it become a potential issue.

    But I was wrong. Sorta. I can definitely see how this COULD be an issue at some point. Although, right now so few people use this platform that it isn't likely to be targeted in any major way, so I dunno if I would raise any red flags about it just yet. But it is always good to lean on the side of security if it's a reasonable option, so this could be a good moment for them to allocate some resources toward getting security patches included faster... If they have the extra resources to do so with. Which by itself could be an issue, over-stretching their workforce. Kinda like what Canonical does, minus the multi-millionaire funding the project.

    In any case, this could be considered constructive criticism, at least. A valid point was made and being proactive can't hurt.
