Oliver Grawert made a pretty blunt claim on the Ubuntu Developer mailing list a couple of weeks ago, stating that Linux Mint is insecure, and that he wouldn’t deem it secure enough to do his banking on. This claim appears to be mostly based on the fact that Linux Mint, by default, does not install certain updates, because they pose a danger to the stability of the system.
Now let’s break this claim down, shall we?
“It might for example allow security updates (which are explicitly hacked out of Linux Mint for Xorg, the kernel, Firefox, the bootloader and various other packages) so that you don’t have to go online with a vulnerable system ;)”
Where should I begin? His claim that it’s a hack seems a good place to start. In Linux Mint, there’s a text file which can be found at /usr/lib/linuxmint/mintUpdate/rules, which assigns a level to certain packages, with level 1 being updates tested and distributed by the Linux Mint developers, and level 5 being the most dangerous kind of updates, which are known to affect the stability of the system in some cases. Is this a hack? First of all, the levels can be found in a text file, so for a power user it would be absolutely no trouble at all to just edit that text file. But what about the average user? Well, let’s have a look at Linux Mint’s Update Manager. Let’s go to Edit -> Preferences. Poof! Does this look like a hack to anyone?
By default, level 4 and 5 packages are not installed by Linux Mint’s Update Manager. With a few clicks, though, the whole issue is suddenly non-existent. Beware the stability of your system, though.
Then there’s this claim that it withholds updates for the Linux kernel, Xorg, Firefox and the boot loader. This is partially true. Linux Mint does, by default, withhold kernel and Xorg updates. As most long-time Linux users will know by now, kernel, Xorg and boot loader updates often break the system. Is a broken system better than a slightly less up-to-date system? If you’re a regular desktop user (if you’re not then this doesn’t affect you, because you shouldn’t be using Linux Mint anyway), the answer is no. The Linux kernel does, to some extent, affect security. This is of importance to companies running big servers, but to a lesser extent for regular desktop users, because they simply aren’t a compelling enough target to spend the time exploiting a kernel vulnerability (also because Linux Mint, unlike Ubuntu, comes with a firewall pre-installed, making the task even more difficult).
Then, Xorg. Xorg does, to a large extent, affect the security of the system, but seeing as Xorg still can’t properly separate input being sent to different applications, I don’t think a potential hacker is going to be bothered much by the “security updates” for Xorg anyway. A seemingly innocent application could capture your bank account details as you are entering them into your web browser, and you’d never know. If attackers get to the point where they actually have access to your Xorg session, then you’re screwed anyway, and no security fix is going to stop them anymore.
The boot loaders… Please, Oliver. Enlighten me. How does the boot loader affect security? Are we Microsoft, now? Are we soon going to develop our own implementation of “secure boot”? Because unless we are, I’m missing your point with this one.
I saved the best one for last: Firefox. Let’s have a look at the /usr/lib/linuxmint/mintUpdate/rules file again. It clearly states Firefox is a level 2 update. Level 2 updates get installed by default. I think it’s safe to say mister Oliver was simply attempting to add some juicy FUD to his claims to make them spread faster, or was otherwise thoroughly uninformed about the matter.
This situation has been blown up to be a much bigger ordeal than it really is, which is partially because of news sites mindlessly copying Oliver’s claims, without conducting any research of their own into the matter. This is exactly why you should never take claims from only one source as fact.
Clement Lefebvre, the Linux Mint project founder, has since made a statement and confirmed that Oliver Grawert seems “more opinionated than knowledgeable and the press blew what he said out of proportion.”