Linux Mint falsely accused of being “insecure” Robin Jacobs Nov 18, 2013 News, Ubuntu31 Comments Oliver Grawert made a pretty blunt claim on the Ubuntu Developer mailing list a couple of weeks ago, stating that Linux Mint is insecure, and that he wouldn’t deem it secure enough to do his banking. This claim appears to be mostly based on the fact that Linux Mint, by default, does not install certain updates, because they form a danger to the stability of the system.Now let’s break this claim down, shall we?“It might for exmaple allow security updates (which are explicitly hacked out of Linux Mint for Xorg, the kernel, Firefox, the bootloader and various other packages) so that you dont have to go online with a vulnerable system ;)”Where should I begin? His claim that it’s a hack seems a good place to start. In Linux Mint, there’s a text file which can be found at /usr/lib/linuxmint/mintUpdate/rules, which assigns a level to certain packages, with level 1 being updates being tested and distributed by the Linux Mint developers, and level 5 being the most dangerous kinds of updates, which are known to affect the stability of the system in some cases. Is this a hack? First of all, the levels can be found in a text file, so for a power user it would be absolutely no trouble at all to just edit that text file. But what about the average users? Well, let’s have a look at Linux Mint’s Update Manager. Let’s go to Edit -> Preferences. Poof! Does this look like a hack to anyone?By default, level 4 and 5 packages are not installed by Linux Mint’s Update Manager. With a few clicks, though, the whole issue is suddenly non-existent. Beware the stability of your system, though.Then there’s this claim that it withholds updates from the Linux kernel, Xorg, Firefox and the boot loader. This is partially true. Linux Mint does, by default, withhold kernel and Xorg updates. As most long-time Linux users will know by now, kernel, xorg and boot loader updates often break the system. Is a broken system better than a slightly less up-to-date system? If you’re a regular desktop users (if you’re not then this doesn’t affect you, because you shouldn’t be using Linux Mint anyway), the answer is no. The Linux kernel does, to some extent, affect security. This is of importance to companies running big servers, but to a lesser extent for the regular desktop user, because they simply don’t form a compelling enough target to spend the time exploiting a kernel vulnerability (also because Linux Mint, unlike Ubuntu, comes with a Firewall pre-installed, making the task even more difficult).Then, Xorg. Xorg does for a big part affect the security of the system, but seeing as Xorg still can’t properly separate input being sent to different applications, I don’t think a potential hacker is going to be bothered much by the “security updates” for Xorg anyway. A seemingly innocent application could capture your bank account details as you are entering them into your web browser, and you’d never know. If attackers get to the point where they actually have access to your Xorg session, then you’re screwed anyway ,and no security fix is going to stop them anymore.The boot loaders… Please, Oliver. Enlighten me. How does the boot loader affect security? Are we Microsoft, now? Are we soon going to develop our own implementation of “secure boot”? Because unless we are, I’m missing your point with this one.I saved the best one for the last; Firefox. Let’s have a look at the /usr/lib/linuxmint/mintUpdate/rules file again. It clearly states Firefox is a level 2 update. Level 2 updates get installed by default. I think it’s safe to say mister Oliver was simply attempting to add some juicy fud to his claims to make them spread faster, or otherwise thoroughly uninformed about the matter.This situation has been blown up to be a much bigger ordeal than it really is, which is partially because of news sites mindlessly copying Oliver’s claims, without conducting any research of their own into the matter. This is exactly why you should never take claims from only one source for facts.Clement Lefebvre, the Linux Mint project founder, has since made a statement and confirmed that Oliver Grawert seems “more opinionated than knowledgeable and the press blew what he said out of proportion.” Markcortbass Dont feed the troll.It’s very bad idea to start again a linux desktop war.. http://www.robinj.be/ Robin Jacobs I don’t think it’s a good idea to just let Canonical & co spread fud about “competing” projects, either. Myles Fister It’s not FUD when it’s true. You say for a power user it’s no problem to make sure that you get all the necessary updates and you also provide and easy way for the average joe to do it as well but the problem lies with the fact that the average joe has no idea he/she should even to this to begin with. Thanks to a Canonical employee average people may actually get a chance to read about this issue with Mint http://www.robinj.be/ Robin Jacobs You mean this issue that isn’t an issue at all? wyllie chilunga it isnt an issue at all? wow how is it not an issue? Vilender An avarage user can change update manager settings with a few click. But I think, an avarage user can not solve any break the system problem due to kernel, xorg and boot loader updates. wyllie chilunga that setting should be there the average user wouldn’t think about it because they want a system that just works, what about that dont you get? http://www.robinj.be/ Robin Jacobs Exactly Robert Campbell What a utter piece of steaming sensationalist pile of dog crap this site has become.“Oliver Grawert made a pretty blunt claim on the Ubuntu Developer mailing list a couple of weeks ago, stating that Linux Mint is insecure, and you shouldn’t use it to do your banking.”The guy said he personally woouldn’t use it for banking. He did not suggest that others shouldn’t. You are twisting words to fit your opinion.You are clearly bias. For the Online results in Ubuntu, you decry it as hard for users to turn off. Yet: First of all, the levels can be found in a text file, so for a power user it would be absolutely no trouble at all to just edit that text file.Do you see? When it’s something that Ubuntu does, the worst is assumed but Mint gets a pass.Your agenda is clear. http://www.robinj.be/ Robin Jacobs You *do* realise not every article on this website is written by the same person, right?I did not comment on online search results in the Dash, and I most certainly didn’t say it’s hard to turn off.Please check your sources before blowing stuff up. In this case, having checked the author field before commenting might have saved your some embarrassment. wyllie chilunga how did mint get falsely accused when its the truth? http://www.robinj.be/ Robin Jacobs Read the article. Either you are unable or unwilling to get it. Myles Fister Couldn’t agree more! It took everything I had just to read through this “article” we’ll call it. Brian Moore In the CIA security triad, an unstable system could adversly affect availability, and would thus be less secure. tfosorcim Regarding Mark Shuttleworth’s ability to objectively make an assessment of any Linux distribution, particularly Mint, which a major magazine* has described as “Mighty Mint”, and much better than Ubuntu, there exists a quotation from Sir Winston Churchill which is so apt, it’s downright spooky:“He was not in complete harmony with the normal.”************************************************************************ Linux Format. LXF 167, February 2013, pp.42-49:“…Better than Ubuntu…: “…All hail the new number one distro…” “…Linux Mint is one of the greatest distros available…” Ronen Thanks for the article, Robin. I suspected this whole thing was blown up out of proportion. JustALinuxUser So my choices are a stable system or a secure system? I opt for a different distro. http://www.robinj.be/ Robin Jacobs You’re free to do so, but as I explained, withholding kernel and Xorg updates will be unlikely to put users in danger. Flexo Somebody really think Ubuntu or Mint are secure and stable distros? ja http://www.robinj.be/ Robin Jacobs I think Linux Mint is pretty secure to external attackers trying to gain access to your system, because it does include a firewall. As to Ubuntu… I’m not at all sure, to be honest, but (in case some news reporter is reading this) please don’t quote me on that. Scott Dowdle This doesn’t seem good to me. How about you?http://forums.linuxmint.com/viewtopic.php?f=90&t=106520It appears Linux Mint turns on xhost + during X startup for ease of use and don’t see it as a security problem. http://www.robinj.be/ Robin Jacobs That does seem like a valid concern. The developers seem to rely on the users’ router firewall blocking the incoming connection, but if you, like me, have a buggy Belgacom router you have little choice but to set your system as DMZ host, which will automatically forward any incoming connection to your system… And then what about public networks? I think using “xhost +local” would solve the security issue while still keeping the original problem at bay…I wonder whether this issue still stands in Linux Mint 16. I’ll look into it. http://www.robinj.be/ Robin Jacobs My bad. There does not appear to be any kind of issue present here. Have a look at this post, which comes from the same topic you linked to; http://forums.linuxmint.com/viewtopic.php?p=606945#p606945 Abdel I’ve been using Linux mint for ages now and I’ve never had a problem whatsoever. jrs505050 Ubuntu is like a fly buzzing around the neck of the Lion Mint. Middle-age Such issues are bogus. Linux itself is secured enough. Why are we hellbent on doing harm to our own community and benefit Microsoft?