Lead Ubuntu Developer Claims Linux Mint is an Unsecure Distro – Is It?

Posted on November 18, 2013 4:41 PM by Rob Williams

Linux distributions are a complex thing, and for a newer user, trying to find the “right” one amongst the massive collection that exists can be undeniably tough. Even for experienced users though, some details between one distro and another might not be so obvious at first. For example, did you know that Linux Mint has a security policy that prevents kernel and Xorg updates from being applied immediately?

What started out as a simple comment to an Ubuntu mailing list earlier by one of the distro’s leading devs Oliver Grawert quickly became something much bigger, and a sore spot for Linux Mint’s developers, I’m sure. The discussion originated with a developer seeking advice on building a new distro based on Ubuntu that on the surface seemed similar in design to one of Linux Mint’s derivatives, which lead to Oliver stating, “It might for exmaple allow security updates (which are explicitly hacked out of Linux Mint for Xorg, the kernel, Firefox, the bootloader and various other packages) so that you dont have to go online with a vulnerable system ;)

These thoughts spiraled into something big, with people wondering why it is that Linux Mint would deliberately be so insecure. Well, as it turns out, Linux Mint has a leveled package system (no secret to its advanced users, I’m sure), where important updates ranged from 1 – 3 are automatically updated, while those of lower priority – which apparently involve the kernel and Xorg server – are on a lower level and left alone.

Linux Mint 15 Cinnamon

It might seem insane to not include the kernel and Xorg updates in the highest-priority levels, but Mint’s lead developer Clement Lefebvre states that there’s good reason for it. From OMG! Ubuntu!:

We explained why the Ubuntu update policy was not good enough for us and we consequently developed the update manager to solve that particular problem.

Firefox doesn’t come to you later in Mint than it does in Ubuntu (it’s a level 2 update).

Yes, by default you get updates in Ubuntu for kernels and Xorg and not in Mint. Yes, there’s a very good reason for that.

These comments highlight that some of Oliver’s thoughts were based on the past, such as with the comment that Firefox does not get auto-updated, when Clement retorts that it (now) does.

I have a hard time choosing a side here. From a system administrator perspective, Linux Mint is doing the best thing. Imagine a Xorg or kernel update that results in a non-bootable system, for example. That’d be an inexcusable thing to happen unless the user was the one that risked the upgrade. On the other side of the coin, not patching these things means that systems are left vulnerable. As it’d be hard to imagine that any of these vulnerabilities would actually be targeted at large though, the importance of keeping up-to-date with bleeding-edge patches would be a non-existent for a lot of people.

Whatever your thoughts, what good does come from this is that many likely understand better how Mint’s developers designed their package manager, and their distro as a whole.

  • http://www.centos.org/ Johnny Hughes

    I would say that they need to roll in security updates (at least) into the distro. They can usually backport the specific patch that is the security update and skip the entire update. Certainly those that are rated as Critical/High security issues have to be addressed .. if not, then that is a major problem.

  • Anand Radhakrishnan

    Hmm. Although this is unwarranted criticism it does helps in greater scrutiny of the current update design policy by Mint team. As I read in one of the comments in segfault blog, functional updates can wait but security patches should flow in.
    BTW, Any plans for a full review on new Mint 16?

Recent Tech News
Recent Site Content