• Welcome to Peterborough Linux User Group (Canada) Forum.
 

Security of Linux Mint

Started by fox, March 20, 2017, 12:26:43 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

fox

A section of the latest DistroWatch seems to be provoking an animated discussion of potential security issues in Linux Mint; particularly when used by beginners. The discussion stems around Mint's defaults for software updates and the fact that point upgrades of the Linux kernel are not implemented by default. You can read about it here. If I understand correctly, these defaults changed in the latest version of Linux Mint.
Ubuntu 23.10 on 2019 5k iMac
Ubuntu 22.04 on Dell XPS 13

Jason

I'd entirely defend the Linux Mint article. I haven't used it as my regular distro in a couple of years but I know how their update system worked and I've tried the latest version in Virtualbox so I know how it works now as well. Nothing has changed other than in how it is presented to users. Users always had the choice to install all updates should they wish to.

For beginners, you don't want to update the kernel for every new point release right away unless it's a security issue as it can break with hardware and you could end up with an unbootable system. At no time were updates hidden to anybody, unless you went and chose to hide them. Users always had the option to install everything. Honestly, I think their update system is on of the more innovative update managers I've seen.

Btw, most distros don't update the kernel every time a new release comes out except when there are security updates and sometimes those are even backported. I bet you a coffee, Mike, that your distro, whatever you're using isn't using the latest version of the Linux kernel which is 4.11-rc3 according to kernel.org at the time of this writing. I'm using Ubuntu MATE with all the updates installed my kernel is 4.8.0.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

fox

I won't bet you the coffee, but in fact Ubuntu is updating the kernel all the time. My mistake was referring to it as a point release. I think that point releases are much more than security updates; they incorporate new drivers for new hardware. But in Ubuntu I am constantly getting kernel updates within the 4.x.0 series. For example the current default kernel in Ubuntu 16.10 is 4.8.0-41-generic, but the "41" has been updated at least 3 times since the release of 16.10. I assume that these are security updates. I am guessing that the Ubuntu Mate version you are using has been updated several times as well. I am assuming from what I read that Mint wouldn't automatically give you those updates as a default and if my assumption, that these incorporate security updates, is correct, then I partly agree with the dissenter comments that this isn't a good idea for novices.
Ubuntu 23.10 on 2019 5k iMac
Ubuntu 22.04 on Dell XPS 13

Jason

What I meant was that everytime a new kernel release is put out, most distros don't upgrade to *that version* right away. Sometimes it's months before they do. Security updates are often backported, the release number being shown after the hyphen, that is, the 41 in 4.8.0-41. Some even though 4.8.0 isn't the most recent release of the kernel, any security problems noticed after 4.8 have been backported to "fix" it. I seem to recall that Linux Mint does incorporate kernels with backported security updates by default.

I'll have to check into this on the Linux Mint website more and get back to you.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

ssfc72

Your message is time stamped 7:23 pm.  You are going to miss your bus, to get to tonight's Mug! :-)

Bill


Quote from: elpresidente on March 20, 2017, 07:23:42 PM
What I meant was that everytime a new kernel release is put out, most distros don't upgrade to *that version* right away. Sometimes it's months before they do. Security updates are often backported, the release number being shown after the hyphen, that is, the 41 in 4.8.0-41. Some even though 4.8.0 isn't the most recent release of the kernel, any security problems noticed after 4.8 have been backported to "fix" it. I seem to recall that Linux Mint does incorporate kernels with backported security updates by default.

I'll have to check into this on the Linux Mint website more and get back to you.
Mint 20.3 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MXLinux)
Cellphone Samsung A50, Koodo pre paid service

bobf

Bill was probably posting FROM Timmy's, Jason! <^8#

And I've weighed in on this topic many times in the past. My 11" netbook has been LM 17.2 Cinnamon 64-bit forever, and I noticed that the GUI updater would tell me everything's up-to-date, but when I went to the CLI and ran apt-get, updates WOULD be available. Now, the whys and wherefores aside, I want to know that my computer is in the most current state available when I do updates, which simply meant side-stepping the GUI interface for what I've been using forever anyway.

And Jason's pointed out several times that the settings are simple to change, but understanding the intent behind the implementation of updates in LM means that the noob or casual user can't get themselves into trouble they can't get themselves back out of, and I circumvent the "perspective" my way...

And as for the powers-that-be at LM, it may (or may not!) be time to reflect on the continued suitability of their long-standing policy...

Jason

I spend about an hour or two last night researching this not including the time to download and install LM 18.1 to test it again. The issue is a bit complicated and I'm trying to figure out whether it makes more sense to try and explain it here or explain it at a PLUG monthly meeting.

Of course, I'm not a security expert and try hard not to pretend to be one, so still thinking about this. The thing is that LM 18.1 lets users choose one of three settings depending on whether you're a noob or an experienced user so it depends on which setting you go with to start with. So there really is no default now unless you're assuming the placement of the original dot in the center to be it. See attached screenshot. However, even if you use this setting, you may not get all security patches but it appears you get the most critical ones. How I arrived at this conclusion is a much longer post. The noob setting appears to hide any updates that might effect stability.

* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

fox

If you have a good story on this, it would be worth hearing as part of a meeting. A lot of our group either use Mint primarily or occasionally.
Ubuntu 23.10 on 2019 5k iMac
Ubuntu 22.04 on Dell XPS 13

Jason

Thanks for the encouragement. I'll do a bit more research on this and have something to say about it then. It's quite the paper/net trail looking up kernel updates and how to determine whether they're serious or not. One of the interesting things I've found is that Ubuntu 16.04 LTS uses 4.4 series kernel while 16.10 uses 4.8 series. LM 18.1 (and probably 18, too) might be using the kernel (and updates) for Ubuntu 16.04 LTS.

I'd love if we had a person in the club that contributed Kernel patches or at least knew more about how the development cycle works and how they end up in various distros. It seems there are different versions of the kernel for different uses, too.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

Jason

Presentation notes here:

http://forums.plugintolinux.ca/index.php/topic,211.msg1167.html#msg1167

Feel free to come back here if you want to carry on this discussion.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

ssfc72

A well done presentation, last evening, at the PLUG meeting, Jason! 
You did a very good job of researching the issue of Linux Mint updates.

Your note that Mint packages numerous, similar updates, into one single update, explains why there is a difference in the number of updates Mint says, is available, and the number reported when doing a command line update.
Mint 20.3 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MXLinux)
Cellphone Samsung A50, Koodo pre paid service

fox

I agree with Bill; well researched and well presented. I haven't tried Mint in a long time, but I did follow the security issue. I'm still unclear as to whether ranking kernel and firmware updates as "5" is a potential security problem for newbies who choose the "safe" route with updates. Granted that many of the changes in same-major-version updates (i.e. the xx in something like 4.4.0-xx) are additional device drivers, but at least some appear to be security fixes, too. Or maybe I missed something in the presentation?
Ubuntu 23.10 on 2019 5k iMac
Ubuntu 22.04 on Dell XPS 13

Jason

Thanks, guys. Glad it was helpful.

Quote from: fox on April 04, 2017, 12:44:52 PM
Granted that many of the changes in same-major-version updates (i.e. the xx in something like 4.4.0-xx) are additional device drivers, but at least some appear to be security fixes, too. Or maybe I missed something in the presentation?

I think you did. I discussed the security updates, the vulnerabilities they were to be fixing and past kernel security updates since LM 18.1's release. Check the notes, it's pretty much the presentation. You can decide for yourself if it's a concern. Based on the evidence available, I thought not.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13