LinuxQuestions.org
Forum: Linux - Newbie. This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

03-22-2017, 07:43 PM, #1: road hazard (Member)
General question about security updates and why do people always pick on Mint?

I'm a n00b so please explain like you're talking to a 5 year old.

With Windows, MS releases periodic OS updates that are applied via Windows updates. Some apps (FireFox) on Windows will update itself and other applications will sometimes notify you if an updated version is available while other Windows apps won't and you have to remember to manually check those for updates.

On Linux (correct me if I'm wrong).... no matter which distro you pick, it's safe to assume that ALL installed apps receive updates. Depending on whether it's a rolling distro or something like Debian (testing), sometimes those updates won't be the absolute latest versions of say, FireFox for example but as new versions of these programs work their way through eval/testing/etc branches, they eventually trickle down to your particular distro over the course of days/weeks/months.

Am I right so far?

Now this brings me to Mint. I've seen lots of posts all over where people complain that the Mint team will sometimes hold back security updates. What updates are they referring to? App or kernel?

!!!n00b warning!!!

If it's kernel updates people are complaining about, where is the uproar about Debian 8/Jessie? I recently installed Jessie and even though the updater says I'm up to date, why do I still have a 2 year old kernel? Isn't it a good idea to always have a newer kernel to avoid exploits that are uncovered in older ones? I thought I read somewhere that 3.16.04 was susceptible to the COW exploit?

OR, buried in those updates I receive when booted into Jessie or Neon or SolydXK..... are there minor revisions to these kernels that close these vulnerabilities?
 
03-22-2017, 09:39 PM, #2: jefro (Moderator)
Kind of a lot in your post to answer.

Let's leave MS out of the deal, too much going on there.

The people who spend their time working on any distro have limits. From people to technology to money to time to bugs and more can limit how fast they can respond. Remember a program change affects more than one file usually.

A goal of what one would want in a distro is a way to have all programs updated. That has not happened in linux or MS that I know of exactly.

I think that Debian has a patched kernel.

You have a choice in Linux to some degree but using a distro also limits the ability to change rapidly. If all the people who work on linux got together on one distro they might be able to get it up to date.

Maybe if Linux adopted a universal platform like snaps then it might get close. You'd still find the naysayers who go their own path.

You could with some ease learn to put your own kernel on your distro. It tends to break package management in some cases. You could watch for the major bugs and apply patches or rebuild the kernel. Might be worth it to try it.

Last edited by jefro; 03-22-2017 at 09:44 PM.
 
03-22-2017, 10:10 PM, #3: road hazard (Original Poster)
The only reason I tossed Windows in there is because I'm just using that as a basis for my understanding of how (I think) updates are handled in Linux. I need to equate Linux actions to something I'm familiar with.

Is this part at least correct?

"On Linux (correct me if I'm wrong).... no matter which distro you pick, it's safe to assume that ALL installed apps receive updates. Depending on whether it's a rolling distro or something like Debian (testing), sometimes those updates won't be the absolute latest versions of say, FireFox for example but as new versions of these programs work their way through eval/testing/etc branches, they eventually trickle down to your particular distro over the course of days/weeks/months."

I completely understand that outside of a few distros (Red Hat comes to mind), the people who put them together and maintain the packages and test are probably mostly volunteers. I really appreciate their time and dedication!

I hope my post didn't come across as me complaining about slow updates or anything. I'm just trying to understand why people complain about slow updates on Mint but distros with old packages and old kernels escape this criticism. It seems to me, unless you run Arch and update on an hourly basis (and risk killing your install), you're going to get out of date kernels that are susceptible to day zero exploits and might have a version of app X that's vulnerable to a month old exploit.

But maybe it's like you said.... Debian (Mint, Neon, etc.) all release frequent kernel (minor?) updates that keep your system safe?

Just trying to wrap my head around whether or not I need something like Arch, so I'm sure I have the latest patches to the kernel (and all my apps) to safeguard against zero day exploits or if using a distro that is not updated as frequently keeps me just as safe?!

(I hope I don't need Arch because WOW.....being a n00b..... Arch is some hard core stuff and after a few days, I pulled the EJECT cord on that distro.)
 
03-23-2017, 12:32 AM, #4: chrism01 (LQ Guru)
Quote:
distros with old packages and old kernels escape this criticism
In many distros, e.g. RHEL derived, although the major (and even minor) version nums may look 'old', in fact RH continues to supply security & bugfix updates for as long as the distro main version is supported.
https://access.redhat.com/support/po...pdates/errata/

You have to look into the minor-minor version nums and patch nums (explained in relevant release notes) if you want to know the details.
Eg I have Centos (RHEL clone) 6.8 and kernel is 2.6.32-642.15.1 ...

HTH
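chrism01's point above is that the distro revision after the dash (642.15.1 in his example) is where backported security fixes show up, not the upstream version in front of it. The following is an added example, not code from the thread or from any distribution: a small POSIX shell script that splits a kernel release string (the form `uname -r` prints) into the upstream version and the distro's own revision, and checks a package changelog for a CVE identifier. The changelog excerpt is constructed for the example and its version string is illustrative; CVE-2016-5195 is the public identifier of the "COW" bug (Dirty COW) the original poster mentions. The real-system commands in the comments are standard `zcat`, `rpm` and `uname` invocations, but the Debian changelog path assumes the distro's default packaging layout.

```shell
#!/bin/sh
# Added example (not from the thread). Splits a kernel release string such as the
# output of `uname -r` into the upstream version and the distribution's own
# revision, and checks a package changelog for a CVE identifier.

# kernel_upstream RELEASE  ->  upstream version, i.e. everything before the first '-'
#   2.6.32-642.15.1.el6.x86_64  ->  2.6.32
#   3.16.0-4-amd64              ->  3.16.0
kernel_upstream() {
    printf '%s\n' "${1%%-*}"
}

# kernel_distro_rev RELEASE  ->  the distro build revision that carries the backports.
#   RHEL/CentOS  2.6.32-642.15.1.el6.x86_64  ->  642.15.1   (".el6.x86_64" stripped)
#   Debian       3.16.0-4-amd64              ->  4          ("-amd64" flavour stripped)
#   A release with no '-' at all is a vanilla or self-built kernel, which no
#   distribution security team is patching for you: report "(none)".
kernel_distro_rev() {
    case "$1" in
        *-*) ;;
        *)   printf '(none)\n'; return 0 ;;
    esac
    rev="${1#*-}"          # drop the upstream version
    rev="${rev%%-*}"       # Debian/Ubuntu/Arch: drop "-amd64", "-generic", "-ARCH"
    case "$rev" in
        *.el[0-9]*) rev="${rev%%.el[0-9]*}" ;;   # RHEL: drop ".el6.x86_64"
    esac
    printf '%s\n' "$rev"
}

# changelog_mentions_cve CVE-ID   (changelog text on stdin)
# Exit status 0 if the identifier appears, 1 otherwise. On a live system:
#   Debian/Ubuntu: zcat /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz \
#                    | changelog_mentions_cve CVE-2016-5195
#   RHEL/CentOS:   rpm -q --changelog kernel-$(uname -r) | changelog_mentions_cve CVE-2016-5195
changelog_mentions_cve() {
    grep -q -- "$1"
}

# Constructed changelog excerpt in Debian format; the version string is illustrative.
# CVE-2016-5195 is the public identifier of the "COW" (Dirty COW) bug.
SAMPLE_CHANGELOG='linux (3.16.36-1+deb8u2) jessie-security; urgency=high

  * [CVE-2016-5195] mm: fix race in get_user_pages() write handling

 -- Example Maintainer <maint@example.invalid>  Thu, 20 Oct 2016 12:00:00 +0000'

# Demonstration on constructed release strings; on a live system use "$(uname -r)".
for rel in 2.6.32-642.15.1.el6.x86_64 3.16.0-4-amd64 4.10.4-1-ARCH 4.10.4; do
    printf '%-28s upstream=%-8s distro-rev=%s\n' \
        "$rel" "$(kernel_upstream "$rel")" "$(kernel_distro_rev "$rel")"
done
if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve CVE-2016-5195; then
    echo "changelog mentions CVE-2016-5195: the fix is backported in this package revision"
fi
```

The distro revision only tells you that the vendor has rebuilt the kernel; whether a particular bug is fixed is answered by the package changelog (or the vendor's advisory), which is why the second function greps for the CVE identifier rather than comparing version numbers against upstream.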
 
03-23-2017, 12:55 AM, #5: AwesomeMachine (LQ Guru)
All distros are a bit different in how updates are done. If you do an update, without qualification, all of the packages you have installed will be updated if there is an update for the package. You don't need to manually update each one.

There are programs to notify the user of updates for the entire distro, but not individual apps. Manually installed, i.e. from source, won't be updated. You can also mark individual packages so they don't get updated.

Debian releases security updates for stable. It releases many package upgrades for testing. In the stable release not much will change as far as features. On my Debian boxes I run some stable and some testing, depending on how much I want to fuss for the cutting edge apps.
 
03-23-2017, 04:11 AM, #6: hazel (Senior Member)
Even in Linux, updates aren't done automatically. That would be against the spirit of Linux which puts you in charge of your computer and not some organisation that might not have your best interests at heart. Many people find automatic Windows updates an imposition.

In Linux, you update your software yourself by asking your package manager to perform an update. How often you do that is your decision. It also depends on the distro. Gentoo changes so fast that daily updates actually make sense. For other distros, once a week is good enough. I update Debian Stable once a month.

Mint has a peculiar policy, intended to be newbie-friendly, of grading updates according to their perceived safety. Updates of system-critical packages get a level 5 grade. Mint also uses its own update program as a front end to the apt system and an alternative to synaptic. Upgrades with a high danger level don't get done unless you force them. Personally I don't like this but other people may think differently.
 
03-23-2017, 07:52 AM, #7: hydrurga (LQ Guru)
Quote (Originally Posted by road hazard):
On Linux (correct me if I'm wrong).... no matter which distro you pick, it's safe to assume that ALL installed apps receive updates.
This is true only if all packages that have been installed are contained within repositories that your package management suite is pointing to on your system, and additionally that the packages are not marked as "held back".

In addition, you are dependent on updates actually hitting those repositories. Depending on your distro, you might find that the versions of packages available in the repositories are well out of date. Yes, technically such installed packages might be able to receive updates, but whether any are actually made available for them is a different question altogether.

Manually installed packages, as AwesomeMachine mentioned, are not updated in this way. Personally I have written a Python script that fetches info on the latest versions of such packages on my system from their host web sites, compares the latest version to the version I have installed, and then downloads the new package if necessary for me to install.

However, even with that, I've found updating packages on Linux to be much easier and quicker due to the repository system.
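hydrurga's caveat above (a package only receives updates if it comes from a repository your package manager is pointed at, and is not held back) can be checked mechanically on an apt-based system such as Mint or Debian. The following is an added example, not hydrurga's script or anything from the thread: a POSIX shell function that reads `apt-cache policy` output and classifies each installed package as OK, UPDATE-AVAILABLE, or LOCAL-ONLY (the installed version is known only from /var/lib/dpkg/status, so no configured repository will ever update it). The sample policy output is constructed and its package versions are illustrative; the command lines in the comments are standard apt and dpkg invocations. Held packages are a separate case, listed by `apt-mark showhold`.

```shell
#!/bin/sh
# Added example (not from the thread). Feed the output of `apt-cache policy`
# through pending_updates to find installed packages that are out of date or
# that no configured repository provides at all.
#
# On a live Debian/Ubuntu/Mint system:
#   apt-cache policy $(dpkg-query -W -f '${binary:Package}\n') | pending_updates
#   apt-mark showhold          # packages pinned so they never update
#
# Output, one line per installed package:  NAME STATUS INSTALLED CANDIDATE
#   UPDATE-AVAILABLE  a newer version is in a repository but not installed yet
#   LOCAL-ONLY        the installed version exists only in /var/lib/dpkg/status
#                     (installed from a downloaded .deb or a removed repo), so no
#                     update will ever arrive for it through apt
#   OK                installed version matches the best available one
pending_updates() {
    awk '
    function report() {
        if (pkg == "" || inst == "" || inst == "(none)") return   # not installed
        if (inst != cand)   status = "UPDATE-AVAILABLE"
        else if (!repo_src) status = "LOCAL-ONLY"
        else                status = "OK"
        print pkg, status, inst, cand
    }
    /^[^ ]+:$/ {                        # "name:" at column 0 starts a package block
        report()
        pkg = substr($1, 1, length($1) - 1)
        inst = ""; cand = ""; in_inst = 0; repo_src = 0
        next
    }
    /^  Installed:/ { inst = $2; next }
    /^  Candidate:/ { cand = $2; next }
    /^ \*\*\* /     { in_inst = 1; next }   # " *** VER PRIO": the installed version
    /^     [^ ]/    { in_inst = 0; next }   # "     VER PRIO": some other version
    /^        [0-9]+ / {                    # "        PRIO SOURCE": where VER comes from
        if (in_inst && $2 != "/var/lib/dpkg/status") repo_src = 1
    }
    END { report() }
    '
}

# Constructed apt-cache policy output; package versions are illustrative only.
SAMPLE_POLICY='firefox-esr:
  Installed: 45.0esr-1
  Candidate: 45.1esr-1
  Version table:
     45.1esr-1 500
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
 *** 45.0esr-1 100
        100 /var/lib/dpkg/status
linux-image-3.16.0-4-amd64:
  Installed: 3.16.43-2
  Candidate: 3.16.43-2
  Version table:
 *** 3.16.43-2 500
        500 http://deb.debian.org/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
google-chrome-stable:
  Installed: 57.0-1
  Candidate: 57.0-1
  Version table:
 *** 57.0-1 100
        100 /var/lib/dpkg/status
not-installed-pkg:
  Installed: (none)
  Candidate: 1.0-1
  Version table:
     1.0-1 500
        500 http://deb.debian.org/debian/ jessie/main amd64 Packages'

printf '%s\n' "$SAMPLE_POLICY" | pending_updates
```

The LOCAL-ONLY case is the one that silently breaks the "everything gets updated" assumption: apt reports nothing wrong, because from its point of view the installed version is the best version it knows about.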
 
03-23-2017, 07:56 AM, #8: hydrurga (LQ Guru)
Regarding Mint, this article is hot off the presses:

https://distrowatch.com/weekly.php?issue=20170320#myth

Its summary:

Quote:
As it stands, Linux Mint's security record is about the same as other popular Linux distributions. There have been a few minor problems, but nothing out of the ordinary. For the most part, Mint's reputation concerning software security mostly seems to grow out of misunderstandings about how the distribution's update manager works.
 
03-23-2017, 12:48 PM, #9: DavidMcCann (LQ Veteran)
Remember that "updates" is a vague term. There can be
> security fixes
> other bug-fixes
> enhanced versions

When I used Fedora, which is generous with updates, I always checked each item. The "improvements" often turned out to be more trouble than they were worth and many bug fixes were for bugs that never bothered me. Even when you look at security problems, some turn out to be unnecessary: there's a big difference between running a desktop and a web-server!

I think it's a safe bet that Linux distros will do what's necessary to keep themselves safe. If any distro was really vulnerable, word would get around and it would die. The people that describe some distros as "unsafe" always seem to be speaking from a theoretical viewpoint: you never get them saying "I used X and disaster struck."
 
03-23-2017, 03:44 PM, #10: Rickkkk (Senior Member)
I've been using Arch for 7 or 8 years, so I am now more used to the rolling release model. Personally I prefer it, but there are plenty of valid reasons some people don't - that's a discussion in and of itself.

I tend to worry much less about malware exploits on Linux than with Windows. I don't even primarily consider the updating process as focused mostly on security, but as a way of addressing bugs and providing added functionality.

I think choice of a Linux distro is multi-factorial: rolling vs. more stable release model; minimal vs. fully-packaged; choice of desktop environment; support community and documentation; user's degree of familiarity with Linux and/or Windows and/or MacOS ...

With respect to your question on how Linux distros keep their packages updated vs. the Windows way, I believe your understanding is fairly accurate. I still use both systems on a daily basis and I prefer the way my Arch Linux systems are kept updated - essentially according to how I wish to do it. And when I do decide it's time to update (minimum once a week on each of my systems), I find the package management system that Arch uses very efficient at keeping all my packages current. I also consciously avoid installing software manually, to maintain this integrity.

Cheers,

Last edited by Rickkkk; 03-23-2017 at 04:59 PM.
 
03-23-2017, 04:55 PM, #11: jefro (Moderator)
" no matter which distro you pick, it's safe to assume that ALL installed apps receive updates."

No.
 
03-23-2017, 05:09 PM, #12: Myk267 (Member)
Quote (Originally Posted by road hazard, post #3, quoted in full):
Most of the important software receives software upgrades. Browsers, network stuff, kernels, etc. Not always, though. The 'universe' repository for Ubuntu isn't 'officially' supported (it's community supported!) so you might not get the latest and greatest if your package is in there.

I think you ought to consider the threat model of running an unpatched kernel. If you're running bad code on your machine, the least of your worries is probably that someone is going to get a root shell from a kernel exploit. A bleeding edge kernel isn't going to stop that scenario from making you have a bad day. (I also have to question whether there's any protection from a 0day, by definition...)

Mint leaves it up to you to decide, by default, if you want to upgrade critical pieces that might break your working system. If you want the latest kernels, you can upgrade them just fine. If you don't, eh, it's your machine and your peace of mind.

That said, Mint and Arch are both valid and great choices with their share of users here on LQ and around the web.
 
03-23-2017, 06:27 PM, #13: Habitual (LQ Veteran)
Linux is not Windows.

http://www.linuxmint.com/documentation.php
 
03-23-2017, 07:34 PM, #14: road hazard (Original Poster)
Thank you all for chiming in. I think I got the answers I was looking for.

Reading through all your replies, I didn't want this to become a "windows update vs. Linux update" battle and I'm not picking on Mint. I don't want an OS to spy on me or advertise me things. I just want it to do what I ask. This is why I didn't go with Windows 10 and am sticking with Linux.

With that said, in Windows land, Windows Update would sometimes push out critical patches to the OS to protect against recently discovered exploits. I was just confused why some Linux distros ship with kernels from a year or so ago and even after updating your distro, the kernel could very well be at the same "core" level. I now know that sure, I might be using kernel 3.16 in Debian for instance, and after I applied any updates I'm still at 3.16 but the minor minor version is maybe 3.16.44.1.2 (which has been updated to block newly discovered exploits).

It was just hard for my brain to translate that into, "Yes, the kernel you're using....even with a low version #, is STILL being updated to address new vulnerabilities."

And I read that Mint article on Distrowatch and to me, it seems the criticism that Mint takes is a bit of FUD. Sure, maybe they should change that first option from "Don't break my computer" to .... "I prefer stability above all else and I'm not worried about zero day exploits".... or something not so scary sounding to n00bs. They DO give the option to show you all updates (even kernel updates) and leaves it to the end user to apply them. I'm fine with that.

After a few more months of cutting my teeth on Mint, I might move on to Debian 9 (when it's released) or stay with Mint. After all, if it ain't broke........

Thanks everyone!
 
03-24-2017, 02:46 AM, #15: hazel (Senior Member)
Quote (Originally Posted by road hazard):
And I read that Mint article on Distrowatch and to me, it seems the criticism that Mint takes is a bit of FUD. Sure, maybe they should change that first option from "Don't break my computer" to .... "I prefer stability above all else and I'm not worried about zero day exploits".... or something not so scary sounding to n00bs. They DO give the option to show you all updates (even kernel updates) and leaves it to the end user to apply them. I'm fine with that.
It's not just noobs! I used Mint briefly on a laptop and, believe it or not, I just couldn't bring myself to do the updates that were flagged as dangerous. I knew it was irrational. I'd updated those packages in a number of distros and never come to any harm. But having it pushed into my face that this could break my system made it seem just not worthwhile. I'm glad they've changed the policy.
 
  


All times are GMT -5.
