[SOLVED] General question about security updates and why do people always pick on Mint?
I'm a n00b so please explain like you're talking to a 5 year old.
With Windows, MS releases periodic OS updates that are applied via Windows updates. Some apps (FireFox) on Windows will update itself and other applications will sometimes notify you if an updated version is available while other Windows apps won't and you have to remember to manually check those for updates.
On Linux (correct me if I'm wrong).... no matter which distro you pick, it's safe to assume that ALL installed apps receive updates. Depending on whether it's a rolling distro or something like Debian (testing), some times those updates won't be the absolute latest versions of say, FireFox for example but as new versions of these programs work their way through eval/testing/etc branches, they eventually trickle down to your particular distro over the course of days/weeks/months.
Am I right so far?
Now this brings me to Mint. I've seen lots of posts all over where people complain that the Mint team will sometimes hold back security updates. What updates are they referring to? App or kernel?
!!!n00b warning!!!
If it's kernel updates people are complaining about, where is the uproar about Debian 8/Jessie? I recently installed Jessie and even though the updater says I'm up to date, why do I still have a 2 year old kernel? Isn't it a good idea to always have a newer kernel to avoid exploits that are uncovered in older ones? I thought I read somewhere that 3.16.04 was susceptible to the COW exploit?
OR, buried in those updates I receive when booted into Jessie or Neon or SolydXK..... are there minor revisions to these kernels that close these vulnerabilities?
Let's leave MS out of the deal, too much going on there.
The people who spend their time working on any distro have limits. Everything from people to technology to money to time to bugs can limit how fast they can respond. Remember that a program change usually affects more than one file.
A goal of what one would want in a distro is a way to have all programs updated. That has not happened in Linux or MS, as far as I know.
I think that Debian has a patched kernel.
You have a choice in Linux to some degree, but using a distro also limits the ability to change rapidly. If all the people who work on Linux got together on one distro they might be able to get it up to date.
Maybe if Linux adopted a universal platform like snaps then it might get close. You'd still find the naysayers who go their own path.
You could with some ease learn to put your own kernel on your distro. It tends to break package management in some cases. You could watch for the major bugs and apply patches or rebuild the kernel. Might be worth it to try it.
The only reason I tossed Windows in there is because I'm just using that as a basis for my understanding of how (I think) updates are handled in Linux. I need to equate Linux actions to something I'm familiar with.
Is this part at least correct?
"On Linux (correct me if I'm wrong).... no matter which distro you pick, it's safe to assume that ALL installed apps receive updates. Depending on whether it's a rolling distro or something like Debian (testing), some times those updates won't be the absolute latest versions of say, FireFox for example but as new versions of these programs work their way through eval/testing/etc branches, they eventually trickle down to your particular distro over the course of days/weeks/months."
I completely understand that outside of a few distros (Red Hat comes to mind), the people who put them together and maintain the packages and test are probably mostly volunteers. I really appreciate their time and dedication!
I hope my post didn't come across as me complaining about slow updates or anything. I'm just trying to understand why people complain about slow updates on Mint but distros with old packages and old kernels escape this criticism. It seems to me, unless you run Arch and update on an hourly basis (and risk killing your install), you're going to get out of date kernels that are susceptible to day zero exploits and might have a version of app X that's vulnerable to a month old exploit.
But maybe it's like you said.... Debian (Mint, Neon, etc.) all release frequent kernel (minor?) updates that keep your system safe?
Just trying to wrap my head around whether or not I need something like Arch, so I'm sure I have the latest patches to the kernel (and all my apps) to safeguard against zero day exploits or if using a distro that is not updated as frequently keeps me just as safe?!
(I hope I don't need Arch because WOW.....being a n00b..... Arch is some hard core stuff and after a few days, I pulled the EJECT cord on that distro.)
distros with old packages and old kernels escape this criticism
In many distros eg RHEL derived, although the major (and even minor ) version nums may look 'old', in fact RH continues to supply security & bugfix updates for as long as the distro main version is supported. https://access.redhat.com/support/po...pdates/errata/
You have to look into the minor-minor version nums and patch nums (explained in relevant release notes) if you want to know the details.
E.g. I have CentOS (RHEL clone) 6.8 and the kernel is 2.6.32-642.15.1 ...
All distros are a bit different in how updates are done. If you do an update, without qualification, all of the packages you have installed will be updated if there is an update for the package. You don't need to manually update each one.
There are programs to notify the user of updates for the entire distro, but not individual apps. Manually installed, i.e. from source, won't be updated. You can also mark individual packages so they don't get updated.
Debian releases security updates for stable. It releases many package upgrades for testing. In the stable release not much will change as far as features. On my Debian boxes I run some stable and some testing, depending on how much I want to fuss for the cutting edge apps.
Even in Linux, updates aren't done automatically. That would be against the spirit of Linux which puts you in charge of your computer and not some organisation that might not have your best interests at heart. Many people find automatic Windows updates an imposition.
In Linux, you update your software yourself by asking your package manager to perform an update. How often you do that is your decision. It also depends on the distro. Gentoo changes so fast that daily updates actually make sense. For other distros, once a week is good enough. I update Debian Stable once a month.
Mint has a peculiar policy, intended to be newbie-friendly, of grading updates according to their perceived safety. Updates of system-critical packages get a level 5 grade. Mint also uses its own update program as a front end to the apt system and an alternative to synaptic. Upgrades with a high danger level don't get done unless you force them. Personally I don't like this but other people may think differently.
On Linux (correct me if I'm wrong).... no matter which distro you pick, it's safe to assume that ALL installed apps receive updates.
This is true only if all packages that have been installed are contained within repositories that your package management suite is pointing to on your system, and additionally that the packages are not marked as "held back".
In addition, you are dependent on updates actually hitting those repositories. Depending on your distro, you might find that the versions of packages available in the repositories are well out of date. Yes, technically such installed packages might be able to receive updates, but whether any are actually made available for them is a different question altogether.
Manually installed packages, as AwesomeMachine mentioned, are not updated in this way. Personally I have written a Python script that fetches info on the latest versions of such packages on my system from their host web sites, compares the latest version to the version I have installed, and then downloads the new package if necessary for me to install.
However, even with that, I've found updating packages on Linux to be much easier and quicker due to the repository system.
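The two qualifications above (a package only gets updates if some configured repository carries it, and not if it is held) can be checked rather than assumed. The script below is an added example for this thread, not code from the thread, from apt or from Mint. It parses the output of `apt list --installed` together with `apt-mark showhold` and sorts installed packages into held, installed from outside every configured repository (apt's "local" flag), behind the repository, or current. The output format it expects is apt 1.x's and is an assumption, since apt documents its text output as unstable; the embedded sample is constructed, with illustrative package names and versions, and is used when apt is not available.

```python
"""Which installed packages will actually get updates from apt?

Added example for this thread (not code from the thread, apt or Mint).
Parses `apt list --installed` and `apt-mark showhold`; falls back to a
constructed sample when apt is not present.
"""
import re
import subprocess

# One line of `apt list --installed` (apt 1.x format, assumed), e.g.
#   firefox-esr/stable,now 45.8.0esr-1 amd64 [installed,upgradable to: 45.9.0esr-1]
LINE_RE = re.compile(
    r"^(?P<name>[^/\s]+)/(?P<origins>\S+)\s+(?P<version>\S+)\s+(?P<arch>\S+)\s+\[(?P<flags>[^\]]*)\]"
)

# Constructed sample output; names and versions are illustrative only.
SAMPLE_APT_LIST = """\
Listing...
bash/stable,now 4.3-11+deb8u1 amd64 [installed]
firefox-esr/stable,now 45.8.0esr-1~deb8u1 amd64 [installed,upgradable to: 45.9.0esr-1~deb8u1]
google-chrome-stable/now 57.0.2987.133-1 amd64 [installed,local]
libc6/stable,now 2.19-18+deb8u7 amd64 [installed,automatic]
linux-image-amd64/stable,now 3.16+63 amd64 [installed]
""".splitlines()
SAMPLE_HOLDS = ["linux-image-amd64"]


def run(cmd):
    """Run a command and return its stdout lines, or None if it cannot be run."""
    try:
        done = subprocess.run(cmd, capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return done.stdout.splitlines()


def classify(apt_list_lines, held_packages):
    """Group installed packages by whether a plain `apt upgrade` would touch them.

    Returns {'held': [(name, version)], 'local': [(name, version)],
             'upgradable': [(name, version, candidate)], 'current': [(name, version)]}.
    """
    held = set(held_packages)
    report = {"held": [], "local": [], "upgradable": [], "current": []}
    for line in apt_list_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Listing..." header, blank lines
        name, version = m.group("name"), m.group("version")
        flags = [f.strip() for f in m.group("flags").split(",")]
        if name in held:
            # explicit `apt-mark hold`: stays at this version until unheld
            report["held"].append((name, version))
        elif "local" in flags:
            # no configured repository carries this package: apt has nothing to update it from
            report["local"].append((name, version))
        elif any(f.startswith("upgradable to:") for f in flags):
            candidate = next(f for f in flags if f.startswith("upgradable to:")).split(":", 1)[1].strip()
            report["upgradable"].append((name, version, candidate))
        else:
            report["current"].append((name, version))
    return report


def unattended(report):
    """Names of packages a plain `apt upgrade` will never update (held or from no repo)."""
    return sorted(name for name, _ in report["held"] + report["local"])


if __name__ == "__main__":
    lines = run(["apt", "list", "--installed"])
    holds = run(["apt-mark", "showhold"])
    if lines is None or holds is None:
        print("apt not available here; using the constructed sample instead")
        lines, holds = SAMPLE_APT_LIST, SAMPLE_HOLDS
    report = classify(lines, holds)
    for name, version in report["held"]:
        print(f"HELD     {name} {version}")
    for name, version in report["local"]:
        print(f"NO REPO  {name} {version}  (you update this one yourself)")
    for name, version, candidate in report["upgradable"]:
        print(f"BEHIND   {name} {version} -> {candidate}")
    print(f"{len(report['current'])} packages current")
```

The "NO REPO" list is the one worth keeping an eye on: those packages look installed and up to date to the update manager, but nothing in your sources will ever deliver a security fix for them.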
As it stands, Linux Mint's security record is about the same as other popular Linux distributions. There have been a few minor problems, but nothing out of the ordinary. For the most part, Mint's reputation concerning software security mostly seems to grow out of misunderstandings about how the distribution's update manager works.
Remember that "updates" is a vague term. There can be
> security fixes
> other bug-fixes
> enhanced versions
When I used Fedora, which is generous with updates, I always checked each item. The "improvements" often turned out to be more trouble than they were worth and many bug fixes were for bugs that never bothered me. Even when you look at security problems, some turn out to be unnecessary: there's a big difference between running a desktop and a web-server!
I think it's a safe bet that Linux distros will do what's necessary to keep themselves safe. If any distro was really vulnerable, word would get around and it would die. The people that describe some distros as "unsafe" always seem to be speaking from a theoretical viewpoint: you never get them saying "I used X and disaster struck."
I've been using Arch for 7 or 8 years, so I am now more used to the rolling release model. Personally I prefer it, but there are plenty of valid reasons some people don't - that's a discussion in and of itself.
I tend to worry much less about malware exploits on linux than with Windows. I don't even primarily consider the updating process as focused mostly on security, but as a way of addressing bugs and providing added functionality.
I think choice of a linux distro is multi-factorial: rolling vs. more stable release model; minimal vs. fully-packaged; choice of desktop environment; support community and documentation; user's degree of familiarity with linux and or Windows and or MacOS ...
With respect to your question on how linux distros keep their packages updated vs. the Windows way, I believe your understanding is fairly accurate. I still use both systems on a daily basis and I prefer the way my Arch Linux systems are kept updated - essentially according to how I wish to do it. And when I do decide it's time to update (minimum once a week on each of my systems), I find the package management system that Arch uses very efficient at keeping all my packages current. I also consciously avoid installing software manually, to maintain this integrity.
Most of the important software receives upgrades. Browsers, network stuff, kernels, etc. Not always, though. The 'universe' repository for Ubuntu isn't 'officially' supported (it's community supported!) so you might not get the latest and greatest if your package is in there.
I think you ought to consider the threat model of running an unpatched kernel. If you're running bad code on your machine, the least of your worries is probably that someone is going to get a root shell from a kernel exploit. A bleeding edge kernel isn't going to stop that scenario from making you have a bad day. (I also have to question whether there's any protection from a 0day, by definition...)
Mint leaves it up to you to decide, by default, if you want to upgrade critical pieces that might break your working system. If you want the latest kernels, you can upgrade them just fine. If you don't, eh, it's your machine and your peace of mind.
That said, Mint and Arch are both valid and great choices with their share of users here on LQ and around the web.
Thank you all for chiming in. I think I got the answers I was looking for.
Reading through all your replies, I didn't want this to become a "windows update vs. Linux update" battle and I'm not picking on Mint. I don't want an OS to spy on me or advertise me things. I just want it to do what I ask. This is why I didn't go with Windows 10 and am sticking with Linux.
With that said, in Windows land, Windows Update would sometimes push out critical patches to the OS to protect against recently discovered exploits. I was just confused why some Linux distros ship with kernels from a year or so ago and even after updating your distro, the kernel could very well be at the same "core" level. I now know that sure, I might be using kernel 3.16 in Debian for instance, and after I applied any updates I'm still at 3.16 but the minor minor version is maybe 3.16.44.1.2 (which has been updated to block newly discovered exploits).
It was just hard for my brain to translate that into, "Yes, the kernel you're using, even with a low version #, is STILL being updated to address new vulnerabilities."
And I read that Mint article on Distrowatch and to me, it seems the criticism that Mint takes is a bit of FUD. Sure, maybe they should change that first option from "Don't break my computer" to .... "I prefer stability above all else and I'm not worried about zero day exploits".... or something not so scary sounding to n00bs. They DO give the option to show you all updates (even kernel updates) and leaves it to the end user to apply them. I'm fine with that.
After a few more months of cutting my teeth on Mint, I might move on to Debian 9 (when it's released) or stay with Mint. After all, if it ain't broke........
And I read that Mint article on Distrowatch and to me, it seems the criticism that Mint takes is a bit of FUD. Sure, maybe they should change that first option from "Don't break my computer" to .... "I prefer stability above all else and I'm not worried about zero day exploits".... or something not so scary sounding to n00bs. They DO give the option to show you all updates (even kernel updates) and leaves it to the end user to apply them. I'm fine with that.
It's not just noobs! I used Mint briefly on a laptop and, believe it or not, I just couldn't bring myself to do the updates that were flagged as dangerous. I knew it was irrational. I'd updated those packages in a number of distros and never come to any harm. But having it pushed into my face that this could break my system made it seem just not worthwhile. I'm glad they've changed the policy.