Linux Mint is insecure, according to a Canonical-employed Ubuntu developer who says he wouldn’t do his online banking on a Linux Mint PC. The developer alleges that Linux Mint “hacks out” important updates. Is this a real problem or just fear-mongering?
The Ubuntu developer involved has gotten certain facts wrong and damaged his own case, but there’s still a real argument to be had here. Ubuntu and Linux Mint deal with updates in different ways, and each has its own trade-offs.
A Ubuntu Developer’s Allegations
Oliver Grawert, a Canonical-employed Ubuntu developer, started the verbal warfare with this message on the Ubuntu developers mailing list. In it, he stated that security updates “are explicitly hacked out of Linux Mint for Xorg, the kernel, Firefox, the bootloader and various other packages”.
He provided a link to the Mint Update rules file, stating that it “is a list of packages [Mint] will never update.” This is incorrect — the file does something more complicated than that, but we’ll go into that later. He went on: “i would say forcefully keeping a vulnerable kernel browser or xorg in place instead of allowing the provided security updates to be installer [sic] makes it a vulnerable system… I personally wouldn’t do online banking with it ;)”.
Some of these allegations are completely untrue. It’s true that Linux Mint blocks updates for packages such as the X.org graphical server, Linux kernel, and bootloader by default. However, these updates are not “hacked out of Linux Mint,” as we’ll show later. Linux Mint also does not block updates to Firefox. Updates to the Firefox web browser are important for real-world security and are allowed by default, so this Ubuntu developer’s allegations are off-point. However, there’s still a real argument here — Linux Mint does block certain types of security updates by default.
Linux Mint’s Response
Linux Mint founder and lead developer Clement Lefebvre responded to these accusations with a blog post. In it, he points out that the Ubuntu developer was incorrect about the allegations we explained above. He also clarifies Linux Mint’s reason for excluding updates for certain packages by default:
“We explained in 2007 what the shortcomings were with the way Ubuntu recommends their users to blindly apply all available updates. We explained the problems associated with regressions and we implemented a solution we’re very happy with.”
Firefox is automatically updated by Linux Mint, just as is by Ubuntu. In fact, both distributions use the same package that comes from the same repository.
Linux Mint’s primary argument is that “blindly” updating packages like the X.org graphical server, bootloader, and Linux kernel can cause problems. Updates to these low-level packages can introduce bugs on some types of hardware, while the security problems they solve aren’t actually a problem for people who use Linux Mint casually at home. For example, many security flaws in the Linux kernel are “local privilege escalation” vulnerabilities. They might allow users with limited access to the computer to become the root user and gain complete access, but they can’t easily be exploited from a web browser like a typical security problem in Java could.
Is This Actually a Problem?
Both sides have good arguments. On the one hand, it’s absolutely true that Linux Mint is disabling security updates for certain packages by default. This leaves a Mint system with more known security vulnerabilities, which could theoretically be exploited.
On the other hand, it’s true that these security vulnerabilities aren’t actively exploited. Linux Mint does update software that’s under actual attack, like web browsers. It’s also true that updates to X.org have caused problems in the past. In 2006, an Ubuntu update broke the X server of many Ubuntu users that installed it, forcing them into the Linux terminal. Affected users had to repair their systems from the terminal. Linux Mint’s policy on updates was spelled out just a year later in 2007, so it’s likely this episode affected Linux Mint’s current stance.
If you’re a home desktop user, you probably won’t be compromised because of a flaw in the Linux kernel. Of course, if you run a server that’s exposed to the Internet or operate a business workstation you want to restrict access to, you should ensure all possible security updates are installed.
Controlling Security Updates in Linux Mint
Any Linux Mint user who’d rather have all the security updates Ubuntu users get can enable them from within Mint’s Update Manager. These updates aren’t “hacked out,” but are just disabled by default.
To control this setting, open the Update Manager application from your desktop environment’s menu. Click the Edit menu and select Preferences. You’ll then be able to choose the “levels” of packages you want to install. “Levels” are defined in the Mint update rules file we mentioned earlier. Levels 1-3 are enabled by default, while levels 4-5 are disabled by default. Firefox is a level 2 package, which is updated by default. X.org and the Linux kernel are levels 4 and 5, respectively, so they aren’t updated by default.
Enable levels 4 and 5 and you’ll get the same updates you would in Ubuntu — coming from Ubuntu’s own update repositories — but you’ll be more at risk of “regressions” that introduce problems.
The real disagreement here is a philosophical one. Ubuntu errs on the side of updating everything by default, eliminating all possible security vulnerabilities — even ones that are unlikely to be exploited on home user systems. Linux Mint errs on the side of excluding updates that could potentially cause problems.
Which solution you prefer will come down to what you’re using your computer for and how comfortable you are with the risks.