While Linux Mint is derived from Ubuntu's package set, a Canonical developer has criticized the popular Ubuntu derivative for its handling of package upgrades, which he says can leave the system in a vulnerable state.
Ubuntu Linux developer Oliver Grawert had originally pointed out that security updates from Ubuntu don't necessarily reach Linux Mint users, since changes to X.Org, the kernel, Firefox, the boot loader, and other core components are blocked from being upgraded automatically. Linux Mint doesn't push updates for some Ubuntu packages automatically because it carries its own customizations of those packages.
The list of update rules can be found on GitHub, as pointed out by Oliver in a follow-up post. Grawert explained, "this is the list of packages it will never update, instead of just integrating changes properly with the packages in the Ubuntu archive they instead suppress doing (security) updates at all for them. I would say forcefully keeping a vulnerable kernel, browser or xorg in place instead of allowing the provided security updates to be installed makes it a vulnerable system, yes. I personally wouldn't do online banking with it ;)"
Another Ubuntu developer, Benjamin Kerensa, added, "It is unclear why Linux Mint disables all of their security updates although to some degree they have tried to justify their disabling of kernel updates by suggesting that such updates could make a system unstable and that normal users shouldn't get these kinds of updates. Anyways it is something that might be better researched on their forums since people have asked a few times over the past couple years, and they probably have a better idea than us. I can say that it took them many months to get a fixed version of Firefox packaged while Ubuntu and Debian had already had security fixes in their package. This puts Linux Mint users at risk and is one of the key reasons I never suggest Linux Mint to anyone as an alternative to Ubuntu."
Linux Mint's response:
I hear a Canonical dev was more opinionated than knowledgeable and the press blew what he said out of proportion. I wouldn’t mind too much, if we weren’t finding ourselves answering questions from panicked users rather than working on what matters right now (i.e. Mint 16 RC). So I’ll be brief.
About package updates:
- We explained in 2007 what the shortcomings were with the way Ubuntu recommends their users to blindly apply all available updates. We explained the problems associated with regressions and we implemented a solution we’re very happy with.
- Anybody running Mint can launch Update Manager -> Edit -> Preferences and enable level 4 and 5 updates, thus making their Linux Mint as “Secure” and “Unstable” as Ubuntu.
About Firefox updates:
- Linux Mint uses the same Firefox package as Ubuntu from the same repository. Firefox is a level 2 update so every Mint user receives it by default.
- LMDE, which is not based on Ubuntu, uses its own Firefox package. We’ve been slow in updating it in the past in LMDE (and that’s probably what confused the Canonical developer) but we took action and automated that. Firefox 25 was released on the 29th of October and updated in LMDE on the 30th.
I personally talked to the legal dept. at Canonical (for other reasons, they’re telling us we need a license to use their binary packages) and it is clear they are confused about LMDE and Mint. They don’t know what repositories we’re using and they don’t know what we’re doing. We’re 2 years younger than them and they have no idea how many users we have (they use http://stats.wikimed...tingSystems.htm but don’t realize our user agent is “Ubuntu” since the days of Firefox 4 – Mint 9 if I remember correctly).
I don’t really mind what people at Canonical understand or do not understand about us. I understand why the press and media sell controversy. I just really don’t want to waste time with this.
Although Canonical has made some very public mistakes recently (some very recently), I actually have to agree with the Canonical developer's criticisms on this one. I had no idea that Linux Mint imposed such a foolish security policy. Admittedly I have been critical of Linux Mint in the past for perceived technical debt, but this seems like an undeniable, blindingly simple blunder. Furthermore, the project's response does nothing to allay my concerns. Is there something I missed, or is Linux Mint really justified in its current security policy?