Regardless of what you may have read elsewhere, the Linux Mint team takes security very seriously and wants you to keep your system up-to-date.
Swapnil Bhartiya gets it wrong.
Let me start by pointing out that Bhartiya is not only a capable open source writer, he’s also a friend. Another also: he knows better. That’s why the article he just wrote for CIO completely confounds me. Methinks he jumped the gun and didn’t think it through before he hit the keyboard.
The article ran with the headline Linux Mint, please stop discouraging users from upgrading. In it, he jumps on Mint’s lead developer Clement Lefebvre’s warning against unnecessary upgrades to Linux Mint.
The sage advice Lefebvre offers, and which prompts Bhartiya’s tirade is: “If it ain’t broke, don’t fix it.”
“You might want to upgrade to 18.1 because some bug that annoys you is fixed or because you want to get some of the new features. In any case, you should know why you’re upgrading. As excited as we are about 18.1, upgrading blindly for the sake of running the latest version does not make much sense, especially if you’re already happy and everything is working perfectly.”
Let me paraphrase what Lefebvre is saying: As long as you’re using a supported version of Mint, careful consideration should be made before upgrading to the latest and greatest — especially if you’re a new user who might be apt to lose data in the process.
This is good advice, and most of us who don’t have the disease of insisting on having the latest-and-greatest of everything, usually follow it — whether we’ve read Mr. Lefebvre’s personal advice on the subject or not.
Example: Until I swapped out an aging desktop here at FOSS Force a few weeks back, we had been running Mint 17.0. “Qiana” Xfce edition, which was the latest and greatest when we put the desktop in service. Since then, there have been three new Mint Xfce releases, but we haven’t bothered to upgrade to newer versions. Why? With Qiana fully supported until 2019, there was no reason to bother.
The keyword expression here is “fully supported,” which is where my friend Bhartiya made a complete left turn and goes into his tirade about the need to keep a system patched for security vulnerabilities, while wrongly shaming the Mint team for suggesting otherwise.
“A few days ago there was a bug in Ubuntu apport that allows anyone to hijack Ubuntu based systems, including Linux Mint. There was another 0-day bug in Ubuntu and Fedora that compromised a system. Every month we come across new vulnerabilities in Linux that are patched by the kernel community or the upstream projects immediately. However, I have never seen any vulnerability reports on the Linux Mint site.
“I am not sure if Linux Mint users really keep an eye on such bug reports. You can’t really keep up with them unless it’s a focus area for you.
“Security is not an ‘If it ain’t broke, don’t fix it’ problem.”
Nope. It’s not. And that’s absolutely not what Lefebvre meant when he suggested, again, that you might want to think twice before upgrading to a new version of the distro when the one you’re using is already supported.
Obviously, Bhartiya is confusing “upgrading” with “updating.”
Linux Mint takes updating your system, both for the latest security patches and bug fixes as well as to keep your system up-to-date with the latest versions of your software, very seriously. So seriously, in fact, that the Update Manager is constantly on display, alongside information about the Internet connection and time-and-date.
The update manager icon switches from being grayed-out to blue when updates are available. On the new-to-us machine I’m using to write this article, running Mint 18.0, the Update Manager is currently indicating updates are available. If I pause the cursor over the icon, it notifies me that “5 recommended updates available,” as well as indicating the download size for the updates at 8MB. Clicking on the icon brings up the manager, with a list of uninstalled updates. All that’s necessary from here is to click “Install Updates,” supply a user password when prompted, and the system does the rest.
By design, Linux Mint does not update automatically, and that’s how it should be — most Linux users don’t want anything automatically installed on their computers. And indeed, new users should be instructed on the importance of keeping their system up-to-date and taught to take a gander at the Update Manager icon at least once a day or so to see if anything needs installing.
But to suggest that the Mint crew is putting its users at risk merely by suggesting they might want to think twice before installing the distro’s latest and greatest when the version they’re using is fully supported is very unfair — and misinterprets the point being made.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
“Obviously, Bhartiya is confusing “upgrading” with “updating.””
Having read and enjoyed his columns many times since I switched to Mint 17.3 from W7 one year ago, I came to the same conclusion as quoted above. Updating software packages and upgrading your OS are not the same thing.
I thought the same thing when I read his article. Hopefully he’ll acknowledge his misunderstanding of Clem’s comment.
I agree with Christine and the other two posters. I was surprised at Swapnil Bhartiya’s article. I have read a number of his articles, and he usually brings something insightful to the table. I’m not a Mint user; I wonder if he is unhappy with Mint’s updating procedure.
Agree with Bhartiya – Mint tries to be such a Nanny distro it makes it difficult to change anything (“You might BREAK it!”), and I guess thaty extends to security patches that don’t fit their grading scheme.
Stopped using it years ago.
I too was surprised by that CIO article. It seemed poorly thought out.
Thanks for redressing the balance with this article, Christine.
There’s a small group that make it their mission to denigrate Mint, and they’re not too bothered whether the claims are based in fact or not. Having read and enjoyed many of Swapnil’s previous pieces, I know he does not fall into this camp, however I find this a puzzling u-turn after his glowing review of Mint 17.2 and a perplexing misunderstanding for someone I previously judged to be so well informed.
Mint isn’t perfect. *Newsflash* no distro is, however the team does take security very seriously.
Yes, Mint takes about ‘security vs stability’ seriously. The recommended ‘optimize stability and security’ choice of updates gives you rock solid stability for almost all the different hardware configurations of PCs out there in the wild. Otherwise, simple blind updates, as ‘Ubuntu’ does, often break ‘network connectivity’ and lead to ‘kernel panic’s on some configurations. I’ve experienced this myself personally and that’s why Mint’s update method is better. Also, Bhartiya has clearly misunderstood this concept and seems to have written that post in haste. I wish he clarified it himself though another post and kept his dignity.
Yes and No. What Linux Mint does is, e.g. marking linux kernel updates (not upgrades) as level 5 (aka may break you system). Yes they say you should inform yourself before applying the update. For some kernel versions offered the update manager is unable to procure the changelog. I do inform myself on such kernel updates and ALL the time it affects minor hardware compatibility bug fixes or medium level SECURITY fixes.
So the point is, Mint “discourages” you to up*grade* a supported distro version and that’s almost allright. But within the supported distro version it also shy’s you away from applying regular security fixes. Ans that’s not alright. I have updated the kernel in 17.3 many times, nothing broke. Even if that would one day be the case, the old kernel is kept and stays availabel in GRUB. Ther is NO reason to mark kernel updates level 4 or 5.
The other point is, newer versions of software most of the time contains new features (and new bugs) bit most of the time also security fixes and not all of the time these security fixes are backproted. I admit that Mint has a vary good record on the most prominent packages that progress in that way, e.g. Firefox and Thunderbird and Flash-Plugin. But, for example, not Cinnamon.
So with Mint I find it is so and so. I do apply level 4 and 5 updates and only very rarely have to deny a change of an associated .config file. And the kernel should never be level 5 given the fallback option of keeping the previous kernel.
IMHO none of the two articles, the one at CIO and the one here, really gets it right.
I agree with both sides of this argument…
Unfortunately especially with proprietary drivers installed kernel updates can be painful. However even though updates can break stuff the team needs to make sure users are applying security patches. Marking updates as risky is okay as long as the team makes sure users are applying security patches. There should be an automated way to update and restore. Maybe a tool to backup your OS with Tar on a USB stick or a restore partition and something to provide a restore method using the install image would be good.
I don’t know about the tools in Mint 18 but the old tools did hide risky updates rather than inform and provide risk management options.
Wow! Reading these comments and the article make me wonder why he didn’t bother to confirm with the Mint team of what he understood was correct before posting the article.
Maybe the need to put out an article is more pressing than fact-checking.
I was just hoping someone will write a response, and you did.
Thank you Christine Hall.
There are plenty of bugs fixed that are not marked as security bugs (because there was no specific exploit or vulnerability for them) but that may well have unreported flaws. these will never be backported.
if you want a secure system you should upgrade && update.
As a long time Linux user, I have found Linux Mint to be the epitome of a “User Friendly” Linux distro. I have seen people denigrate or try to lessen it because of one issue or another. But why is it no one speaks this way of Windows? Are we forgetting the entire Windows 10 debacle where it not only installed it WHETHER you WANTED IT TO or NOT, but sometimes it COMPLETELY HOSED YOUR SYSTEM! Why is it Microsoft who has BILLIONS of dollars to spend in testing and research gets a free pass and Clement Lefebvre who has NO WHERE NEAR THE AMOUNT OF MONEY MICROSOFT HAS is penalized? Listen if you want Updates to install all by themselves and don’t want to monitor or keep an eye on your systems? Use Windows. If you want to b an “active” computer user and want to have a strong grip over WHAT gets installed on your system (and WHEN it gets installed!) then use Linux. If you’re going to use Linux? shut up, stop your belly-aching and use it, if something breaks there is NO WAY you can blame the developers and maintainers, since YOU have to authorize the installation of ANYTHING on your system. Stop waiting for Clement Lefebvre to fix the update that crashed your PC, YOU’RE the Administrator for your device, and if you’re not going to be willing to do the homework and read up on what an update may or may not break then you deserve what you get.
On another note? I’ve been using openSuSE 13. since it was released an haven’t seen the need to upgrade the OS. I eventually might, but for now? it works, I get ClamAV updates regularly and I run a hardened Firewall, so I’m not to worried. I also have Fedora 24 and Ubuntu 15.04 running with no problem.
@Eddie G: I’m not sure what you mean when you say nobody complains about Windows. People have been complaining about Windows for decades.
A Google search for *windows 10 installing without permission* returns 943,000 results. How do you possibly translate that to “nobody is talking about this”?
Beyond that, your insistence that if there’s something wrong with a piece of software it’s the user’s fault and not the developer’s or the packager’s is downright silly. There’s a reasonable point buried in there somewhere — yes, MS has way more resources than Mint does, a fact which people don’t generally point out because *it is so obvious that it doesn’t need to be pointed out* — but there’s a difference between saying “You should cut a small team some slack when things don’t always work right” and saying “If your software doesn’t work, you should shut up and fix it yourself.”
@chee
> “There are plenty of bugs fixed that are not marked as security bugs (because there was no specific exploit or vulnerability for them) but that may well have unreported flaws. these will never be backported.”
This is true, but its really just a side effect of developer laziness and general incompetence when it comes to security matters.
> “if you want a secure system you should upgrade && update.”
Not really. You’re just inheriting a brand new set of security flaws which will also likely go unreported until a specific exploit is found.
Keeping up with security updates, but otherwise keeping your software at a point that works for you: Good.
Never updating: Bad.
Blindly installing ‘the latest and greatest’: Just as bad.
@Eddie G >> Listen if you want Updates to install all by themselves and don’t want to monitor or keep an eye on your systems? Use Windows.
It’s exceptionally simple to set up auto update on Linux, if you don’t want to take responsibility for updates, you don’t need to use Windows