Answering controversy: Stability vs Security is something you configure
by clem

I hear a Canonical dev was more opinionated than knowledgeable and the press blew what he said out of proportion. I wouldn’t mind too much, if we weren’t finding ourselves answering questions from panicked users rather than working on what matters right now (i.e. Mint 16 RC).

So I’ll be brief.

About package updates:

  • We explained in 2007 what the shortcomings were with the way Ubuntu recommends their users to blindly apply all available updates. We explained the problems associated with regressions and we implemented a solution we’re very happy with.
  • Anybody running Mint can launch Update Manager -> Edit -> Preferences and enable level 4 and 5 updates, thus making their Linux Mint as “Secure” and “Unstable” as Ubuntu.

About Firefox updates:

  • Linux Mint uses the same Firefox package as Ubuntu from the same repository. Firefox is a level 2 update so every Mint user receives it by default.
  • LMDE, which is not based on Ubuntu, uses its own Firefox package. We’ve been slow in updating it in the past in LMDE (and that’s probably what confused the Canonical developer) but we took action and automated that. Firefox 25 was released on the 29th of October and updated in LMDE on the 30th.

I personally talked to the legal dept. at Canonical (for other reasons, they’re telling us we need a license to use their binary packages) and it is clear they are confused about LMDE and Mint. They don’t know what repositories we’re using and they don’t know what we’re doing. We’re 2 years younger than them and they have no idea how many users we have (they use http://stats.wikimedia.org/archive/squid_reports/2013-10/SquidReportOperatingSystems.htm but don’t realize our user agent is “Ubuntu” since the days of Firefox 4 – Mint 9 if I remember correctly).

I don’t really mind what people at Canonical understand or do not understand about us. I understand why the press and media sell controversy. I just really don’t want to waste time with this.

From the feedback we’re getting so far, people love Mint 16 RC and we’ve got a superb release in our hands. It’s also full of bugs (https://github.com/linuxmint/Roadmap) and what we really want to do right now is not answer questions about how some guy who never ran Mint thinks it’s unsecure but get back to the code and fix as much as we can for Mint 16 to outperform Mint 15.

If you were unaware of this controversy and you’re sad to see negativity, I’d like to apologize. I had to cut this short and make a public statement because the easiest way for us to focus on what matters and ignore this controversy is by linking people to this statement and not waste time answering people one by one, on the forums, on the IRC, and all over the Web.

38 thoughts on “Answering controversy: Stability vs Security is something you configure”

  1. Rüssel Nov 18, 2013 15:45

    Clem, thank you for commenting on this.

  2. Ondřej Kolín Nov 18, 2013 15:52

    Thanks Clem for responding, without deep knowledge of Mint & Ubuntu I was thinking it’s something connected to stability…

  3. Wando Nov 18, 2013 15:57

    Absolutely Right Clem.

    Don’t waste your time with Canonical.

  4. TomG Nov 18, 2013 15:57

    Clem, thanks for discussing this. My simple answer to people concerned about this is: Learn to use Synaptic instead of the Software Update Tool if you are that concerned about Mint’s policies.
    It bothers me that in the article at OMGUbuntu, no-one mentioned that the Software Update Tool is not the only place that you can obtain updates from.

  5. bimsebasse Nov 18, 2013 15:59

    The way things work now it’s already too late, Mint is henceforth known as less secure than Ubuntu all because of one misinformed comment blown out of proportion.

    • pst007x Nov 18, 2013 19:22

      I wouldn’t worry dude… I use Ubuntu Gnome… we’re all cousins… just a family quarrel that’ll blow over… Mint is solid and has a good reputation, that won’t change…

  6. James Nov 18, 2013 15:59

    Sweet and straight to the point, I respect you for giving an answer that makes sense and funny at the same time. I do enjoy the media how they’ll use anything to get sales etc. Wish you the best with your coding and good job on ignoring ubuntu and focusing on what’s more important to you guys I doubt you’ll read this as you’re too busy being a boss and getting the new mint sorted out but thanks for your time and have a good one!

  7. Michael Hall Nov 18, 2013 16:04

    I’d like to clarify that Benjamin Kerensa, who made the specific comments about Firefox, is not a Canonical employee, but rather a member of the Mozilla and Ubuntu communities.

    • clem Nov 18, 2013 16:13

      Thanks Michael,

      It was Oliver Grawert who made these comments about our updates and our Firefox package. There might have been other people involved, I’m not really sure, I guess it’s still ongoing. You’re right though, I didn’t check if “oli” was indeed a Canonical dev, I assumed that from what I read in the press.

      • Michael Hall Nov 18, 2013 16:23

        Oliver mentioned Firefox in a list of packages not getting Ubuntu’s updates, but it was Benjamin who said it took months to get Firefox patches into Mint.

        It’s also worth noting that all of this was originally in a discussion of an Ubuntu MATE flavor and how it might differ from Mint, it was not initiated as a critique of Mint itself.

        • sanjit Nov 18, 2013 16:34

          You are arguing semantics. Here is what Oliver said:

          https://github.com/linuxmint/mintupdate/blob/master/usr/lib/linuxmint/mintUpdate/rules
          this is the list of packages it will never update, instead of just
          integrating changes properly with the packages in the ubuntu archive
          they instead suppress doing (security) updates at all for them.

          i would say forcefully keeping a vulnerable kernel browser or xorg in
          place instead of allowing the provided security updates to be installed
          makes it a vulnerable system, yes

          i personally wouldn’t do online banking with it ;)

          and

          It might for example allow security updates (which are explicitly hacked out of Linux Mint for Xorg, the kernel, Firefox, the bootloader and various other packages) so that you don’t have to go online with a vulnerable system ;)

        • clem Nov 18, 2013 16:58

          This isn’t something orchestrated by Canonical against Mint like I’ve seen some people say in the comments. I fully agree and I’m not angry at anyone in particular. This is about a few people who had no clue what they were talking about and whose job titles (one of them being a Canonical dev) got them to make the front page of the magazines. I don’t really care about it and if it wasn’t all over the news I would have never replied to it. My main problem is that while this settles down we can’t work. We need an official statement we can link to to reassure people that what they said was wrong, that the fact that one/some of them are Canonical devs doesn’t mean they understand anything about the topic at hand. This is making the news primarily because somebody at “Canonical” thinks Mint is “unsecure”. It’s not even about what was said, it’s about what’s being sold to readers as the next big controversy. Mint has a great policy on updates, one that reviewed the Ubuntu policy, disagreed with it, improved on it and allowed people to change it via configuration.

          Regarding MATE, it’s the second most popular desktop out there and the successor to the once very dominant GNOME desktop. It’s getting into Debian so that’s really good news to all Debian and Ubuntu users. In an ideal world, that would have made the news.

      • kneekoo Nov 18, 2013 16:33

        https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2013-November/014770.html
        > Oliver Grawert: ogra at ubuntu.com

        http://ograblog.wordpress.com/
        > On behalf of the Ubuntu Engineering team
        > Sincerely yours, Oliver Grawert

        https://plus.google.com/+OliverGrawert
        > Works at Canonical

        You assumed correctly.

      • Benjamin Kerensa Nov 18, 2013 18:28

        Hi Clem,

        “LMDE, which is not based on Ubuntu, uses its own Firefox package. We’ve been slow in updating it in the past in LMDE (and that’s probably what confused the Canonical developer) but we took action and automated that. Firefox 25 was released on the 29th of October and updated in LMDE on the 30th.”

        LMDE is still Linux Mint is it not? It may not be the Ubuntu based spin but it still uses the Linux Mint name and is a Linux Mint official flavor. So my suggestion that Linux Mint ships an outdated version of Firefox which at the time (about six months ago maybe) had multiple CVE’s and was being shipped to LMDE users.

        I don’t think users distinguish LMDE as not being Linux Mint.

        • clem Nov 18, 2013 19:00

          Be careful with your logic here. Oliver ranted on the ubuntu developer list did he not? (it’s mostly him who’s relevant here, not you, he sold the story with his job title). I don’t think users distinguish between the voice of a lone Canonical dev and Canonical itself. You can see I do. I like to be precise. You should try that too.

          Let me explain to you what happened here. You guys went on a rant on the ubuntu devel mailing list. It got blown out of proportion by news websites jumping on the controversy and we lost a full day of work. Well done.

  8. Rüssel Nov 18, 2013 16:04

    Although I do understand what you think of the Ubuntu dev and the media, I don’t think it’s a waste of time to comment on this. It is important for people, so that they don’t get scared away from Mint.

  9. srkelley Nov 18, 2013 16:12

    Thanks for commenting Clem. You and your team’s constant transparency and openness is valued. You don’t let things stew and you don’t ignore anything important (even if it was tempting to just ignore the guy this time, you didn’t which is what matters the most). Thank you.

  10. Lilian Nov 18, 2013 16:14

    The sad thing is that the uninformed comments will spread to a wider public while this will be picked up by a considerably lower amount of people. And you will hear for a pretty long time people saying that it’s less secure, even from those that don’t know what’s Linux Mint just because someone from Canonical said it.

    Well, those that love Mint will still use it, most probably.

  11. Michael Tunnell Nov 18, 2013 16:20

    I totally agree with Clem on this…in fact the Linux Mint Updater is one of the selling points for Linux Mint…it makes me feel at ease that I can control exactly what level is being installed on my Mom’s, Neighbor’s, Friend’s, etc computers when they do the updates themselves. I know that they won’t be installing something that will massively crash their computer forcing me to rush to their house to fix it so they can get work done.

    Linux Mint Updater allows me to make the updates very easy for them and then I can set it up to offer the more “unstable” updates when I am there to make sure nothing goes wrong or to fix it if it does.

  12. kneekoo Nov 18, 2013 16:21

    Thanks for the info.

    Cheers! :)

  13. sam Nov 18, 2013 16:34

    Maybe it is time to re-evaluate whether security updates should be held back by default. Ubuntu have made steps to avoid regressions such as Phased Updates.

    Was the xorg update breaking intel graphic back in 2006 the reason for Mint to delay updates? http://www.oreillynet.com/onlamp/blog/2006/08/ubuntu_xorgcore_update_breaks.html Has anything like that happened again?

    • clem Nov 18, 2013 17:08

      I’d be happy to have that discussion and look at the pros and cons post Mint16 release. It’s not a reaction to a particular incident though, it’s a difference in policy. We actually built the tools that would allow us not to make it trivial for people to apply changes blindly. There’s pros and cons to it, and that’s why it’s configurable.

  14. coffee412 Nov 18, 2013 16:35

    Perhaps maybe Ubuntu is feeling the competition from Mint :) . How does it go? “First they ignore you, then they laugh at you, then they fight you, then you win.”

    Clem, I think you won already. You gave the people what they wanted instead of what Ubuntu forces down our throats.

    I have RC16 loaded in a VM and it runs great! Thanks again for all your hard work!

    coffee412

    • clem Nov 18, 2013 17:01

      As Michael Hall outlined and as I said early in my post, this isn’t orchestrated by Canonical, this is a facepalm situation from a Canonical dev which was blown out of proportion by a few Linux news websites.

      • TomG Nov 18, 2013 17:40

        Clem, I actually think that OMGUbuntu owes you an apology for that article. It was vague, alarmist FUD and totally failed to mention that the only place things are held back is in the Mint Software Update Tool. I know that people value convenience, but using your Mint SU Tool is completely optional – I’m used to using Synaptic and it works fine for me.

        • clem Nov 18, 2013 17:43

          They’re entitled to report on what they find interesting the way they see fit. You’re entitled to not have them in your RSS reader if they cover topics you don’t care about and pass on exciting news.

      • Alexi Nov 18, 2013 17:53

        Hey Clem,

        Nice work with the distro, I’m running RC mate and it works without an issue.
        Never had an error popup like on other distros, with nothing than the base system installed and this is on the release candidate.
        I’m really glad that you guys have decided to make a DE that doesn’t require the latest hardware to run.
        Maybe ‘devs’ should look in their own backyard and improve their product before talking about other developers’ choices.
        Regarding news sites, when you see ‘OMG’ in the title you can be sure it’s not biased.
        Happy coding on a distro that just works!!

  15. BruceB Nov 18, 2013 16:44

    All I need to feel secure is a little bit of mint. :-)

  16. Daniel4x Nov 18, 2013 17:01

    Thanks Clem for this detailed explanation, so that everyone should know.

  17. Ryo Nov 18, 2013 17:30

    Thanks for the statement.
    I know it’s distracting for any Dev to care about others’ FUD.
    But it was necessary to reveal this as a statement based on too few information and possible try to win back users that flee to Mint lately.

    Have fun and success for your great work.

  18. rhY Nov 18, 2013 17:32

    Mint > Ubuntu. Always has been, always will be.

  19. phantom Nov 18, 2013 17:34

    I am noticing a trend lately
    first the letter from Canonical’s legal department asking a site to go down in violation of copyright laws because they didn’t say nice things about Canonical
    (and since then blamed on a new hired person)

    now this?
    wonder what games they are going to do next?

    thanks for all the good work you do !
    I am not a mint ( mate) expert but keep 7 seniors’ computers up and running so they can talk to their families all over the USA.

    the ubuntu unity way was “just a bit too confusing” for them ( and me)
    so all are running mint 13 LTS and loving it and are able to do things they could not do with commercial operating systems ( begins with M)

    • clem Nov 18, 2013 17:39

      Keep in mind that this is not coming from Canonical. It was blown out of proportion by some websites because one/some devs involved were working at Canonical. You can argue things were similar in the copyright violation story… only here Oliver never spoke “in the name of” Canonical.

  20. Miftahgeek Nov 18, 2013 17:46

    Makes me wanna try Mint and clean my hand from Ubuntu.

  21. West Nov 18, 2013 18:25

    Joey is Canonical’s little puppy so of course they love controversy that makes Ubuntu look good.

  22. Orbmiser Nov 18, 2013 18:30

    Thanks for the explanations and nipping this in the bud.
    Have given my response anywhere I’m seeing this with.

    Clem’s responses:

    Doesn’t Knee jerk and lash back at Canonical seeing conspiracies.
    Explains how things are being distorted and reported falsely
    Stays Civil and thoughtful and doesn’t jump to conclusions.

    Enemy of the titillate & sensationalizing knee-jerk reporting on the Internet.

    And a non-participant in being one of the ingredients for Stir the Pot Media reporting.

    Class Act Clem! Keep up the great works.

  23. Rimas Kalpokas Nov 18, 2013 18:33

    Clem,

    I think that this may be not a problem of X.org or Linux kernel security patches per se, but rather difficulties in recognizing an upstream update to said packages as a security or functionality update.

    Security patches should not be considered destabilizing, on the other hand – security patches are to be deemed crucial.

    I would not recommend running Linux Mint without security updates to the kernel while I could do without functionality updates.


    Rimas

    • clem Nov 18, 2013 19:13

      Hi Rimas,

      Ubuntu is frozen so for the most part we’re talking about bug fixes and security updates. Things break and are fixed constantly. Regressions happen, not more in Ubuntu than anywhere else, but it’s up to the user to understand that and to configure things as he/she sees fit. A policy which says “Always keep everything up to date” without warning users is not something we want to follow, especially on core components such as the kernel or xorg where novice users can find themselves in situations they can’t solve.

      I’m happy you’re looking at the policy though and not the controversy. We can talk about this post Mint 16 release. I’d be delighted to engage in design discussions about this once all the hype has settled down.
