Linux Mint 18 improves security, but at a cost

Linux Mint 18 brings version 3.0 of the Cinnamon desktop, and major architectural changes intended to harden the security of the popular distribution, but some challenges remain.

Version 18 of the popular Ubuntu derivative Linux Mint was released in late June, bringing with it a much-needed emphasis on security, and a refocusing of organizational resources to deliver a more polished distribution. While Linux Mint 18 moves in a positive direction overall, the direction that founder and project leader Clement Lefebvre envisions is likely to raise some eyebrows.

Security and Linux Mint: a brief history

In February, the Linux Mint website was hacked. In addition to capturing the entire forum database, the hacker replaced the download link for Linux Mint with a compromised version that contained a backdoor. In response to the hack, the Linux Mint website was restored from a backup, which itself was compromised shortly thereafter. The website was subsequently taken offline to properly address the vulnerability.

SEE: Hacker explains how he put "backdoor" in hundreds of Linux Mint downloads (ZDNet)

This issue led to increased scrutiny of the Linux Mint distribution itself. The default update settings of Linux Mint would not update the Linux kernel or notify the user when security updates and bug fixes were published upstream (from Ubuntu, which Mint is directly based on, or Debian, which is the basis of Ubuntu). This default behavior left users vulnerable to root exploits, and potential hardware issues for which patches were issued alongside security fixes. Other upstream updates were also blacklisted from Linux Mint for conflicting with the design of the Cinnamon desktop.

Security improvements in Linux Mint 18

The update manager in Linux Mint provides the ability to update the kernel independently of other updates, and without needing to resort to using the command line. While this is a much-needed improvement, the explanation of this change on the Linux Mint website is baffling. The website claims that kernel updates "aren't really updates, but the availability of packages for newer kernels." Aside from the fact that this is literally the definition of an update, this appears to be an attempt at minimizing the importance of kernel updates. In Linux Mint 18, users are only notified of kernel updates, but they are not installed by default. Actually attempting to install a new kernel results in a verbose and frightening warning dissuading users from performing the upgrade.

Theoretically, fewer security updates will be held back in this version than before, as changes have been made to mitigate the need to hold back updates that conflict with the Cinnamon desktop environment. Part of this change relies on the introduction of X-Apps, which take the place of the previously-included default applications. While not holding back security updates is always a positive change, the means by which this goal is achieved is less than inspiring.

X-Apps: Forking the past to fix the future

Linux Mint's showcase Cinnamon desktop was introduced in 2011 as a reaction to the usability mess of GNOME Shell 3.0. Ubuntu also switched to Unity in 2011, which caused a similar uproar over usability issues. As a result of this, Linux Mint became the refuge of Linux users wanting to avoid what was effectively beta-quality software.

Since that time, Unity and GNOME have both improved, implementing changes based on user feedback. Cinnamon has continued development as a desktop environment aiming to preserve the functionality of the past, while introducing a visual style that still looks fresh—a task made more challenging by default GNOME desktop apps using GTK3, as the structure of Cinnamon created situations where Mint shipped packages that were years old, but were patched to conform to the visual style of Cinnamon. (Ubuntu has historically done the same thing, though the packages were moderately newer.)

The solution to this problem is X-Apps, which are forks of existing GNOME applications (or MATE applications, which are themselves forks of GNOME applications). In a blog post, Lefebvre states that the goal of X-Apps is "To provide generic, desktop-agnostic and distro-agnostic [applications with] the functionality users already enjoy" in GTK3. He also noted that the impetus for creating X-Apps was that "You can write 'GNOME apps' or 'Ubuntu apps' using specific techniques or following specific concepts which make them look awesome in their specific environments... as apps become desktop-specific or distro-specific they need to be replaced in environments they no longer properly support."

This rationale almost sounds reasonable, but is severely lacking in certain aspects. First, this is an obvious case of attempting to develop a standard to cover all use cases. Second, this plan will not scale well in maintenance or over time. Solus, a Linux distribution that also showcases its own custom desktop (Budgie), is able to produce a modern desktop covering many (though not all, in fairness) of the same goals using the latest version of GNOME desktop apps. This is a problem that only exists because of Cinnamon: KDE has Plasma and Qt apps, and GNOME has GNOME Shell and GTK apps. Presently, GTK apps look a little better on KDE systems, but a lot of work has recently taken place for Qt on GNOME.

Final thoughts and a comment on Linux Mint's raison d'être

In an article in February regarding the website hack, I contended that Mint exists in its current form to showcase the Cinnamon desktop. Cinnamon is as integral to Mint as Unity is to Ubuntu, but both distributions predate the desktop environments with which they are now primarily associated. Some users correctly commented that Mint originally was created for the purpose of bundling codecs out of the box, which other distributions refrain from doing due to patent issues. Starting with this release, Mint ISOs no longer contain codecs, leaving users to install codecs as on any other distro.

That being said, while Linux Mint 18 at least attempts to give the user informed consent about security decisions, packaging a desktop environment as a full distribution still seems inadvisable. Cinnamon is available as a download for Ubuntu, and as an official desktop spin for Fedora.

About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.
