On February 20th, a hacker working under the handle “Peace” took control of the website of Linux Mint, a popular Linux distribution derived from Ubuntu (and Debian) targeted toward non-technical users and power users unhappy with modern desktop environments like GNOME 3, KDE Plasma 5, and Unity 7. The hacker replaced the download link for Linux Mint with one which contained a backdoor called Tsunami, an attack which put “several hundred” systems with a fresh installation of Linux Mint in the hacker’s control, according to an interview with ZDNet’s Zack Whittaker.
The same hacker gained control of the Linux Mint user forum and copied the entire database twice; the copies are now for sale on a dark web marketplace for 0.197 bitcoin ($85) per download. The user forum, which was powered by phpBB, used PHPass to hash passwords, and those hashes are possible to crack. At the time of this writing, the forum remains down, while the main Linux Mint website was reinstated and compromised again shortly thereafter.
While these attacks are regrettable, and part of an infrastructure problem rather than a problem with the distribution itself, it increasingly appears that the Linux Mint team, led by project leader Clement Lefebvre, is spread too thin when it comes to security.
The problem with security in Linux Mint
The architectural design of Linux Mint inherits a great deal from its upstream sources Debian and Ubuntu (which is itself based upon Debian). Unfortunately, it lacks any sort of security advisories–Linux Mint evangelists insist that referring to the Ubuntu or Debian advisories is sufficient. Not every package in Linux Mint is available in Ubuntu or Debian, and this argument is further complicated by the fact that updates that work perfectly in Ubuntu or Debian are blacklisted by the Linux Mint team due to compatibility issues.
Linux Mint has the somewhat peculiar design decision of not updating the kernel using the graphical update manager. Users must run apt-get dist-upgrade in a terminal in order to receive updates, when users of Ubuntu receive the same kernel updates automatically. This leaves users vulnerable to potential root exploits and hardware issues. Additionally, there is an issue with shifting release cadences–with version 17, the underlying base moved from standard releases to Long-Term Support (LTS) releases of Ubuntu. Consequently, the packages incorporated are older, on average, than in previous releases, and if blacklisted are both old and insecure.
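One way to see the gap described above on a given machine, as an added example that is not from the article or the Linux Mint project: the function below parses the output of a simulated `apt-get -s dist-upgrade` and lists pending packages whose candidate version comes from a `-security` archive, tagging kernel packages. The sample plan, with its package names and versions, is constructed; on a real system, pipe `apt-get -s dist-upgrade` into `pending_security` instead.

```shell
#!/bin/sh
# pending_security: read `apt-get -s dist-upgrade` output on stdin and print
# "<KERNEL|other> <package> <candidate-version>" for every package that would
# be installed from an archive whose name ends in "-security".
pending_security() {
    awk '
        $1 == "Inst" {
            ver = ""; sec = 0
            for (i = 3; i <= NF; i++) {
                # The candidate version is the token that opens the parenthesis;
                # an optional "[installed-version]" token may precede it.
                if (ver == "" && substr($i, 1, 1) == "(") { ver = substr($i, 2); continue }
                # Origin tokens follow, e.g. "Ubuntu:14.04/trusty-security,"
                if (ver != "" && $i ~ /-security[,)]?$/) sec = 1
            }
            if (!sec) next
            tag = ($2 ~ /^linux-(image|headers|modules|generic|signed)/) ? "KERNEL" : "other"
            printf "%s %s %s\n", tag, $2, ver
        }'
}

# Constructed sample of a simulated upgrade plan (not captured from a real host).
sample_plan() {
    cat <<'EOF'
Inst linux-image-9.9.0-2-generic (9.9.0-2.2 Ubuntu:14.04/trusty-security [amd64])
Inst linux-generic [9.9.0.1.1] (9.9.0.2.2 Ubuntu:14.04/trusty-security [amd64])
Inst libexample1 [1.0-1] (1.0-1ubuntu0.1 Ubuntu:14.04/trusty-security, Ubuntu:14.04/trusty-updates [amd64])
Inst example-tool [1.0] (1.1 Example:1.0/stable [all])
Conf linux-image-9.9.0-2-generic (9.9.0-2.2 Ubuntu:14.04/trusty-security [amd64])
EOF
}

# Demonstration on the constructed sample.
sample_plan | pending_security
```

Any `KERNEL` line in the output is a kernel security update that has not yet been installed on that system.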
What exactly constitutes a ‘Linux distribution?’
Linux Mint, when considered as the sum of its parts, is the Cinnamon desktop environment (DE), mintTools (software installer, update manager, backup tool, welcome screen, etc.) and GNOME extensions built on top of an LTS version of Ubuntu. The repositories contain packages compiled for Ubuntu, without modification or recompilation. As outlined above, security patches and updates that work perfectly in Debian and Ubuntu are blacklisted as needed to not break under Mint–the only differentiation Mint provides is Cinnamon, thereby breaking security so that it “just works.”
This is not a Linux distribution and this is completely backwards from the way things are supposed to work. The code produced and value added by the Linux Mint team is in Cinnamon, which is available as a default DE in properly designed distributions such as Debian, Fedora, and openSUSE–all of which have security advisories. Maintaining and securing it is not a trivial task, and it requires more infrastructure and resources than the Linux Mint team possesses. Creating a pseudo-fork of an existing distribution to showcase a DE, while blacklisting updates–some of which are security updates–because they interfere with the DE is staggeringly irresponsible and tantamount to security malpractice.
The troubling trend of desktop showcase distributions
This is not an isolated issue. Elementary OS is a similar Ubuntu fork that exists as a showcase of the Pantheon desktop environment. Either from being more focused as a single distribution (Linux Mint has spins for MATE, KDE, and Xfce, as well as an alternate distribution based directly on Debian, rather than Ubuntu), better packaging policies, or a smaller user base, it has fewer structural issues than Linux Mint. However, it still lacks a dedicated security advisory system.
The Solus Project exists as a minimalist, desktop-only OS to showcase the Budgie desktop, though this does not rely on any other distribution as an upstream source. It has a unique packaging system for apps, and has a much smaller repository of apps available presently. It has a better claim than Linux Mint and Elementary OS do for justifying the creation of an entire, separate OS, though it lacks a dedicated security advisory system–hopefully, that will grow with the project as it matures. Budgie is officially available from the project developers for Fedora and openSUSE users, and a community-supported AUR for Arch users is also available.
A troubling conclusion
Linux distributions as pet projects or showcases of a particular technology should not be advertised as stable, secure, production-ready operating systems. The multitude of Linux distributions that are functionally technical demonstrations, are advertised as stable, and exist as hobbyist projects makes the entire ecosystem look unprofessional. The attack against Mint is troubling due to the impression that it is the most popular Linux distribution based on websites that track clicks like Distrowatch.
The problem with this scenario is that the fault lies with practically everyone. The impetus for the creation of Cinnamon, and the rise of Mint’s popularity, is due to the poor reception of early versions of GNOME 3, KDE 5, and Ubuntu Unity. Generally speaking, these were pushed to end-users well before they were ready for primetime, thereby driving users away. For a time, Linux Mint “just worked” in a way that other distributions struggled to do. Fortunately, reforms such as Fedora.next, and the maturation of the new generation of DEs have largely brought stability and sanity back to the desktop.
What’s your view?
Did you move to Linux Mint following the introduction of the new generation of desktop environments? How important is security in your distribution selection? Share your thoughts in the comments.