Is Linux Mint a crude hack of existing Debian-based distributions?

Is Linux Mint a “crude hack” of existing Debian-based distributions?

The news about the Linux Mint site getting hacked has caused many Linux users to question the quality of the distribution. One user on LWN.net took the Linux Mint developers to task for a number of things that he felt made the distribution a bad choice for desktop users.

Glaubitz posted his thoughts about Linux Mint:

Well, Linux Mint is generally very bad when it comes to security and quality.

First of all, they don’t issue any Security Advisories, so their users cannot — unlike users of most other mainstream distributions [1] — quickly lookup whether they are affected by a certain CVE.

Secondly, they are mixing their own binary packages with binary packages from Debian and Ubuntu without rebuilding the latter. This creates something that we in Debian call a “FrankenDebian” which results in system updates becoming unpredictable [2]. With the result, that the Mint developers simply decided to blacklist certain packages from upgrades by default thus putting their users at risk because important security updates may not be installed.

Thirdly, while they import packages from Ubuntu or Debian, they hi-jack package and binary names by re-using existing names. For example, they called their fork of gdm2 “mdm” which supposedly means “Mint Display Manager”. However, the problem is that there already is a package “mdm” in Debian which are “Utilities for single-host parallel shell scripting”. Thus, on Mint, the original “mdm” package cannot be installed.

Another example of such a hi-jack are their new “X apps” which are supposed to deliver common apps for all desktops which are available on Linux Mint. Their first app of this collection is an editor which they forked off the Mate editor “pluma”. And they called it “xedit”, ignoring the fact that there already is an “xedit” making the old “xedit” unusable by hi-jacking its namespace.

Add to that, that they do not care about copyright and license issues and just ship their ISOs with pre-installed Oracle Java and Adobe Flash packages and several multimedia codec packages which infringe patents and may therefore not be distributed freely at all in countries like the US.

To conclude, I do not think that the Mint developers deliver professional work. Their distribution is more a crude hack of existing Debian-based distributions. They make fundamental mistakes and put their users at risk, both in the sense of data security as well as licensing issues.

I would therefore highly discourage anyone using Linux Mint until Mint developers have changed their fundamental philosophy and resolved these issues.

More at LWN.net

Other LWN.net readers shared their thoughts about Linux Mint:

H2: “…thanks for noting many of the things bad and wrong with Mint. Your list is quite good. I’ve suffered directly from Mint deciding to make one of my tools the default in Mint, for a while, until the flood of Mint users who were in general totally incompetent forced me to drop all support for them, permanently. Mint is totally non supportable by any downstream source because of their ridiculously broken, by design, update/packaging decisions.

Clem had never once thought it necessary to talk to me about his decision, nor would he ever admit that his FrankenDebianBuntu ( unique creature in the world, managing to break fundamentally not just one, but TWO source distributions at once) is in fact totally unsupportable by any sane person.

Not to mention his monstrosity, LMDE, which is not at all Debian, at least it’s not since the primary dev of that left in disgust at the absurd garbage clem was forcing into lmde.”

Flussence: “The root cause of that issue is that they’ve built their distro atop one that doesn’t namespace packages sanely (or at all). Debian also has had the same dilemma internally with ack, chromium, dolphin, etc. but they choose to work around it by changing the name, sometimes the binary, of one of the two programs; the end result is that the one on the losing side of the deal ends up harder to find.

Everything else you’ve said is valid, but this one is squarely Debian’s fault.”

Job: “Thank you for that. At least it shows that I’m not the only one dumbfounded by the apparent insanity here.

It’s one thing that this is a hobbyist project, but when real people are actually put at risk because of your hobby, it is not unfair to demand at least some accountability.”

Beolach: “Linux Mint is *NOT* a desktop environment – it is a Linux Distribution. As part of their distribution they also created their own desktop environment, but the name of the DE is Cinnamon, not Linux Mint. And Cinnamon is IMO one of the good things Linux Mint has done – I strongly agree w/ their design goal of a traditional desktop UI. Fortunately, Cinnamon can be & is packaged in other distributions, including Debian.

But Linux Mint is a full Distribution, not just the Cinnamon DE, and as such has a *much* larger scope, and in that larger scope has made decisions that I strongly disagree with. In addition to glaubitz’s list, the issue that turned me off of Linux Mint is their very old kernel versions – 3.19 in their latest release. And it’s not even an older LTS kernel release; it’s a no-longer supported kernel. 3.18 would have been better (assuming they kept up w/ the LTS minor updates, of course).

There are how-to guides out there for upgrading Linux Mint to a more recent kernel, but they’re all just about grabbing an Ubuntu or Debian kernel. So it’s back to the Frankendebuntu situation, make-your-own monster this time.”

Johannbg: “All these distributions are fundamentally the same thing with their greatest collaborated achievement being collectively making upstream life miserable about the needless deviation they all do to distinguish themselves from each other. “

Leoluk: “The quality of Linux Mint (the distribution) is questionable. Their applications (Cinnamon and MATE) are, however, of very high quality. Both are packaged by many other distributions nowadays and work just as well as in Linux Mint itself.”

Welinder: “It would probably be more productive if you (Debian, …) asked yourself the question, given all the shortcomings you see, why is Linux Mint so popular? For me, the answer is that Linux Mint protects the users against what I will be nice and call misguided innovation on the desktop. The fads of the day.”

Glaubitz: “One of the main reasons for being popular is the fact that they do not care about licensing issues. They ship their ISO files with pre-installed Adobe Flash, Oracle Java packages as well as multimedia codecs (which people want) which violate intellectual copyrights and patents. Unless the maintainers of a distribution want to violate copyright laws intentionally and make themselves attractive targets for lawyers, there is nothing they can do to alleviate that. Debian and other aren’t not shipping those packages because they want to make life hard for their users, it’s because they cannot, legally speaking.

Canonical – as a company – was able to negotiate contracts with companies like Skype or Adobe, so they can offer the software packages of these companies in their third-party repositories, but it would still be illegal to ship software like libdvdcss2 in most countries. However, there are no companies behind distributions like Arch, Gentoo or Debian and they therefore cannot negotiate such contracts.

Again, the stance of the Mint developers – namely Clement Levebfre – is simply that they don’t care about such issues which is already very dubious in the first place, not even mentioning the security issues they have.”

Welinder: “I have yet to encounter a situation where a cve report has had Debian and Ubuntu responses, but no patch for Mint has shown up in my patch queue immediately or very soon thereafter. (I know about the “banned” packages and I have flipped the switch so I can see them and decide; I am not worried over local attacks, so grub can wait.)

Now, compare that non-situation to Debian’s years of dragging feet regarding fixing the package management’s trust in the network and its resultant vulnerability to man-in-the-middle attacks — including those unintentional ones known as captive portals — which would *disable* security updates entirely. (Debian 710229; Launchpad 1055614; and many others.)”

Glaubitz: “You may be aware of blacklisted package updates, but many users are not. I’m sorry, but making security updates *optional* is not up for discussion, on any operating system. Period.

And, as I have explained before, Linux Mint does not issue security advisories, so you – as a Linux Mint user – have no immediate and easy way to quickly verify whether your particular version of Linux Mint is affected by a certain CVE.

On Debian, I open up Google and type “Debian CVE-2015-7547″ and I am immediately presented with a website which shows me which versions of Debian are affected by the recent glibc vulnerability and which are not. You *cannot* do that on Linux Mint which therefore disqualifies itself for any professional use. End of discussion.”

More at LWN.net

Has Linux become too dumbed down?

Many people have expressed the desire for Linux to be as easy to use as possible, to help increase its share of the desktop market. But has it become too dumbed down in recent years? One writer at Datamation recently explored this question.

Matt Hartley reports for Datamation:

Over the years, I’ve heard some people claim that Linux is finally ready for the masses. I would suggest that outside of a completely locked down OS such as ChromeOS (which is Linux powered), no OS is genuinely ready for the masses. Instead, it has been my experience that the masses should stick to tablets and Chromebooks.

I can see how my view of most computer users would seem a bit harsh. But I’d also be the first to point out that using smartphones have made all of us “dumb” in the sense that our complacency is at an all time high. Comparatively speaking, the difference between smartphones and PCs in terms of root access is night and day.

On a computer, running Linux…root is a mere command away from any terminal. With iOS or Android, you must gain access to a deeper level of the phone in order to have this sort of power. It’s not nearly as simple and therein lays the comparative difference.

Most people believe their smartphones are completely safe from exploits and other malicious behavior because they have never experienced it on these devices. Mind you, I didn’t claim this was a valid point of view. Rather, this is simply a widespread interpretation of how safe smartphones are. These devices also present a minimal learning curve for most people, so there is little to no reason to learn anything new about them.

More at Datamation

Cyanogen’s “MOD” platform lets developers integrate their apps directly into Android

Companies like Google and Apple often have an advantage over third parties by being able to integrate their apps into their mobile operating systems. Now Cyanogen has launched its “MOD” platform that will give other companies the same access to Android as Google when it comes to app integration.

Chris O’Brien reports for VentureBeat:

…the Palo Alto-based company has announced a new version of its Android-based operating system called MOD that will give developers an ability — normally reserved for Google — to integrate their apps into a phone’s OS.

MOD is the latest salvo from a company that has raised $110 million in venture capital to develop a distinctly different version of Android — one that undercuts Google’s advantage in giving away the free operating system. While Google doesn’t directly make money from Android, many of its own apps (Gmail, Google Now, Search, etc.) are embedded in each version of the OS at a deep level.

…with the MOD platform, developers will be able to go one step further and build their apps directly into the Androids OS, rather than having them sit on top as separate program.

In the initial version, for example, Cyanogen has partnered with Microsoft so that Skype and Cortana can be built right into the phone. That means, in the case of Skype, that a user doesn’t have to tap on a Skype app button to launch the service. Instead, Skype is built into the phone’s main caller, so a call may happen through Skype or through the regular phone itself.

More at VentureBeat

Did you miss a roundup? Check the Eye On Open home page to get caught up with the latest news about open source and Linux.