Linux Mint users in hot water for being slow with security updates, running old versions
Linux Mint founder Clem Lefebvre has complained that too many users are slow to apply updates or run unsupported versions of the operating system.
Lefebvre used Firefox as an example. Mozilla’s browser is frequently updated and has fixes for security vulnerabilities described by the firm as critical, which it defined as “can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.” The latest such update is dated 5 February 2021 (though it is a Windows-only problem).
“If you’re not running the latest version, check which version of Firefox you’re using and count the number of critical (red) patches you’re missing,” he said.
Linux Mint does not collect telemetry data from users, but used Yahoo! users as a sample to inspect the user agent of Linux Mint traffic – information sent from the browser with every request. “We were able to observe that only 30 per cent of users updated their web browser in less than a week,” he said.
Lefebvre also noted that some users of Mint do not apply updates at all, and that “between 5 per cent and 30 per cent of users run Linux Mint 17 [which] reached end of life in April 2019. In other words, it stopped receiving security patches for almost two years now!”
The exact statistics are uncertain, but appear to have been based on users with the default browser start page and usage of the Mint APT (Advanced Package Installer) repositories. “It really doesn’t matter to us if the real number is 10 per cent or 15 per cent. It needs to be 0 per cent,” said Lefebvre. The team is so concerned about these users that they “decided to send an emergency update to upgrade your Firefox.”
The Linux Mint update manager includes system snapshots, intended to reassure users that there is a route back
Microsoft, Apple and Google have also wrestled with getting users to update. The solution with most editions of Windows 10, for example, is that updates are compulsory, though they can be deferred. Google’s Chrome OS automatically downloads updates and prompts the users to restart to update. Such approaches would not be possible in the free software community, but the necessity of updates for security remains.
In the case of Linux Mint, Lefebvre feels that features such as TimeShift, which snapshots the system so that rollback is possible in the case of a bad update, should give users reassurance that they are safe. It also has an update manager which can be set to make snapshots automatically.
Decade-old bug in Linux world’s sudo can be abused by any logged-in user to gain root privileges
Why are so many users not upgrading? There are several reasons, and it is not just a simplistic belief that Linux is somehow always secure. “It’s naive in itself to assume that all the users yet to upgrade to Linux Mint 20.x are doing so because they are novice or uninformed. There are a plethora of reasons, compatibility and stability being big ones. I haven’t done it because of serious issues with video drivers going on between releases 19.x and 20.x versions of Linux Mint,” said a user – though this at least is 19.x and not 17.x. Another user said they had an older machine and needed 32-bit Mint, which is not available in version 20.
“I’m gonna be radical (and maybe controversial) here, and say that Microsoft got this right,” said another user.
There are pros and cons, said Lefebvre, but updating automatically by default seems a reasonable option since those who dislike it can easily opt out. He promised to return to the topic in a future post and said that the team has “ideas to improve this.”
There is no perfect solution. The idea of leaving something alone if it works seems attractive, but in computing it is not safe – especially for internet-connected machines. Equally, automatic updates can break systems or simply make them perform worse over time; keep an Apple iPhone or iPad up to date, for example, and while it probably will not break anything, it does become more sluggish, as this owner of a 2013 iPad Air can confirm. ®
READ MORE HERE