by nycticorax 3705 days ago
Could you elaborate on this? I know many people have security concerns about Mint, but I've never found their arguments entirely convincing. The opinion of the Mint devs seems to be that there's a stability vs. security tradeoff, and that Ubuntu chose one point on the spectrum, while Mint chose another. And that for a typical desktop machine sitting behind a router without a lot of ports open (or behind a corporate firewall), the tradeoff Mint chose is a reasonable one. I've seen several attempts to explain why Mint should not be trusted, but they seem (to me) to eventually reduce to arguments that more security is always better, no matter the cost in stability or convenience.
Yeah, I know about that. Certainly, not a proud moment in Mint's history, but it got resolved quickly. But I'm not going to rule out Mint just because they got hacked once. kernel.org got hacked, after all.
They basically had no effort in their security, no idea how long they were compromised, and couldn't even respond effectively. I was a big fan of Mint usability who reluctantly had to ditch it.
None of these statements are correct.
These are the statements of the security people here that were going through the data. The level of severity and recovery time supported their claims a bit.
> They basically had no effort in their security,

This is clearly hyperbole. "no effort"? C'mon.

> no idea how long they were compromised, and couldn't even respond effectively.

The hacked .iso was up for less than 24 hrs, so that puts a hard limit on the worst part of the compromise. The forum issues they fixed in a couple of days. This seems like a reasonably effective response to me.

> I was a big fan of Mint usability who reluctantly had to ditch it.

Did you really have to ditch it? Or did you just decide to go with a distro that emphasizes security over convenience? (Which is, of course, a completely reasonable thing to do, but others may make other (also reasonable) choices.)

You are failing to read the "thorough discussion", the hack was just the tip of the iceberg.

Also, kernel.org was hacked because a rootkit gained access to their servers, not because they used a weak password like `upMint`, so you shouldn't compare both incidents.

No, I read all of the "thorough" discussion. I found it unconvincing.
stability /or/ security? because a box running code with bugs that may result in a thwarted control flow is the pinnacle of stability?

your firewall won't help against socket re-use; and most configs won't stop connect-backs since they allow unfiltered outbound access to quite a few destination ports
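The connect-back point above can be made concrete. The following is an added example, not code from the thread or from either distribution: it parses constructed `ss -tnp` lines (the process names, addresses and pids are made up), infers flow direction from the local port, and compares the home-router rule "block unsolicited inbound, allow everything outbound" with a host-level egress allow-list. The allow-list contents and the ephemeral-port heuristic are assumptions.

```python
"""Added example, not from the thread: model a router's "allow all outbound"
rule against a host-level egress allow-list, using constructed `ss -tnp`
lines (process names, addresses and pids are made up)."""
import re
from dataclasses import dataclass

# Constructed sample: two legitimate outbound flows, one inbound SSH session
# from the LAN, and a shell that has dialed *out* to 203.0.113.9:443.
SS_OUTPUT = """\
ESTAB 0 0 192.168.1.20:44712 93.184.216.34:443 users:(("firefox",pid=1880,fd=71))
ESTAB 0 0 192.168.1.20:39210 91.189.91.38:80 users:(("apt-get",pid=2931,fd=5))
ESTAB 0 0 192.168.1.20:22 192.168.1.10:55120 users:(("sshd",pid=3107,fd=4))
ESTAB 0 0 192.168.1.20:45566 203.0.113.9:443 users:(("bash",pid=4242,fd=3))
"""

# One `ss -tnp` row: State Recv-Q Send-Q Local:Port Peer:Port users:((...))
SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<laddr>[\d.]+):(?P<lport>\d+)\s+'
    r'(?P<raddr>[\d.]+):(?P<rport>\d+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

EPHEMERAL_START = 32768  # Linux default floor of net.ipv4.ip_local_port_range


@dataclass(frozen=True)
class Conn:
    proc: str
    pid: int
    laddr: str
    lport: int
    raddr: str
    rport: int

    @property
    def outbound(self) -> bool:
        # Heuristic (assumption): a local ephemeral port means this host
        # initiated the flow, i.e. it is egress from the firewall's view.
        return self.lport >= EPHEMERAL_START


def parse_ss(text: str) -> list:
    """Turn `ss -tnp` rows into Conn records; unparseable rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        conns.append(Conn(m["proc"], int(m["pid"]), m["laddr"], int(m["lport"]),
                          m["raddr"], int(m["rport"])))
    return conns


# Assumed egress allow-list: (process, destination port) pairs we expect.
EGRESS_ALLOW = {("firefox", 443), ("firefox", 80), ("apt-get", 80), ("apt-get", 443)}


def egress_violations(conns, allow=None):
    """Outbound flows a policy would reject.

    allow=None models the router default ("anything goes outbound"), so
    nothing is ever rejected; a set of (proc, port) pairs models a host
    egress allow-list, which is what actually catches a connect-back."""
    out = [c for c in conns if c.outbound]
    if allow is None:
        return []
    return [c for c in out if (c.proc, c.rport) not in allow]


if __name__ == "__main__":
    conns = parse_ss(SS_OUTPUT)
    print("router default blocks:", egress_violations(conns))
    for c in egress_violations(conns, EGRESS_ALLOW):
        print(f"flag: {c.proc}[{c.pid}] -> {c.raddr}:{c.rport}")
```

The router rule returns an empty list: the shell's connection to port 443 looks identical, at the perimeter, to the browser's. Only a policy that keys on which process is talking to which port flags it, which is the practical reason "behind a router" does not settle the question on its own.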

Certainly, lack of security can lead to lack of stability. But sometimes Ubuntu makes changes that can render your machine unbootable, in the name of security. And in some cases the Mint devs chose not to make those changes. There's nothing obviously wrong about this, it's just a different trade-off.

Your points about socket re-use and connect-backs may well be true, but they miss the larger point. How much security is enough? Your computer is less vulnerable if you air-gap it. Do you do this? Likely not, because that's inconvenient. The Mint devs sacrifice some (not much, it seems to me, but some) security for convenience. Maybe you don't like the tradeoffs they made. Fine. But saying some blanket statement like "Mint is insecure" is just silly. It's like saying "Connecting your computer to the Internet is insecure." Yeah, there's some truth to it, but it also ignores the fact that sometimes it makes sense to trade some security for convenience.