Linux Mint downloads (briefly) compromised

472 points by temp, over 9 years ago

30 comments

jnbiche, over 9 years ago
I've used Mint in the past, and it was my go-to distro for family members who aren't so technical.

I'm not bothered by the licensing issues mentioned, and I'm ambivalent about the namespace issues, but I've been increasingly uneasy for some time now about Mint's security practices. Serving downloads over http and not providing GPG signed SHA hashes like every other distro is fairly irresponsible in this day and age.

This recent security issue, and the poor response to it, are basically the straw that breaks the camel's back for me. I'm moving on to Ubuntu-Mate, since frankly Mate was the primary reason I was using Mint anyway. Serving downloads of the most popular Linux distro from the same machine as is running WordPress is cringeworthy, and failing to take the compromised machine totally offline until it's 100% sure the compromise has been mitigated (through reformatting, including boot sector) shows really poor judgment.

I'm a bit sad to be so critical, since I recognize that Clem has done a lot for the Linux world, and as a Mint user I've benefited personally from his work. But when you're distributing operating systems to so many users, you have to take security seriously. To do otherwise, even on a "hobby" project (although I'm fairly sure it's his full-time job now) is pretty irresponsible.

In many ways, I'd like to pitch in, but based on other interactions I've seen and read about, I'm not sure my input would be welcome, particularly wrt security issues.

Edit: I'm also playing around with FreeBSD for my development environment, since I can use Mate on there. To be honest, I don't really need a DE these days anyway, since I only use terminal and a web browser. I should look into just using a Windows Manager.

Edit 2: Apparently they *do* provide GPG signed hashes. I've been looking for them each time I've downloaded Mint distros, but never came upon them. So I stand corrected.

mschuster91, over 9 years ago
> Add to that, that they do not care about copyright and license issues and just ship their ISOs with pre-installed Oracle Java and Adobe Flash packages and several multimedia codec packages which infringe patents and may therefore not be distributed freely at all in countries like the US.

Seriously, with the rotten-ness of the US patent/copyright/political system, it's better for mankind to just say "ok, US users can't get this, but everyone else can".

E.g. many European banks do this for "US persons" - they simply cannot get accounts because the legal risks are just too high.

Edit: It's not just banks. E.g. BMW Group (and likely other huge non-US corps with US subsidiaries) refuse to allow US persons to look at financial statements, again due to regulatory hassle.

izacus, over 9 years ago
> Add to that, that they do not care about copyright and license issues and just ship their ISOs with pre-installed Oracle Java and Adobe Flash packages and several multimedia codec packages which infringe patents and may therefore not be distributed freely at all in countries like the US.

Hmm, that was actually one of the major selling points for Mint around me - it was the distro that "worked", with relevant software, codecs and drivers being preinstalled and not crippled due to strange laws on the other side of the ocean.

snarfy, over 9 years ago
I remember installing it when it was relatively new and people were gushing over it. A few weeks later a new version came out. I tried upgrading when I found there was no upgrade path. Upgrading Mint means reinstalling Mint.

I remember the days before apt-get when there was only dpkg. Before Debian I used Slackware so I'm all too familiar with package management (or lack of).

The idea that someone would release a new distribution, based on Debian of all things, and it *not* be able to upgrade was repelling to my mind. Re-install Mint to upgrade? No thanks I'll install Ubuntu over it.

Cinnamon is nice but I never understood why it needs its own distribution. I should be able to apt-get install cinnamon-desktop or whatever and it work like any other package.

mhw, over 9 years ago
Hmm; I'm puzzled by a contradiction between this and another recent article. From this article we learn that we shouldn't do this:

"Secondly, they are mixing their own binary packages with binary packages from Debian and Ubuntu without rebuilding the latter. This creates something that we in Debian call a "FrankenDebian" which results in system updates becoming unpredictable <https://wiki.debian.org/DontBreakDebian#Don.27t_make_a_FrankenDebian>. With the result, that the Mint developers simply decided to blacklist certain packages from upgrades by default thus putting their users at risk because important security updates may not be installed."

while from <https://news.ycombinator.com/item?id=11131081>:

"Nobody else requires that you rebuild every package before you can redistribute it in a modified distribution - such a restriction is a violation of freedom 2 of the Free Software Definition, and as a result the binary distributions of Ubuntu are not free software."

I appreciate that the latter one is discussing a hard requirement as a result of Canonical's IP licensing. But the former seems to indicate that it would be bad practice to just copy all of Ubuntu's (or Debian's) binary packages and build a new derivative distribution on top of it. Is the latter piece arguing in part for a freedom that would be a really bad idea in practice?

unixhero, over 9 years ago
I realize they have not taken security seriously in designing their delivery mechanisms. However I do not care. Linux Mint solves *all* my problems of configuration. It is configured so nicely and with Cinnamon it comes with so many useful bells and whistles, I'm not moving anywhere. It's great. Mint will be back after this blow and I am sure it will not happen again. I use it daily and I am super productive on it as my desktop. My family uses it also, on new and old computers, and it is perfect.

embik, over 9 years ago
> Secondly, they are mixing their own binary packages with binary packages from Debian and Ubuntu without rebuilding the latter. This creates something that we in Debian call a "FrankenDebian" which results in system updates becoming unpredictable

This is interesting because Debian itself encourages derivative projects to use their binary packages[1]:

> For those derivatives that re-use Debian binary packages, add some source packages and modify some source packages, where possible we encourage them to use standard Debian mirrors and add a second repository containing only the source and binary packages that have been added or modified.

Or maybe they don't encourage that behaviour but still give guidelines in case you want your derivative to work that way? I'm not 100% sure.

[1] https://wiki.debian.org/Derivatives/Guidelines

akerro, over 9 years ago
I had to quit using Mint because a lot of packages in their repo are really, really, old. Just to give example that made me install Manjaro on friend's PC is ownCloud client for file syncing. It's a few years old, contains a lot of security bugs and doesn't work with HTTPS. You need to add repo with opensuse in URL address. Mint developers were contacted by ownCloud developers to resolve the issue, a few years ago, and they ignored it.

kozukumi, over 9 years ago
Fucking bang on point. Mint has a nice out of the box experience but after using it for a while you begin to see all the shit they stuffed in the cracks. It is a shame as Cinnamon is a lovely DE, I wish there were an official Ubuntu build with Cinnamon as the default DE similar to Xubuntu with Xfce.

onlycommenting, over 9 years ago
There's something interesting to be said here. "They make {{ package }} unusable by hijacking its name space", well who gave them that name space? I understand the whole first come first serve and all but if we played that way things could get messy real fast.

There was recently an article on HN about the "Web of Hashes" and this article got me thinking about it. Why not give each application an UUID and let that be its name space? Give the user an option to still use- their example- xedit while having another xedit installed along side?

I can see how this could also get messy. Just spit balling here.

bitL, over 9 years ago
Mint's HiDPI is simply the best experience on Linux these days, not to mention it just works. But let's attack it because it doesn't conform to some autistic standards of ours. Way to go friendly Linux community! Let's make all distros unusable, super complex, require all people to wear their own personal TPMs and certificates so that they can feel finally *secure*. Let's blame Mint for not having DNA real-time sequencers for confirming package authenticity! Let's force my grandma to compile all her packages - she must be upgraded as well or she won't make it during singularity, right? /s

You are blaming Mint for things that are wrong in some context with Debian/Ubuntu or Linux or even unsolved in computing as such. And the small team of developers simply can't respond to every single issue within minutes as you wish, they have their plate full.

teekert, over 9 years ago
And yet, it just works, looks nice, is fast on old hardware, mounts everything out of the box, controls your audio from the volume icon and gets out of your way in general. 17.3 is one of the best out of box experiences imo.

XorNot, over 9 years ago
Never let a good security breach not be an opportunity to air a bunch of unrelated grievances, apparently.

VarunAgw, over 9 years ago
Every once in a while, I get difference error in /etc/issue*. I really hate all of these. I use Mint only because I like its GUI interface. I really cannot stand Ubuntu desktop for a moment.

bitL, over 9 years ago
As a super happy user of Linux Mint - guys, please keep doing what you are doing! Thank you so much for giving us a proper desktop Linux! You have my (financial) support! Don't get pressured by some random loud Internet criticism and change for worse! Please don't do Win7->Win8 or iOS6->iOS7 regression in Mint as well because of a few unhappy voices trying to acquire power over you!

AdmiralAsshat, over 9 years ago
So, functionally, is there any real difference between using Mint's ISO to install-from-scratch versus using your preferred distro of choice (Ubuntu/Fedora/FreeBSD, etc.) and installing the Cinnamon Mint desktop on top of it?

I've been playing with Mint for the past few weeks and experimenting with full-Mint-on-a-VM versus Ubuntu-with-Cinnamon-desktop, and I don't really notice much of a difference. After reading about all of Mint's problems this morning, I'm tempted to stick with Cinnamon exclusively as a DE unless someone offers a compelling reason to use the full distro.

BuckRogers, over 9 years ago
I see a lot of people asking for alternatives. I spent 12 months trying almost every distro I could get my hands on and have some recommendations for those interested.

This was my shortlist at the end of all my adventurism and testing.

1. Linux Mint
2. Ubuntu MATE
3. Antergos Cinnamon

Pretty short list but those are what I found I settled on as possible choices for my own use. If the goal is getting down to business and getting work done rather than fiddling with the system I think those 3 would fit most people's needs. I was a longtime Xubuntu user prior to this adventurism, and IMO there are just better alternatives though it would probably be #4 if I had one, but I'm just not a fan any longer. MATE man handles XFCE.

I leave Mint at the top because other than these security concerns, it remains the best distro for me. I love their LTS update policy, continually delivering updates to Mint during the entire support span of Ubuntu LTS. Their desktop env is also just better IMO than alternatives.

Ubuntu MATE is pretty good and for the type of person like myself who is drawn to Mint, would be a really good alternative. It's missing a few features of Cinnamon, which is superior in general for me to MATE. But overall this is what I'll install if I decided to ditch Mint.

Antergos is just Arch with a nice installer. I didn't spend a long time testing this but it would be my choice for a rolling distro. Many people I know want that and they offer Cinnamon as a main, supported environment. Might be the best of every world for some. I prefer the slower updates of LM and UM, and install newer packages through PPAs or compiling it.

As an aside, I have completely given up installing other desktop environments onto distros that didn't originally ship with them. I see people recommending that, and it may work out but it's a mess if you want to switch back in my experience. I prefer to pick a distro that ships with the DE of your choice. I would not run for example, 'sudo apt-get install cinnamon-desktop-environment', anywhere at any point. :)

Hopefully this helps someone out there looking to migrate off of Mint. I'm still using it (on 17.2 here) but may move to UbuntuMATE or Antergos Cinnamon, depending on Clem's response.

red_admiral, over 9 years ago
Starting a post with "I know this is voluntary work, pitch in or shut up and all that ..." doesn't make the quote you're attacking untrue.

For what I'm paying for Mint ($0.00) and what I get out of it in terms of productivity, I find it quite a decent distribution.

pweissbrod, over 9 years ago
I guess this is what you get when you try to make a cathedral out of the bazaar

ouiyaaa, over 9 years ago
People I understand your criticism, but may I suggest donating to them too if you've used Mint? Once his bills are paid off, maybe he'll spend more time worrying about Mint?

borplk, over 9 years ago
Is there a way for me to get the Mint Cinnamon experience with Ubuntu under the hood?

The last time I tried I couldn't get it to work in a painless/reliable way.

lucaspottersky, over 9 years ago
ironically, by not caring about copyrights and such, they provide a better User Experience!

Mikeb85, over 9 years ago
I've tried Mint. It's basically Ubuntu + a bunch of bugs. The quality is seriously sub-par, I'd much rather use any 'official' Ubuntu derivative.

stuaxo, over 9 years ago
There are way less Mint developers than others, and it is mainly user driven. - So of course it is less likely to be professional, at the same time it is more user driven.

incepted, over 9 years ago
I thought this was about mint.com... Relieved.

rpgmaker, over 9 years ago
This post is pretty damning. I was considering using Mint at some point but after this I will stay away.

m00dy, over 9 years ago
Who's using Mint these days anyway?

geostyx, over 9 years ago
I've been using Mint for the past month or so, should I be using something else?

wfunction, over 9 years ago
When I read the title I thought this was about Mint.com... perhaps it should be changed to "Linux Mint" or something?

icebraining, over 9 years ago
Could [Linux] be added before Mint? I thought it was about Mint.com