by Swapnil Bhartiya

Linux Mint, please stop discouraging users from upgrading

Dec 21, 2016
LinuxOpen SourceSecurity

Instead encourage users to keep their systems up-to-date.rn

The new version of Linux Mint has been released so I went ahead and downloaded it and reviewed it on my latest Dell XPS 13 Kaby Lake machine. That’s when I came across the persistent Linux Mint messaging to its users that discourages software updates. That spreads a very dangerous notion that once you get everything working, you shouldn’t touch it.

Linux Mint has experienced some security breaches lately, so they should not be encouraging such behavior. Linux Mint project leaders seem to undermine the value of updates and upgrades. Clement Lefebvre, the founder and project leader of Linux Mint wrote in a blog post:

Upgrade for a reason

“If it ain’t broke, don’t fix it”.

You might want to upgrade to 18.1 because some bug that annoys you is fixed or because you want to get some of the new features. In any case, you should know why you’re upgrading. As excited as we are about 18.1, upgrading blindly for the sake of running the latest version does not make much sense, especially if you’re already happy and everything is working perfectly.

I am not sure about the target audience of Linux Mint, but I am assuming these are not necessarily developers and sysadmins who often keep themselves informed about security bugs.  A majority of these users may not be reading security advisories; there are no centralized advisories for desktop Linux. Different distros have their own advisories. And I don’t recall if Linux Mint even publishes any such advisories.

A few days ago there was a bug in Ubuntu apport that allows anyone to hijack Ubuntu based systems, including Linux Mint. There was another 0-day bug in Ubuntu and Fedora that compromised a system. Every month we come across new vulnerabilities in Linux that are patched by the kernel community or the upstream projects immediately. However, I have never seen any vulnerability reports on the Linux Mint site.

I am not sure if Linux Mint users really keep an eye on such bug reports. You can’t really keep up with them unless it’s a focus area for you.

Security is not an “If it ain’t broke, don’t fix it” problem.

I recall a meeting with Greg Kroah Hartman, the leading Linux kernel developer, where he talked about the importance of keeping your system updated: “We make a lot of changes, and we’re not just making changes because we like to, because that’s more work. We’re really lazy. We’re making changes because we have to. We’re making changes because the world changes. The model of ‘you make a box and you make it static and you throw it in the corner’ doesn’t work, because that box has to touch the world and the world changes. Everything interacts, so you have to evolve. If your operating system does not change, it is dead. It’s that simple. If your device does not change based on the world it interacts with, it is dead. It’s that simple. So look at operating systems that don’t change, nobody uses them anymore.”

Linux Mint doesn’t have an automatic update mechanism like Chrome OS or Ubuntu Snappy, and discouraging updating systems puts users at risk.

My advice to every Linux Mint user out there is to always run the latest version of your software. Developers are not ‘wasting’ their time making release after release. They are fixing something; they are improving something. Take advantage of that work. By staying on latest packages you will also be giving back to the projects that you use. If you come across any bugs, you can file a bug report and help developers fix them.

My advice to Linux Mint developers is to:

1) Build Linux Mint in a way that it is upgrade proof.

2) Build mechanisms and move LM toward an automatic updating system

3) Stop discouraging users from upgrading their systems and encourage them to stay updated.

Don’t wait for it to break; protect it from breaking by staying updated. All the time.