At BSides last weekend, I attended a talk by Matthew Arnold about the relative security of various Linux distributions. One of the focus points of the talk was Linux Mint, which I have been using on my personal machines for several years.
At first I assumed that the reason for that focus was the tie-in with this story from February about how the Mint download site had been compromised. That intrusion resulted in a brief window – several hours – during which the .ISO files you’d get to install or try Mint were Trojaned. Since the web page sending you to those files was itself defaced, MD5 sums were also published that “validated” the malicious files. Good times.
Arnold, however, presented an argument that this issue, however serious, was merely a visible manifestation of some much more fundamental issues with how “smaller distributions” (his term) such as Mint are managed. Now, if you’re wondering how the most popular Linux download in the world qualifies as a “smaller distribution,” welcome to the club: that was my exact question. It turns out that what is “small” about Mint is the scope of the organization running it, and its IT operation. Specifically, they have a single server that hosts builds, downloads of distribution .ISOs, package repositories and the public-facing website. So once the attackers had the web server, they had the entire thing. Game over.
Larger Linux distributions have an elaborate hierarchy – especially when you consider these are primarily volunteer organizations. When there’s an emergent security issue, people respond and start working on it within hours, since someone is awake and available, somewhere in the world, at all times. Mint is much smaller in this respect, too. One source told me “three people” are the whole team. Even if that is not exact, we’re probably not talking about hundreds or thousands. The amount of attention that can be focused on any one issue is necessarily lessened by running a Linux distribution on a shoestring, or as a hobby. This TechRepublic article gets deeper into this issue.
As for me, I will be rebuilding our two remaining Mint machines this weekend: one on Ubuntu 16.04 LTS and the other on Debian 8. If I feel any further hankering for Mint, I will get a box of Altoids.