Is Linux Mint a "crude hack" of existing Debian-based distributions?
The news about the Linux Mint site getting hacked has caused many Linux users to question the quality of the distribution. One user on LWN.net took the Linux Mint developers to task for a number of things that he felt made the distribution a bad choice for desktop users.
Glaubitz posted his thoughts about Linux Mint:
Well, Linux Mint is generally very bad when it comes to security and quality.
First of all, they don't issue any Security Advisories, so their users cannot -- unlike users of most other mainstream distributions [1] -- quickly lookup whether they are affected by a certain CVE.
Secondly, they are mixing their own binary packages with binary packages from Debian and Ubuntu without rebuilding the latter. This creates something that we in Debian call a "FrankenDebian" which results in system updates becoming unpredictable [2]. With the result, that the Mint developers simply decided to blacklist certain packages from upgrades by default thus putting their users at risk because important security updates may not be installed.
Thirdly, while they import packages from Ubuntu or Debian, they hi-jack package and binary names by re-using existing names. For example, they called their fork of gdm2 "mdm" which supposedly means "Mint Display Manager". However, the problem is that there already is a package "mdm" in Debian which are "Utilities for single-host parallel shell scripting". Thus, on Mint, the original "mdm" package cannot be installed.
Another example of such a hi-jack are their new "X apps" which are supposed to deliver common apps for all desktops which are available on Linux Mint. Their first app of this collection is an editor which they forked off the Mate editor "pluma". And they called it "xedit", ignoring the fact that there already is an "xedit" making the old "xedit" unusable by hi-jacking its namespace.
Add to that, that they do not care about copyright and license issues and just ship their ISOs with pre-installed Oracle Java and Adobe Flash packages and several multimedia codec packages which infringe patents and may therefore not be distributed freely at all in countries like the US.
To conclude, I do not think that the Mint developers deliver professional work. Their distribution is more a crude hack of existing Debian-based distributions. They make fundamental mistakes and put their users at risk, both in the sense of data security as well as licensing issues.
I would therefore highly discourage anyone using Linux Mint until Mint developers have changed their fundamental philosophy and resolved these issues.
Other LWN.net readers shared their thoughts about Linux Mint:
H2: "...thanks for noting many of the things bad and wrong with Mint. Your list is quite good. I've suffered directly from Mint deciding to make one of my tools the default in Mint, for a while, until the flood of Mint users who were in general totally incompetent forced me to drop all support for them, permanently. Mint is totally non supportable by any downstream source because of their ridiculously broken, by design, update/packaging decisions.
Clem had never once thought it necessary to talk to me about his decision, nor would he ever admit that his FrankenDebianBuntu ( unique creature in the world, managing to break fundamentally not just one, but TWO source distributions at once) is in fact totally unsupportable by any sane person.
Not to mention his monstrosity, LMDE, which is not at all Debian, at least it's not since the primary dev of that left in disgust at the absurd garbage clem was forcing into lmde."
Flussence: "The root cause of that issue is that they've built their distro atop one that doesn't namespace packages sanely (or at all). Debian also has had the same dilemma internally with ack, chromium, dolphin, etc. but they choose to work around it by changing the name, sometimes the binary, of one of the two programs; the end result is that the one on the losing side of the deal ends up harder to find.
Everything else you've said is valid, but this one is squarely Debian's fault."
Job: "Thank you for that. At least it shows that I'm not the only one dumbfounded by the apparent insanity here.
It's one thing that this is a hobbyist project, but when real people are actually put at risk because of your hobby, it is not unfair to demand at least some accountability."
Beolach: "Linux Mint is *NOT* a desktop environment - it is a Linux Distribution. As part of their distribution they also created their own desktop environment, but the name of the DE is Cinnamon, not Linux Mint. And Cinnamon is IMO one of the good things Linux Mint has done - I strongly agree w/ their design goal of a traditional desktop UI. Fortunately, Cinnamon can be & is packaged in other distributions, including Debian.
But Linux Mint is a full Distribution, not just the Cinnamon DE, and as such has a *much* larger scope, and in that larger scope has made decisions that I strongly disagree with. In addition to glaubitz's list, the issue that turned me off of Linux Mint is their very old kernel versions - 3.19 in their latest release. And it's not even an older LTS kernel release; it's a no-longer supported kernel. 3.18 would have been better (assuming they kept up w/ the LTS minor updates, of course).
There are how-to guides out there for upgrading Linux Mint to a more recent kernel, but they're all just about grabbing an Ubuntu or Debian kernel. So it's back to the Frankendebuntu situation, make-your-own monster this time."
Johannbg: "All these distributions are fundamentally the same thing with their greatest collaborated achievement being collectively making upstream life miserable about the needless deviation they all do to distinguish themselves from each other. "
Leoluk: "The quality of Linux Mint (the distribution) is questionable. Their applications (Cinnamon and MATE) are, however, of very high quality. Both are packaged by many other distributions nowadays and work just as well as in Linux Mint itself."
Welinder: "It would probably be more productive if you (Debian, ...) asked yourself the question, given all the shortcomings you see, why is Linux Mint so popular? For me, the answer is that Linux Mint protects the users against what I will be nice and call misguided innovation on the desktop. The fads of the day."
Glaubitz: "One of the main reasons for being popular is the fact that they do not care about licensing issues. They ship their ISO files with pre-installed Adobe Flash, Oracle Java packages as well as multimedia codecs (which people want) which violate intellectual copyrights and patents. Unless the maintainers of a distribution want to violate copyright laws intentionally and make themselves attractive targets for lawyers, there is nothing they can do to alleviate that. Debian and other aren't not shipping those packages because they want to make life hard for their users, it's because they cannot, legally speaking.
Canonical - as a company - was able to negotiate contracts with companies like Skype or Adobe, so they can offer the software packages of these companies in their third-party repositories, but it would still be illegal to ship software like libdvdcss2 in most countries. However, there are no companies behind distributions like Arch, Gentoo or Debian and they therefore cannot negotiate such contracts.
Again, the stance of the Mint developers - namely Clement Levebfre - is simply that they don't care about such issues which is already very dubious in the first place, not even mentioning the security issues they have."
Welinder: "I have yet to encounter a situation where a cve report has had Debian and Ubuntu responses, but no patch for Mint has shown up in my patch queue immediately or very soon thereafter. (I know about the "banned" packages and I have flipped the switch so I can see them and decide; I am not worried over local attacks, so grub can wait.)
Now, compare that non-situation to Debian's years of dragging feet regarding fixing the package management's trust in the network and its resultant vulnerability to man-in-the-middle attacks -- including those unintentional ones known as captive portals -- which would *disable* security updates entirely. (Debian 710229; Launchpad 1055614; and many others.)"
Glaubitz: "You may be aware of blacklisted package updates, but many users are not. I'm sorry, but making security updates *optional* is not up for discussion, on any operating system. Period.
And, as I have explained before, Linux Mint does not issue security advisories, so you - as a Linux Mint user - have no immediate and easy way to quickly verify whether your particular version of Linux Mint is affected by a certain CVE.
On Debian, I open up Google and type "Debian CVE-2015-7547" and I am immediately presented with a website which shows me which versions of Debian are affected by the recent glibc vulnerability and which are not. You *cannot* do that on Linux Mint which therefore disqualifies itself for any professional use. End of discussion."