
Is MX less secure than a larger distros like Ubuntu or Debian bc backdoors could slip in Mint style? [Solved]
-
- Posts: 15
- Joined: Fri Feb 11, 2022 1:03 pm
Is MX less secure than a larger distros like Ubuntu or Debian bc backdoors could slip in Mint style?
One would think that larger, more corporate distros have certain processes in place to avoid malicious code slipping into a release. Since Mint had its own issues: https://www.techrepublic.com/article/wh ... r-problem/ how can users of MX rest assured no backdoor slips into an MX release or update?

-
- Posts: 3602
- Joined: Tue Jun 14, 2016 2:02 pm
Re: Is MX less secure than a larger distros like Ubuntu or Debian bc backdoors could slip in Mint style? [Solved]
That is an extremely old article (TechRepublic at that) and it doesn't highlight the root cause of how the compromise occurred, which was through using outdated WordPress at the time.
There were several other issues like some lack of ISO verification methods, etc, etc.
Malicious code or a backdoor wasn't "slipped" into their release, it was that the whole ISO download link on the website was replaced to direct to a modified ISO that included remote access botnet malware. Their actual release and repos were not compromised from what I remember.
While ultimately the issue was the Mint site being compromised, anyone that didn't do their due diligence verifying that when they went to download Mint that it was actually downloading the ISO from absentvodka.com, really can't say anything. Back then Mint only used MD5 for ISO verification, Mint and the world in general has moved (at least tried) on from that (or should have), and typically ISOs are signed using public/private key pairs.
Want to verify our releases are good... https://mxlinux.org/wiki/system/signed-iso-files/
As far as updates, MX consists of Debian packages and ones we build ourselves. Packages come from the MX Team which does its best to only build off of official or vetted sources, provided packages are also signed, verified when they are added to the repo, etc, etc. This is no different than "more corporate distros" as the mechanisms are the same really.
If someone adds random repos to their install we can't control what comes from those.
NEW USERS START HERE FAQS, MX Manual, and How to Break Your System - Don't use Ubuntu PPAs! Always post your Quick System Info (QSI) when asking for help.
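The reply above contrasts an MD5 checksum served by the same site that was compromised with ISOs signed by a public/private key pair. As an added example (not from the thread or the MX project), the script below accepts an ISO only when its detached signature verifies and was made by a key whose fingerprint was obtained somewhere other than the download page. The function names, the argument order and the rejection of MD5/SHA-1 signature digests are assumptions of this example.

```shell
#!/bin/sh
# Added example (not MX project code): accept an ISO only if its detached
# signature verifies AND was made by a key whose fingerprint you pinned
# from a source other than the download site.

# Reads `gpg --status-fd` lines on stdin. Succeeds only when a VALIDSIG line
# names the pinned fingerprint (signing key or primary key) and the signature
# digest is not MD5 (1) or SHA-1 (2); that digest policy is this example's.
signed_by_pinned_key() (
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$pinned" ] || exit 2
    awk -v fpr="$pinned" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
        ($3 == fpr || $NF == fpr) && $10 != 1 && $10 != 2 { ok = 1 }
        END { exit (ok ? 0 : 1) }'
)

# verify_iso ISO SIGNATURE KEYFILE FINGERPRINT
verify_iso() (
    status=''
    home=$(mktemp -d) || exit 2
    chmod 700 "$home"
    # Throwaway keyring: only the key passed in can validate the signature,
    # so stray keys in the user's own keyring play no part in the decision.
    if gpg --homedir "$home" --batch --quiet --import "$3" 2>/dev/null; then
        status=$(gpg --homedir "$home" --batch --status-fd 1 \
                     --verify "$2" "$1" 2>/dev/null) || true
    fi
    rm -rf "$home"
    # A key file swapped on a compromised site still fails here, because its
    # fingerprint will not match the pinned one.
    printf '%s\n' "$status" | signed_by_pinned_key "$4"
)

# Usage: sh verify-iso.sh image.iso image.iso.sig signing-key.asc "FINGERPRINT"
if [ "$#" -eq 4 ]; then
    if verify_iso "$@"; then
        echo "OK: signature valid and made by the pinned key"
    else
        echo "REJECTED: do not boot or install this image" >&2
        exit 1
    fi
fi
```

A checksum file fetched from the same page as the ISO only detects a corrupted download; the pinned fingerprint is what ties the image to the people who built it.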
-
- Posts: 15
- Joined: Fri Feb 11, 2022 1:03 pm
Re: Is MX less secure than a larger distros like Ubuntu or Debian bc backdoors could slip in Mint style?
thanks for the clarification 

Re: Is MX less secure than a larger distros like Ubuntu or Debian bc backdoors could slip in Mint style?
@LearningMX It would be great if you could click the check mark to mark it "Solved"
Production: 5.10, MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin