Breaking: Update Manager in 19.2 will no longer feature a protective level system

[DAMIEN1307]

hi there Night Wing, im hoping you are taking into account that kernel updates in the same series kernel such as the 4.15.0-xx LTS series, are bug fixes and security updates that SHOULD be updated mostly for security reason...they are not "re-inventing the wheel", they are maintaining the integrity of that kernel series is all...without those updates within the same series, you are compromising the security of your entire OS...just a thought to share with you...DAMIEN

[smurphos]

When I install a new Mint version, I always use the kernel provided by default..

Sometimes I wish developers, when things are running like a well oiled machine, would just leave things alone.

Can I suggest you review
https://usn.ubuntu.com/releases/ubuntu-18.04-lts/ noting that kernel updates are frequently patching known vulnerabilities and consider whether your update policy might need review

[MrGrimm]

I want only to say that Mint will not have any formal competitive advantages after that. On my second disk I have already installed MX Linux which most probably will become the my production system.

I want only to say that Mint will not have any formal competitive advantages after that.

Well, there are more nifty tools.... Like mintstick, mintsources and mintbackup. And of course Cinnamon. Stuff you won't find in the *buntu's....

Apart from this feature loss, in other respects mintupdate has been improved noticeably.

For me, it's a loss. But not enough of a loss to consider a switch to another distro.

personally i think it's time to actually install makulalinux and see how it stacks up to mint cinnamon, especially since it does have a few extra preinstalled apps i felt should of been in mint from the first boot.

[michael louwe]

Can I suggest you review
https://usn.ubuntu.com/releases/ubuntu-18.04-lts/ noting that kernel updates are frequently patching known vulnerabilities and consider whether your update policy might need review

.
Yes, they have also been well known to occasionally bork or crash the computers. ...
https://news.softpedia.com/news/canonic ... 4816.shtml - Canonical Patches Linux Kernel Regression in Ubuntu 18.04 LTS,
https://news.softpedia.com/news/canonic ... 4892.shtml - Canonical Apologizes for Boot Failure in Ubuntu 18.10 & 18.04, Fix Available Now

Level 4 updates in LM 19.0 means dangerous or risky to the computer system. The default setting in LM 19.0 installs all Level 1-4 updates, including those for the Linux kernel = some computers going borked or crashing, especially newbies'.

[michael louwe]

The present trend is for OS software developers to take away control from computer operators/users over the updating process and changing selective individual updates to non-selective "Patch Rollups". I do not get this new mentality that it is OK for software developers to regularly crash computers with their buggy security updates = the computer operators/users just need to do a system restore with Timeshift or System Restore, which sometimes does not work.

The BIG question is, who will have final control of the updating process, the computer operators/users or the LM software developers, and what will be their results, eg for LM 20, LM 21, etc.? - bearing in mind the big difference between home-users and enterprise-users.

As an average home-user, my personal trend is to completely not install any future "Patch Rollups" in Linux ala operating Win XP post EOL in 2014. I do not need the hassle of buggy security updates regularly crashing MY computer and needing to do system restores/recoveries. I'd rather my unpatched computer system gets infected through security bugs/vulnerabilities and then do a system recovery, which so far has never happened to my "unpatched" LM systems = I have been operating LM 16 and LM 17 smoothly for the past few years without installing any Level 4-5 updates.
....... Similarly, I have been operating Win 7 online smoothly since stopping all security updates from April 2016 onward when M$ introduced her aggressive GWX KB3035583 update/upgrade campaign and monthly Patch Rollups in Oct 2016. Of course, I also practice safe-browsing, has AV real-time protection, etc.
.
.
P S - Linux systems are well known to be not very vulnerable to viruses/malware, eg no need Anti-Virus protection. Correct.? If so, I do not get why this new trend of LM developers being so insistent on all security updates "must" be installed by users/operators asap or immediately. Maybe, the "must" is for enterprise users.

[smurphos]

Level 4 updates in LM 19.0 means dangerous or risky to the computer system. The default setting in LM 19.0 installs all Level 1-4 updates, including those for the Linux kernel = some computers going borked or crashing, especially newbies'.

Why would the users experience level influences the likelihood of their hardware having issues with specific kernels? It doesn't. A less experienced user may just need more guidance in how to deal with an issue should one ever occur.

Dangerous and risky are strong and emotive words and in my opinion and experience, hyperbolic when applied to updates in Ubuntu based distros. Yes some updates may have more scope to cause issues but that doesn't make them inherently dangerous. And for any given update that patches a security vulnerability there is a risk level attached to not applying it. Not updating may reduce the risk to stability, but the risk to security accumulates over time and doesn't go away and at some point enters territory where the descriptor dangerous might be merited. And sometime not updating some components for long periods introduces risks to stability as new OS components find themselves inhabiting a system with old ones.

The level system could have played a useful role in educating users so they could make informed decisions as to these relative levels of risk and I think it could still do so it's a shame that it is going in that regard. Personally I'd be quite happy if the level label stayed but the ability to blacklist by level went which would hopefully have the effect of encouraging users new and old to educate themselves about what updates they are applying so they can make informed decisions as to what and when to update.

Anyway as gm10 has made clear the updater will still include tools to give end users enhanced control of their updates, what to update and when as per their personal risk assessment and not someone else's. I hope that it also continues to improve in it's ability to help users new and old understand what they are updating and why to assist them in that decision making process. I think that improvements to date have been a step in the right direction..

On that note...gm10 as you are likely watching this thread......what are the chances of security updates having a hyperlink to their respective USN - clickable from within update manager?

P S - Linux systems are well known to be not very vulnerable to viruses/malware, eg no need Anti-Virus protection. Correct.?

Updated Linux systems are well known to be not very vulnerable to viruses/malware. An important distinction.

[michael louwe]

Dangerous and risky are strong and emotive words and in my opinion and experience, hyperbolic when applied to updates in Ubuntu based distros

.

Level 5 is extremely rare and not used by default. This level is dedicated to flagging dangerous or broken updates.

https://www.linuxmint.com/rel_sonya_kde_whatsnew.php

Level 4 in LM 19.0 is formerly Level 4 & 5 in LM 18.1 or older.
viewtopic.php?t=243592

[smurphos]

Michael - you are taking that quote of of context. One might say trolling.

Level 5 in 18.1 and prior meant something different to level 5 in 18.2.

18.2 release notes.

Policies and level definitions were refined to better filter updates depending on their level of impact on the operating system and without worrying about their origin. Most updates are now level 2. Application updates which do not impact the OS are level 1. Toolkits and desktop environments or libraries which affect multiple applications are level 3. Kernels and sensitive system updates are level 4.

Level 5 is extremely rare and not used by default. This level is dedicated to flagging dangerous or broken updates.

And to my knowledge nothing was ever flagged as level 5 after the release of 18.2. The only globally dangerous update after the release of 18.2 (a level 2 BTW) was handled by a mandatory update to mint-update to make the dangerous update conflict with mint-update and force uninstall / prevent the update.

[catweazel]

For those of you who feel a sense of loss over this decision, now you have at least a small taste of what us former Mint KDE users felt

[gm10]

sorry for OT but since I was asked:

On that note...gm10 as you are likely watching this thread......what are the chances of security updates having a hyperlink to their respective USN - clickable from within update manager?

Interesting idea, but probably zero. There's no API to query them that I'm aware of, so I'd have to parse the website, and that means every single USN back to the time of release of the distro, since I don't know when a user is going to apply them. For Ubuntu 14.04 LTS there's currently 1347 USN listed, you can imagine the resource cost on both ends of crawling all of that, even assuming I'd be caching the results after the first run. I don't think that's worth it for something most users probably won't read, anyway. We already have the classification as a security update and the changelog for the technical details, that must be good enough.

I could do something generic like a CVE tracker link like we do for the kernels, but that would confuse more than it would help.

[smurphos]

Fair enough but perhaps a link to the USN with some explanation for what is it in the update manager help documentation might be good.

[michael louwe]

Michael - you are taking that quote of of context. One might say trolling.

Level 5 in 18.1 and prior meant something different to level 5 in 18.2.

.

.

.
There is no Level 5 in LM 18.2 or LM 19.0.
Level 4 & 5 in LM 18.1 and earlier became Level 4 in LM 18.2 and later.

https://sites.google.com/site/easytipsf ... -explained
https://easylinuxtipsproject.blogspot.c ... pdate.html

[Pjotr]

Well, anyway, to get back on topic again: this feature loss is not such a big deal, because we can simply solve it ourselves. As said, by copy/pasting one single command line:
https://easylinuxtipsproject.blogspot.c ... html#ID3.1

So there's no reason to become overly emotional about it.

[Night Wing]

@ DAMIEN1307, @ smurphos

I've read both of your replies and looked at the links. But, from my first hand experience with a security kernel update in a previous version of Mint, I'll tell you what happened to me when I did one of those Level 4 "security" updates for a kernel.

When I did the update and the update was installed, after that, I "did not" have a cursor. It just disappeared. To say I was "ticked off to the MAX" is to put it mildly. Do you know how hard it is to work a computer screen with no cursor?

With no cursor, one cannot just go to Timeshift to fix the problem because without a cursor on the screen, there is no navigation to anywhere which includes navigating to Timeshift.

This move is on the drawing board for 19.2 and speaking just for myself, it should "never" make it off the drawing board. To the developers who want this move, I hope they read my comment here or maybe by chance this could happen to them (no cursor) and then they would understand why I do not like doing Level 4 updates.

And since there will be no levels anymore, this is akin to what Microsoft is doing with their updates with regards to Windows 10. The only difference, I can still ignore a bad update, in Mint, which has the ability to severely cripple my system whereas with Windows 10, one can only defer a bad KB update and hope Microsoft gets off it's "backside" (for the want of a better term) and fixes the problem Microsoft created with one of their sorry KB updates.

So given the choice of not installing a Level 4 update and being attacked (after reading all those links) with the "an attacker may or an attacker could do this", with having a no cursor after installing a bad security kernel update.............I'll take the attacker because I don't mind re-installing the system, finding the bad update and ignoring it.

And I don't use TImeshift in Mint 19.1 because for me, I find it confusing.

[Moem]

I don't use TImeshift in Mint 19.1 because for me, I find it confusing.

Boom! And there we have it.
You are not alone in that! But surely the interface can be improved?

[Pjotr]

I don't use TImeshift in Mint 19.1 because for me, I find it confusing.

Boom! And there we have it.
You are not alone in that! But surely the interface can be improved?

But how? Personally, I find the current interface really simple already....

[MrGrimm]

michael louwe is 1,000,000% correct in ask "who will have final control over updating". us the end users should, it's one of the main reasons for switching from windows. take the resent stunt with windows updates and how they will be handled after the spring update in april.

"Dangerous and risky" are apt terms regardless of believe otherwise. for years millions of us refused to allow windows to install any drivers via windows update cause they had a nasty habit of borking things up more times than not. millions on windows still do not allow windows to install drivers, hence why microsour went out of their way to give the end user the choice if they wanted windows to check for and install driver updates when checking for other updates.

Well, anyway, to get back on topic again: this feature loss is not such a big deal, because we can simply solve it ourselves. As said, by copy/pasting one single command line:
https://easylinuxtipsproject.blogspot.c ... html#ID3.1

So there's no reason to become overly emotional about it.

thanks for that.

I don't use TImeshift in Mint 19.1 because for me, I find it confusing.

Boom! And there we have it.
You are not alone in that! But surely the interface can be improved?

Boom! there is PART of it, as i stated in this thread and shortly after i gave my entire ssd over to mint i got shafted by timeshafter. i used parted magic to reset the ssd, popped in the mint live media, boot into the live media, clicked install, let mint auto partition the drive, once on the desktop and the welcome screen was up selected to use timeshift, got told it did not like my partition setup AFTER mint itself did the partitioning. i know i'm far from the only one that ran into this issue.

[Hoser Rob]

This is idiotic, it's actually the best thing about Mint and the ONLY reason I'm still using it.

[karlchen]

"who will have final control over updating". us the end users should

In an ideal world the end users would be capable of making educated decisions on which software updates to accept and install and which ones not.
In real life the end users have got no chance of making any such educated decisions, because they neither have got the needed expertise, nor do they have got the time to test each software update thoroughly on a test system in order to identify regressions and newly introduced bugs, before installing the software updates on their (productive everyday) systems. Even those users, who are long time Linux users and who do not take pride in being life long "newbies".

So we are in a plight.

The Linux Mint Update Manager protective level system was an attempt at simplifying a very complex challenge by sorting available updates into 5 seemingly simple and easy to understand stability levels so that even the majority of inexperienced Linux Mint users seemed to be able to make an educated decision on which levels of updates to install and which ones to ignore.
This whole stability versus security approach was an invalid approach from the very start, however. (Because you need both, security and stability.)
Next applying catchy labels and suggestive colours to the 5 levels (from green over yellow to dark red) did not lead to educated decisions on the users side. Instead it helped spread some irrational update phobia, which prevented users from keeping their systems up-to-date and ironically gave them the (unjustified) feeling they were acting extra smart by doing so.
In brief, the Mint update level system is a sad example how a good intention turned out to be counter-productive in the end.

In brief, I am not quite sure whether I should shed an artificial tear that the Update Manager level system is going to leave us.

On discontinuing the level system:

This is idiotic, it's actually the best thing about Mint and the ONLY reason I'm still using it.

From my perspective: Quite honestly and truthfully, the level system has been switched off on my Mint systems by making all 5 levels visible and marking them as "safe for installing", since roundabout August 2012 (Mint 13).
During the whole 9 years of using Ubuntu / 7 years of using Mint, I have had
+ to revert to a previous kernel version (in the same series) twice, because the new kernel introduced a nasty regression (read "bad bug")
+ to fiddle around quite a bit, because a regression in a level 4 update (proprietary NVidia driver) caused unpleasant visual side effects with my old Nvidia card

[BigEasy]

This whole stability versus security approach was an invalid approach from the very start, however. (Because you need both, security and stability.)

Update manager already allows me what you think I need: I can ckeck every checkboxes.
Next. How can I call a situation when I need to restore from snapshot due buggy secure update? Return to unsecured or return to stability?