Asking “what Linux distro should I use” to a search engine, an AI, or YouTube returns a veritable graveyard of bad advice, link-spam blog posts, and interactive “help me choose a distro” websites that will steer you wrong 100% of the time.
gordonmessmer@reddit
Along with the helpful, "no, not the lts releases."
I've seen a few threads recently that suggest there's widespread confusion on this point, so we probably need to say this more often: LTS systems are less secure than regular release systems. If you've come to Linux for privacy or security, use a regular release system and avoid LTS systems for desktop use cases.
whosdr@reddit
How exactly do you figure that?
gordonmessmer@reddit
I'll note that I've been developing software for GNU/Linux systems and managing production networks for about 30 years now. A lot of my work is security related... After the XZ utils attack, I wrote a debugger that examined a running process to look for signs of namespace tampering like the exploit involved in that attack. I've done a lot of SRE work, including very large networks including Google.
Most professionals that I know... most people with an infosec background and most people with lots of production network management experience, take for granted that regular release systems are more secure than LTS systems, and more importantly I think we take for granted that everyone KNOWS that. And on the latter point I think we're wrong. People don't know that, even though they should.
If you want secure software, then you want software that's actively maintained by its developers. That much should be obvious. Most developers maintain their software for around a year, so releases like Fedora are much easier to secure... Fedora can simply ship the bug fixes directly from the upstream projects. LTS systems might do the same thing for the first 6-12 months of their maintenance window. But beyond that point, the distribution's work gets real, REAL hard. Once upstream maintenance ends, they have to backport and test code on their own, and they're doing that with FAR fewer maintainers than the total of all of the developers upstream. It's not a trivial difference either. There are more security flaws published than distributions are capable of backporting on their own. They have to prioritize and triage. A lot of lower priority flaws don't make the cut and never get fixed.
And, actually, a lot of high severity flaws don't get fixed if they're in low priority packages. And that's a thing that's often overlooked. Very important though.
LTS systems will have more unpatched security vulnerabilities than regular release distributions. They'll have more vulnerabilities discovered during the maintenance window of any given release. They'll be the furthest behind on deploying security improvements and hardening. No matter how you measure it, LTS systems always lose against regular release systems from a security perspective, because THAT'S NOT WHAT LTS SYSTEMS ARE FOR.
LTS systems exist to provide better compatibility with the ecosystem of software that existed at approximately the same time as the LTS release. That's their purpose. That's the thing they do better than regular release systems. They're definitely better at that. But not at security.
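The backporting situation described above has a practical consequence for anyone auditing an LTS box: the version string of a package tells you almost nothing on its own, because a fix may have been backported without bumping the upstream version, or an advisory may simply never have been picked up. The script below is an added example, not part of this thread or of any distribution's tooling. It classifies each advisory against an installed package three ways: fixed upstream before the release froze that version, backported by the distribution (the CVE id appears in the package changelog), or neither, which is the "didn't make the cut" set the comment describes. The package name, version strings, changelog text and the CVE-0000-* identifiers are all constructed placeholders, and the version comparison is a simplification rather than dpkg's or rpm's real algorithm.

```python
import re
from typing import Dict, Tuple, List

# --- Constructed sample data (hypothetical package, not a real advisory) ---

# Debian-style version: "<upstream>-<distro revision>". The distro revision
# changes when the maintainer backports a fix; the upstream part does not.
INSTALLED_VERSION = "1.2.3-4+deb12u2"

# Placeholder advisories: id -> first upstream release containing the fix.
# CVE-0000-* ids are deliberately invalid placeholders, not real CVEs.
UPSTREAM_FIXES: Dict[str, str] = {
    "CVE-0000-0001": "1.2.3",  # fixed upstream before the LTS froze 1.2.3
    "CVE-0000-0002": "1.3.0",  # fixed upstream only in a later release
    "CVE-0000-0003": "1.4.1",  # fixed upstream only in a later release
}

# Constructed changelog in the format `apt changelog` / `rpm -q --changelog`
# would print for a real package.
CHANGELOG = """\
example-lib (1.2.3-4+deb12u2) bookworm-security; urgency=high

  * Backport fix for CVE-0000-0002 from upstream 1.3.0.

example-lib (1.2.3-4+deb12u1) bookworm-security; urgency=medium

  * Rebuild against new toolchain.
"""


def split_version(version: str) -> Tuple[str, str]:
    """Split 'epoch:upstream-revision' into (upstream, revision).

    Simplified: drops the epoch and splits on the last '-'.
    """
    if ":" in version:
        version = version.split(":", 1)[1]
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        return version, ""
    return upstream, revision


def version_key(version: str) -> List[Tuple[int, str]]:
    """Sort key for dotted versions: numeric parts compare as ints.

    Simplified stand-in for dpkg/rpm comparison; '.', '+' and '~' all
    act as separators and a missing number sorts before 0.
    """
    key = []
    for piece in re.split(r"[.+~]", version):
        m = re.match(r"(\d*)(.*)", piece)
        num = int(m.group(1)) if m.group(1) else -1
        key.append((num, m.group(2)))
    return key


def version_only_status(installed: str, upstream_fixes: Dict[str, str]) -> Dict[str, str]:
    """What a naive scanner does: compare upstream version numbers only."""
    upstream, _ = split_version(installed)
    return {
        cve: "fixed_upstream" if version_key(upstream) >= version_key(fixed) else "unpatched"
        for cve, fixed in upstream_fixes.items()
    }


def classify(installed: str, upstream_fixes: Dict[str, str], changelog: str) -> Dict[str, str]:
    """Changelog-aware triage: fixed_upstream / backported / unpatched."""
    upstream, _ = split_version(installed)
    # Any CVE id the maintainer mentioned in the changelog counts as backported.
    mentioned = set(re.findall(r"CVE-\d{4}-\d{4,}", changelog))
    result = {}
    for cve, fixed in upstream_fixes.items():
        if version_key(upstream) >= version_key(fixed):
            result[cve] = "fixed_upstream"
        elif cve in mentioned:
            result[cve] = "backported"
        else:
            result[cve] = "unpatched"
    return result


def summarize(status: Dict[str, str]) -> Dict[str, int]:
    """Count advisories per outcome; the 'unpatched' bucket is the triage gap."""
    counts = {"fixed_upstream": 0, "backported": 0, "unpatched": 0}
    for s in status.values():
        counts[s] += 1
    return counts


if __name__ == "__main__":
    naive = version_only_status(INSTALLED_VERSION, UPSTREAM_FIXES)
    aware = classify(INSTALLED_VERSION, UPSTREAM_FIXES, CHANGELOG)
    for cve in sorted(UPSTREAM_FIXES):
        print(f"{cve}: version-only={naive[cve]:<14} changelog-aware={aware[cve]}")
    print("summary:", summarize(aware))
```

On the constructed data the version-only check reports two of three advisories as unpatched, while the changelog-aware pass finds that one of them was backported and only one is genuinely open. On a real system the changelog comes from `apt changelog <pkg>` or `rpm -q --changelog <pkg>`, and the "fixed in" column from the distribution's security tracker; a changelog mention is evidence that the maintainer attempted a backport, not proof that the backport is complete, so the open set is a lower bound.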
whosdr@reddit
Wouldn't that suggest that the majority of servers are also more vulnerable than your standard desktop machine, in which case? Since as to the best of my knowledge, they all run on LTS machines due to the work involved in migrating to newer package bases.
I get that there are limited resources for patching exploits and bugs, but if this were true then it seems like it would be a big problem for a lot of people.
gordonmessmer@reddit
The world is a lot more complex than that.
Sometimes production networks use LTS systems and dedicate engineers to patching code. Sometimes they use LTS systems for some components but build the software that's most security sensitive from source to follow upstream development. Surprisingly, a lot of advanced networks actually do run regular or even rolling release systems. I can't tell you a lot about how Google systems work, but I would remind you that Google's SRE publications emphasize minimizing the friction between writing code and deploying code.
And yes, a lot of the time desktop systems simply have fewer vulnerabilities than many servers do.
DoubleOwl7777@reddit
No, LTS is not less secure. LTS gets security updates too, just not feature updates frequently.
gordonmessmer@reddit
See my reply to the earlier comment. I'm not saying they're INSECURE, per se. But they are LESS SECURE than regular releases.
No one with any non-trivial experience in the industry will dispute that. I'm actually really surprised to learn that this isn't more widely understood.
10MinsForUsername@reddit
Ah yes, the entire Internet is spam and dumb, except for me and my blog post.
Absolute elitist behavior, not weird coming from a Fedora lover.
gordonmessmer@reddit
Are you seriously dismissing the advice of one of the KDE desktop's most prominent developers as a "Fedora lover"?
10MinsForUsername@reddit
Yes. Mind blowing right?
He can't be wrong, but all the Internet is, yea? 100% the Internet is wrong, but him.
whosdr@reddit
I'd say a few essential applications are a little barebones though. Comparing Kcalc to, say, GNOME Calculator, would be such an example.
Both in the visual design, and the functionality itself. I'm not sure who to talk about that to though.
MrTheCheesecaker@reddit
I mean, Kcalc has scientific, statistical, and numeral system modes as well as the basic calculator, so I'm not sure what it might be missing as a desktop calculator app that's not trying to be SpeedCrunch
whosdr@reddit
It's okay for button use, not as good as competitors for typing. For example, it doesn't recognise alternate syntax like ** for exponentiation, or functions like sqrt(x) in the text field.
This is especially strange because this functionality IS supported in the calculator search plugin.
It supports only 6 constants which are only defined in an external settings menu, whereas GNOME's calculator allows you to define variables in the main calculator interface. (e.g. x=8 or x=sqrt(2)/2)
The UI isn't responsive, which leads to the buttons stretching wildly if you want a tall or wide calculator. (GNOME's calc uses that extra space to add more functionality: more buttons when wide, more history space when tall)
I use calculators a lot. It might actually be my most used keybind on my desktop. So you can probably tell I'm very passionate about this stuff. (And I'd love to see it get better!)
natermer@reddit
Yes the Linux community is full of incredibly bad advice pointed towards newbies.
Liarus_@reddit
Honestly the random clowning on Linus.S made me chuckle, Nate must have cringed bad watching that video