
Ubuntu, openSUSE and Fedora can be considered mainstream. In comparison, distributions such as Solus, MX Linux, antiX, Void and others could be classed as niche.

Mainstream distributions are typically backed by corporations such as Canonical, IBM or EQT. They may have mature security practices, dedicated teams and infrastructure that's focused on delivering products that pass security, engineering & development standards.

In contrast, niche distributions are supported by groups of like-minded people or in some cases individuals. They may lack resources, time and budgets. In contrast, they may offer distributions that support older hardware, choices in init systems and libraries such as musl.

What are the dangers of using niche distributions? Can these be avoided or minimized? If yes, how?

fenixleon
  • Mainstream distros are most certainly not "typically" backed by a corporation. Apart from Ubuntu and RedHat, I can't think of another that is. Mint, Debian, Arch, Manjaro, Slackware, Kali are all very mainstream and popular and not backed by a corporation. In fact, neither is Fedora or openSuSe both of which are community projects and only sponsored by companies. MX Linux is the most popular distribution out there at the moment, hardly niche. I think you might need to check some of your assumptions here :). – terdon Apr 08 '22 at 13:28
  • @terdon, sponsorship from corporations can be considered as backing. Backing isn't limited to direct support. I don't believe Solus, MX Linux, antiX or Void are backed directly or indirectly by corporations – fenixleon Apr 08 '22 at 18:09
  • @terdon, I didn't suggest Debian, Mint , Arch, Manjaro, Slackware or Kali to be not mainstream. I also used "could be classed niche" rather than "are niche" – fenixleon Apr 08 '22 at 18:09
  • @terdon, the ratings from Distrowatch relate to page views and hits. I don't believe it's a one to one or a direct conversion of widespread adoption & use – fenixleon Apr 08 '22 at 18:09
  • My point is that corporate backing is the exception and not the norm in the Linux world, and certainly in the "mainstream" distros. Only the two you mentioned are corporate products. And of course distrowatch isn't perfect, but it's the only way we have to measure distro popularity. None of the top ones there could be classed as niche, they are the mainstream ones by definition. I am afraid the premise of your question is just wrong. Or rather, the examples are wrong. There are some niche distros out there, but corporate backing is not typical of mainstream ones. At all. – terdon Apr 09 '22 at 11:15
  • @terdon, Corporations of all sizes support distributions in all sorts of different ways. I don't think it can be discounted in its entirety. For example, Debian and similarly Linux Mint. Backing doesn't necessarily translate into corporate built and distributed. By top, if you mean Debian, Linux Mint, etcetera, I didn't suggest that there were. – fenixleon Apr 09 '22 at 17:55
  • So that I understand, is the definition of mainstream "popularity"? Popularity suggests its known but that doesn't always mean it's used. Sure, it may be one of the factors but it isn't the only one. We may be looking at it from different perspectives. – fenixleon Apr 09 '22 at 17:55
  • Well yes, mainstream means popular, commonly used. Linux and other free software tools are, with very few exceptions, not controlled by private entities. That such entities may offer help and support is another matter. Your question seems to assume that if a corporation doesn't own a distribution that makes the distribution unusual when in fact the opposite is true. In any case, this is all irrelevant since the kernel itself is just "supported by groups of like-minded people", so if you think that is a security issue, Linux is out. – terdon Apr 10 '22 at 13:53
  • @terdon, I'm unsure why you think backing means "control" or that it's owned by a particular corporation. The question doesn't mention either. Backing can mean direct or indirect support. It can come in various forms. It may be financial or otherwise. Think we're saying the same thing about mainstream i.e. popularity isn't the only factor. – fenixleon Apr 10 '22 at 19:00
  • @terdon, While the question isn't about the kernel, it's also supported by corporations of all types and sizes. I also didn't suggest that being supported by groups of like-minded people is an issue. Some groups may not have any direct or indirect corporate or similar support and this may introduce risks such as resources, time and budgets which may affect security. I appreciate that we may be looking at this from different points of view. We may just have to agree to disagree. – fenixleon Apr 10 '22 at 19:03

2 Answers


Very often, these Linux distributions aren't made from scratch, but rather are derivatives of existing distributions, modified to fit some other purpose better. A prime example of this would be Backtrack, which used to be based on Ubuntu, but was modified to be for penetration testers and other hackers. This later became Kali and was based on Debian, not Ubuntu anymore. While of course Kali isn't "niche" by any stretch of the imagination, it illustrates the "take a big distro and modify it" approach.

Of course, there are also small distributions, which are based on nothing and usually have some goal other than productivity, such as teaching people how to work with a minimal Linux distribution.

But of course, as you mentioned, there are several risks associated with it:

Lack of Updates

Linux isn't free from vulnerabilities - neither the kernel, nor the various bits that make it a useful OS. When such a vulnerability is found and patched by the community, it's usually up to the distro maintainers to package these fixes and ship them out to their users via whichever update mechanism the OS uses.

With a niche distro, it's very much possible that this process never happens, or happens with a substantial delay, leaving you open for attack.

Of course, if the distro you're using is closely tied to another distro, then it's very much possible the maintainers automatically mirror the repositories of the distro they derive from. Though that of course begs the question if you're really using a "niche distro" if it's Ubuntu in all but name anyway.

Lack of Community Attention

When Canonical added spyware to Ubuntu, that was caught relatively quickly by the community, because a lot of people use Ubuntu. The same can't be said for StarOS, GoboLinux, Crux, Parabola, Trillix, Trisquel, Linnix or Ronix (and only some of these names are made up). If one of the maintainers decided to put "unwanted software" into their distribution, it'll likely take a while before anyone notices - solely based on the fact that so few people use these distros.

Lack of Testing

As you said, many of these distros don't have a high budget and their teams are often very small. For example, the repository for GoboLinux has four contributors listed. By comparison, Debian has ~800.

It's only natural that four people can't test every eventuality on every possible hardware. So it may very well be that a distro has a bug that affects integrity or availability on some legacy hardware you're trying to run it on.

Mitigation

But how can this be mitigated? Not in any way, really. Most of these issues stem directly from the fact that these distros are so niche. If you want a niche distro, then you just have to put up with the downsides that that brings.

You could in theory try your best to audit the OS yourself to make sure no malware is present in any of the packages (at the moment) or to ensure packages containing vulnerabilities are patched as soon as possible. But at that point, you're basically contributing to the distro yourself instead of just using it, which may be way more work than would be worth it.

At the end of the day, the community has established a few major distros, which gain support. The further away from these distros you move into "do-it-yourself" territory, the more on your own you are going to be.

  • Good answers. At the risk of pedantry, Backtrack was originally based on Slackware (with its predecessors based on Knoppix and Slax) before it was rebuilt onto Ubuntu - although that really just serves as more evidence for your point. – Gh0stFish Apr 07 '22 at 21:30
  • Also, do not think that major LTS distributions (Debian stable, Ubuntu LTS, CentOS) have good security just because they have teams to backport security fixes. Those teams are understaffed and only the most severe CVEs get their patch backported. When you look into the shared libraries, it's worse, their security fixes rarely get backported. – A. Hersean Apr 08 '22 at 09:13
  • "Lack of updates", "lack of community attention" and "lack of testing" of the small distributions are somewhat mitigated by the much smaller codebase in need of updates, community attention or testing. – fraxinus Apr 08 '22 at 10:34
  • @Gh0stFish Really? Nice, I didn't know that. –  Apr 08 '22 at 10:56
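The "Lack of Updates" and "Mitigation" sections of the answer above describe the gap between an upstream fix being published and a distro shipping the patched package, and suggest checking for yourself that vulnerable packages get patched promptly. The following is an added example of such a patch-lag audit; it is written for this page and is not code from the answer, the commenters, or any distribution. It implements Debian-style version ordering (epoch, upstream version, revision, with `~` sorting before everything else), which follows the rules dpkg uses and is an assumption that fits the Debian- and Ubuntu-derived distros the answer mentions. It then compares a constructed snapshot of installed packages against a constructed advisory feed and reports how many days each unpatched package has been exposed. Every package name, version, advisory id and date in it is made up for the example.

```python
"""Patch-lag audit: flag installed packages that are older than the version
that fixes a published advisory, and report how long each has been exposed.

All package names, versions, advisory ids and dates below are constructed for
the example; they do not describe any real distribution or vulnerability.
"""
from datetime import date


def _order(c: str) -> int:
    # Sort weight of one character in a non-digit segment, following dpkg:
    # '~' sorts before everything (even the end of the string), letters sort
    # by code point, and any other symbol sorts after all letters.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    # Compare one version component (upstream part or revision) by walking
    # alternating non-digit and digit segments, the way dpkg does.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are not significant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # longer digit run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff != 0:
            return first_diff
    return 0


def _split(version: str):
    # "epoch:upstream-revision"; the epoch defaults to 0 and the revision
    # (everything after the last '-') may be absent.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian-style version a is older, equal or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c != 0:
            return -1 if c < 0 else 1
    return 0


# Constructed snapshot of installed packages (the shape `dpkg-query -W` would give).
INSTALLED = {
    "libexample": "1.2.3-1",
    "exampled": "2:0.9.1-3",
    "pkg-tools": "3.0~rc2-1",
}

# Constructed advisory feed: fixed version and publication date per issue.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "libexample", "fixed": "1.2.3-2", "published": "2022-03-01"},
    {"id": "EXAMPLE-ADV-0002", "package": "exampled", "fixed": "2:0.9.1-3", "published": "2022-02-10"},
    {"id": "EXAMPLE-ADV-0003", "package": "pkg-tools", "fixed": "3.0-1", "published": "2022-03-20"},
    {"id": "EXAMPLE-ADV-0004", "package": "not-installed", "fixed": "1.0-1", "published": "2022-03-25"},
]

AS_OF = date(2022, 4, 8)  # constructed "today" for the audit


def patch_lag(installed, advisories, as_of):
    """Return (package, advisory id, installed, fixed, days exposed) for every
    advisory whose fixed version is newer than what is installed, worst first."""
    findings = []
    for adv in advisories:
        current = installed.get(adv["package"])
        if current is None:
            continue  # package not on this system: the advisory does not apply
        if compare_versions(current, adv["fixed"]) < 0:
            days = (as_of - date.fromisoformat(adv["published"])).days
            findings.append((adv["package"], adv["id"], current, adv["fixed"], days))
    return sorted(findings, key=lambda f: f[4], reverse=True)


if __name__ == "__main__":
    for pkg, adv, cur, fixed, days in patch_lag(INSTALLED, ADVISORIES, AS_OF):
        print(f"{pkg}: {adv} unpatched for {days} days (installed {cur}, fixed in {fixed})")
```

On a real Debian-derived system the `INSTALLED` mapping would be filled from `dpkg-query -W -f='${Package} ${Version}\n'` and the advisory feed from the parent distribution's security tracker. A derivative that mirrors its parent's repositories should show close to zero days of lag; a distro that repackages fixes by hand is where the days column grows, which is the measurable form of the "Lack of Updates" risk the answer describes. Note that `3.0~rc2-1` is correctly treated as older than `3.0-1`, a case naive string comparison gets wrong.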

To add another point to the ones that @MechMK1 has listed, another thing that you need to consider is the lifecycle of a niche distribution.

If it's just on a personal system then this is much less of an issue. But if you're going to deploy it into a professional environment, then the lack of a clearly defined support lifecycle is a big problem. This isn't just a technical risk, but also a business risk.

If you use Ubuntu or Red Hat, you get a guarantee that it will be supported for a fixed number of years. If you use Debian, while you don't necessarily have a fixed date, they have a clear lifecycle and provide support for multiple years. Of course this isn't perfect (as anyone who deployed CentOS 8 will tell you), but it gives you some level of stability.

If you use a smaller niche distro, the developer could decide tomorrow that they don't want to support it any more. Or they could get hit by a bus.

And then you're suddenly running an unsupported operating system, and have to scramble to replace it with something that is supported and will receive security updates. Annoying if it's one system, but if you've deployed it to a hundred servers across your environment, then it becomes a big problem.

Gh0stFish
  • Honestly, using some niche distro in an enterprise environment is pretty reckless. Most "niche" distros don't have any professional support whatsoever. –  Apr 08 '22 at 15:54