
Niche Linux distributions can/may introduce risks such as lack of updates, limited community attention and reduced testing.

Ubuntu, openSUSE and Fedora can be considered mainstream. Mainstream distributions are typically backed by corporations such as Canonical, IBM or EQT. They may have mature security practices, dedicated teams and infrastructure that's focused on delivering products that pass security, engineering & development standards.

What are the dangers of using mainstream distributions? Can these be avoided or minimized? If yes, how?

For example:

  • distribution lock-in (technical expertise, timely updates, robust testing for continued support).
  • increased lifecycle management (regular hardware replacements as mainstream vendors may choose to only support a range of hardware for a period of time which may introduce vulnerabilities to those in the community that continue or are dependent on older equipment).
  • limiting choices (adoption of the direction of the mainstream vendor).
fenixleon
  • Are you not hardening your installs? – Brad Apr 07 '22 at 20:10
  • @Brad - Hardening an install assumes that 1) the user is aware of securing their build, 2) the user has the skills and knowledge of their threat model, and 3) it addresses certain types of risk, e.g. it doesn't remove the risks associated with vendor lock-in. – fenixleon Apr 07 '22 at 20:50
  • @fenixleon or it means the user has access to CIS benchmarking scripts and knows how to run a script. That said, that has nothing to do with the risks you're asking about, which seem to have nothing to do with security, so I'm voting to close as off-topic. – Mike Ounsworth Apr 07 '22 at 20:56
  • @MikeOunsworth - That's 1) and 2). The risks I mentioned can have an impact on security. For example, if there is vendor lock-in, there is now a dependency on the practices the vendor has from a security perspective. Increased lifecycle management can lead to vulnerabilities if hardware is no longer supported. Limiting choices means that you can only run certain types of applications, and if those applications have a different security model to that of the mainstream vendor, it's a security gap. – fenixleon Apr 07 '22 at 21:01
  • This is way too broad. It depends entirely on your threat model. As for vendor lock-in, the nice thing about Linux is that anything that works on one distro will work on another. There are no real security issues specific to mainstream distros, although there are mainstream distros with security issues. – forest Apr 07 '22 at 21:19
  • @forest - Most, if not all, security considerations depend on a given threat model. This doesn't reduce the value/benefit of having a baseline similar to CIS benchmarks, NIST guidelines and Security Technical Implementation Guides. Migrating from one Linux distribution to another, although an option, may not always be financially viable, which is as much a security consideration since budgets aren't infinite. Rebuilding entire fleets of servers or CI/CD pipelines, for example, comes at a cost. If there are mainstream distributions with security issues, that poses a potential threat or danger. – fenixleon Apr 08 '22 at 03:25
  • There's a good reason for third-party risk assessments and audits. – fenixleon Apr 08 '22 at 03:35
  • @forest how come the question about niche distros was not too broad? – user253751 Apr 08 '22 at 11:41
  • @fenixleon I do see where you're coming from; while vendor and hardware lock-in, and complex patching procedures are not directly security issues, they are tangentially related to security issues. That said, there is no way that your question, as asked, can be satisfactorily answered in the 2 - 3 paragraph Stack Exchange format. If you narrowed it down to a specific distro and a specific problem (ex.: "What security issues arise from a complex RedHat Satellite patching setup?") then maybe it would be answerable in 2 - 3 paragraphs, but even there I'm not convinced ... – Mike Ounsworth Apr 08 '22 at 17:20
