Hopefully both of the people using snaps can recover from this.
Sadly that is not true, see snap vs flatpak usage in debian.
Keep criticizing snap (But do it in a way that is trustworthy and valuable), if somebody wants to use snap due to some advantage that is fine but he should make an informed decision
I’d wager a guess and say Debian is probably used on servers more than desktops. I’d wager another guess and say that for server applications many are actually fine with snap
as such, I bring forth the theory that snapd is a popular package on Debian due to it’s widespread use on servers, not because tons of people are running bare Debian on their desktops and preferring snaps.
We need more data to say anything about the desktop.
Wooow Ubuntu didnt expect that huh…
Having a proprietary store ran by a single Company has nothing to do with Linuxes security model
As much as I despise snap, this instance bring some questions into how other popular cross-linux platform app stores like flathub and nix-channels/packages provide guardrails against malwares.
I’m aware flathub has a “verified” checks for packages from the same maintainers/developers, but I’m unsure about nix-channels. Even then, flathub packages are not reviewed by anyone, are they?
Nixpkgs submissions work through GitHub PRs which have to be reviewed, and packages usually build from source (or download binaries from the official site if no source is available, and verifying it against a checksum). It’s a much safer model since every user has a reproducible script to build the binary, especially if Flathub doesn’t have any reviews as you say.
If you want your Flatpak on Flathub.org, you’ll need to open a pull request and go through review.
Wouldn’t it go noticed quickly if a super popular flatpak distribution app is compromised? I love flatpacks for my 5 desktop apps that I actually use everyday, but it is definitely not suitable for general apps I install on a whim.
What do we learned today, kids?
No user control = more malicious possibilities of infecting/screwing up your PC.
If you’re thinking prompts and permissions, that exists. PolKit handles all of that both on and outside the desktop. Many on servers may use
sudoinstead.You don’t have admin/root priveleges by default unless you’re dumb enough to do
sudo -ior login to therootuser
Fedora > Ubuntu
I wonder if there is a way to spot this, even when vetting an app? Do the Maintainers of most distros manually read the code to discover whether an app is malware? Or do they have automated tools like opensuse’s testing tools which can detect malware. (Not sure if opensuse’s tool can test for malware or only app functionality).
Either way we need to have an automated programme that can checks all apps. It’s simply too much for humans given the massive number of apps, libraries etc.
It’s pretty easy, you make sure the manifest is referencing the upstream project
No one is really doing anything. Repos have been poisoned multiple times over the decades, even original source code repos of big projects have been poisoned. If you don’t check the end binary on your system yourself, you’re at risk.
Do the Maintainers of most distros manually read the code to discover whether an app is malware?
No. At best you get a casual glance over the source code and at worst they won’t even test that the app works. It’s all held together with spit and baling wire, if an malicious entity wanted to do some damage, they could do so quite easily, it just would require some preparation.
The main benefit of classic package maintenance is really just time, as it can take months or even years before a package arrives in a distribution, and even once arrived, it has to still make it from unstable to stable, leaving plenty of room for somebody to find the issue before it even comes to packaging and making it substantially less attractive for any attacker, as they won’t get any results for months.
Ok makes sense. Thank you for explaining that 👍
And from “Ubuntu Software” I don’t see a way to report a suspected app.
