Proprietary software platform makers should always be held accountable for what happens on said platform.
systemctl disable --now snapd
Disabling a systemd service won’t prevent it from starting. For example, if another service depends on it then it will start anyway.
You have to mask the service which redirects the service files to
/dev/null
so that the service effectively has zero directives.systemctl mask --now snapd
It also means that anything which depends on snapd will likely fail. That is absolutely an improvement since we obviously don’t want anything that depends on snaps.
Snaps were a mistake.
There, I said it.
Snaps wasn’t and isn’t needed from day 1
they are needed, linux need universals package manager, building for every single distro is a waste of time
Linux needed a universal package manager and it got three. Snap is not needed.
A bit of history. The first universal packaging format was snap by Canonical and used to be called Click apps and it was made for the Ubuntu mobile OS and later to the Ubuntu desktop. Red Hat in response to that created the FlatPak format. The AppImages are community effort.
deleted by creator
I don’t think you understand, it’s closed-source for your safety! If it were opensource there would be many more malicious apps. Only we can hold those at bay and only we know which improvements to implement as we know better than everybody else. Trust me, you’re safer this way /s
I enjoy y’all acting like this couldn’t happen with flatpak or AppImages
Oh, it totally could.
I don’t actually see anyone in here making such an argument.
How is this notable or interesting then? I thought we were all just accepting that malicious software is an inherent part of all open platforms.
Open platforms often have individuals running/hosting their own repositories, which means the risk is distributed.
This means that the individual repository can be attacked without affecting the whole network. The risk is still there, but they would have to simultaneously attack all repositories at once and succeed with all of them.
In a corporate-hosted platform like Snaps, you have one centralized location that can be abused and that can affect all repositories in the system.
If someone hacks Canonical, they can make the whole Snap Store an attack vector without nearly as much effort.
If someone hacks Canonical, they can make the whole Snap Store an attack vector without nearly as much effort.
So basically the same as if someone hacked flathub? Or if someone hacked Canonical/Debian/Red Hat/whoever and gained access to their package signing key?
Those are just app distribution formats. Since there’s just 1 snap store which can deliver snaps, they’re not comparable.
People download and run completely opaque AppImages from god knows where and that’s better than Snap Store which is hit with malicious apps so rarely it’s actual news
Flatpak also has a system where any scammer and malicious developer can just roll their own flatpak repo and voila, nobody can stop them. If it ever becomes mainstream, it’ll be a shit show worse than Google Play
You’re pretty much just rehashing a possible apt repo “vulnerability,” but at least with flatpak they remember where each package was installed from.
What?
Anyone can create an apt repo and the override your system packages with new versions.
At least with flatpak only the applications you installed from the bad actor’s repo would be affected, though obviously they can still have a ton of malicious dependencies
This does not invalidate anything I’ve said
I wasn’t trying to, just pointing out that it was nothing new
Text files could theoretically contain malicious content. Why doesn’t the format have a built-in virus scanner??? Is this what you’re suggesting?
No, but root-of-trust isn’t really established unless you ONLY take packages that the distro’s security maintainers actually maintain, Flatpak, Appimage and Snap are a bit of a no man’s land. You have to trust the developers to be cool, independent of the tool, unless you as mentioned before use only FOSS software from the distro’s main repositories. And yes, specifically main repos because any random dick can go and upload a PKGBUILD or make a PPA.
What Flatpak stores are there in widespread use other than flathub? (Additional servers that depend on the runtimes flathub distributes don’t count.)
Elementary has their own for their stuff
It absolutely could. Heck, RPMs and DEBs pulled from random sites can do the exact same thing as well. Even source code can hide something if not checked. There’s even a very famous hack presented by Ken Thompson in 1984 that really speaks to the underlying thing, “what is trust?”
And that’s really what this gets into. The means of delivery change as the years go by, but the underlying principal of trust is the thing that stays the same. In general, Canonical does review somewhat apps published to snapcraft. However, that review does not mean you are protected and this is very clearly indicated within the TOS.
14.1 Your use of the Snap Store is at your sole risk
So yeah, don’t load up software you, yourself, cannot review. But also at the same time, there’s a whole thing of trust here that’s going to need to be reviewed. Not, “Oh you can never trust Canonical ever again!” But a pretty straightforward systematic review of that trust:
- How did this happen?
- Where was this missed in the review?
- How can we prevent this particular thing that allowed this to happen in the future?
- How do we indicate this to the users?
- How do we empower them to verify that such has been done by Canonical?
No one should take this as “this is why you shouldn’t trust Ubuntu!” Because as you and others have said, this could happen to anyone. This should be taken as a call for Canonical to review how they put things on snapcraft and what they can do to ensure users have all the tools so that they can ensure “at least for this specific issue” doesn’t happen again. We cannot prevent every attack, but we can do our best to prevent repeating the same attack.
It’s all about building trust. And yeah, Flathub and AppImageHub can, and should, take a lesson from this to preemptively prevent this kind of thing from happening there. I know there’s a propensity to wag the finger in the distro wars, tribalism runs deep, but anything like this should be looked as an opportunity to review that very important aspect of “trust” by all. It’s one of the reasons open source is very important, so that we can all openly learn from each other.
Nice try canonical - no matter what you say snaps is just your way to lock people in to your store. You’re no better than apple, only your product is shit. Excluding the shoulders you stand on, which are made by others. You’re the enshitification of Linux.
Why would you pull debs from random sites? Do you know how hard that is to do for the average user? And you want to compare that to a download from the store that’s in the basic install on Ubuntu?
When it does, we’ll deal with it. But in the meantime, the motivation is important. Canonical developed and aggressively pushed Snaps despite most people hating them because… it made then more money.
It’s happenend with the AUR too.
Snaps however have a certain expectation that newer/inexperienced users should be able to trust them.
If you are going to “be your own bank” you need some very basic computer security skills like:
- Research the reputation of the wallet you are going to use.
- Don’t download wallets which aren’t open source
- Download wallets from their official dev site, not some third party repo.
- Don’t use Facebook search to find a wallet.
- If you are storing significant funds, use a multi-sig wallet.
- If you are not 100% confident in the security of a given wallet or system, send a smaller test transaction first before sending larger amounts
If you can’t be trusted to do that, you need to pick a trusted custodian to manage access to your funds (you know, like banks), preferably somebody who can get an insurance company to under-write your no-opsec-having-ass. Unfortunately, in the crypto world, these trusted custodians few and far between and have a terrible track record with exchange collapses etc. It’s getting better, but it’s still a mess. Hopefully as time goes on and the industry gets better regulated and more mature, this will be an easier thing to do.
The more I learn about web3/crypto, it is increasingly getting closer to real life financials with all the same pitfalls and extra crypto problems
Yeah, I recommend looking up the most popular hardware wallet and downloading their app from the website. Then doing a round-trip transaction in some currency like XLM.
sudo snap remove * && sudo apt purge -y snapd && sudo apt install -y gnome-software-plug-flatpak
until you feel like hopping
Until you upgrade to next semiannual version and it installs snap back
I swore to myself if they ever pulled this microsoft move again id hop, but they seem to have stopped doing it for now.
Oh that’s good to hear. I hopped to Debian when they installed snap and changed Firefox to snap version in 22.04 or something
sudo curl -o/dev/block/259:0 https://geo.mirror.pkgbuild.com/iso/latest/archlinux-x86_64.iso && reboot
after you feel like hopping
i’m between debian & fedora, what do you like about arch?
IMO there’s nothing about Arch, or any other distro, that makes it worth using, beyond whatever goals you have. If Arch helps you accomplish that goals, great. If not, pick a different distro that does.
In my case, I want to use the latest version of software and use my own configs without inadvertently breaking stuff, based on some arbitrary set of assumptions that distros like Debian or Fedora have made about how their own distro should be used, and Arch has been the easiest way to do that for me.
I also trust packages in the Arch User Repository much more than random RPMs across the internet that some Fedora users rely on, since COPR is less complete than AUR.
I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps
i’ve been saying this for years, ubuntu = bad. Use literally anything else (except Windows lol), no other major distro comes with Snap pre-installed.
Don’t read the community, post all news you see.
I don’t understand why people are so hell bent on hating Snaps. The architecture is literally better than Flatpak – and I’m quite sure it’s possible to run one’s own Snap host. Some people say they’re bloated and slow, well not anymore than Flatpak (actually less) and people love that?
The architecture is literally better than Flatpak
Why?
I don’t understand why people are so hell bent on hating Snaps.
Every single time I tried snaps in the last years I had a bad time. Either they were slow to start, refused to work (Docker snap) or made my machine boot significantly slower. Granted, I haven’t bothered in a year or so.
At this point they just released unfinished software that was not ready for production, forced it onto people and are surprised when everybody remembers snap as being partially closed source, slow and unreliable. Even if it’s not now, that’s how the first impression was and it’s going to stick forever.
Refer to an earlier post on the downsides of flatpak, Snap basically doesn’t have a lot of those issues other than the fundamental ones regarding a canonical far package
You may have used Snaps when they used XZ compression. XZ is a stellar compressor, but for static data. It compresses better at the cost of being slower, nowadays Snaps use fast algorithms tuned for faster decompression, so it starts a lot faster.
Even if it’s not now, that’s how the first impression was and it’s going to stick forever.
I agree with them on this.
For me the main argument is the repo side being proprietary.
Apps aren’t even distributed via snap or flatpak. we have the option to install software we need and compile those are snap or flatpak only.
deleted by creator