• manpacket@lemmyrs.org
      link
      fedilink
      English
      arrow-up
      34
      ·
      1 year ago

      Canonical make it hard not to use snaps so only those who took extra steps are not using them.

    • wiki_me
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      Sadly that is not true, see snap vs flatpak usage in debian.

      Keep criticizing snap (But do it in a way that is trustworthy and valuable), if somebody wants to use snap due to some advantage that is fine but he should make an informed decision

      • rush@lemm.ee
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        I’d wager a guess and say Debian is probably used on servers more than desktops. I’d wager another guess and say that for server applications many are actually fine with snap

        as such, I bring forth the theory that snapd is a popular package on Debian due to it’s widespread use on servers, not because tons of people are running bare Debian on their desktops and preferring snaps.

        We need more data to say anything about the desktop.

  • Admiral Patrick@dubvee.org
    link
    fedilink
    English
    arrow-up
    74
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Good thing I can just install applications from apt instead…

    user@pc:~$: sudo apt install app
    The following additional packages will be installed:
        snapd
    

    …oh.

    • danielfgom@lemmy.world
      link
      fedilink
      English
      arrow-up
      24
      arrow-down
      1
      ·
      1 year ago

      This. This is what really pissed me off about Ubuntu. I even uninstalled (or thought I did) the entire snapd system. But then I went to install something and…it reinstalled snapd. 🤦

      So I moved to Linux Mint which was an excellent experience. And just the other day I replaced that with LMDE 6 (Linux Mint Debian Edition) and I couldn’t be happier.

      It’s the ideal distro for anyone who wants apt but not Ubuntu and doesn’t want the pain of manually installing Debian.

      • tallricefarmer@sopuli.xyz
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        I did a debian install this weekend, and it seemed pretty mild. It asked if I wanted separate partitions for /tmp and /home and if I wanted to encrypt my lvm. Then I chose my desktop environment from a list and that was it. It even installed grub for me.

        • danielfgom@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Yes Debian 12 is easier than Debian has ever been. But your may still need to install the CUPS printing system manually, your machine may not recognise that you’ve attached a printer whereas on Mint it will, and it will install the driver.

          On Debian you’ll probably have to manually install any proprietary drivers (eg WiFi) whereas LMDE did this for me automatically.

          Plus the desktop will be very bland on Debian and you’ll need to take the time to obtain themes, icons etc and make it look nice. Whereas with LMDE they’ve already customised Cinnamon for you, saving lots of time.

          Either way is fine but Debian will need more time to set up and LMDE is ready out of the box

      • Fonzie!@ttrpg.network
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        IMO Linux Mint is a great replacement, too, although it does not come with the default-Gnome desktop layout

          • Fonzie!@ttrpg.network
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            1 year ago

            Same, I feel at home in the Cinnamon DE and no matter how tech savvy I am, the GUI software installer is so much more convenient than using the terminal

    • Draconic NEO@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      7
      arrow-down
      1
      ·
      1 year ago

      Canonical’s changes to apt could be considered malicious in and of themselves because it installs from a source you didn’t request for, sure seems malicious to me.

      • Admiral Patrick@dubvee.org
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        Agreed. Switching out .deb packages in the package manager for snap stubs was a bridge too far, and I went back to Debian.

  • duncesplayed@lemmy.one
    link
    fedilink
    English
    arrow-up
    52
    arrow-down
    1
    ·
    1 year ago

    This is the major reason why maintainers matter. Any method of software distribution that removes the maintainer is absolutely guaranteed to have malware. (Or if you don’t consider 99% software on Google Play Store the App Store to be “malware”, it’s at the very least hostile to and exploitative of users). We need package maintainers.

    • wiki_me
      link
      fedilink
      English
      arrow-up
      16
      arrow-down
      1
      ·
      1 year ago

      The root of the problem i think is that the store is closed source, i don’t think you will find a lot of people willing to work for a closed source store for some for profit company.

  • inspxtr@lemmy.world
    link
    fedilink
    arrow-up
    32
    arrow-down
    1
    ·
    1 year ago

    As much as I despise snap, this instance bring some questions into how other popular cross-linux platform app stores like flathub and nix-channels/packages provide guardrails against malwares.

    I’m aware flathub has a “verified” checks for packages from the same maintainers/developers, but I’m unsure about nix-channels. Even then, flathub packages are not reviewed by anyone, are they?

    • 2xsaiko@discuss.tchncs.de
      link
      fedilink
      arrow-up
      14
      ·
      edit-2
      1 year ago

      Nixpkgs submissions work through GitHub PRs which have to be reviewed, and packages usually build from source (or download binaries from the official site if no source is available, and verifying it against a checksum). It’s a much safer model since every user has a reproducible script to build the binary, especially if Flathub doesn’t have any reviews as you say.

    • Sparking@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Wouldn’t it go noticed quickly if a super popular flatpak distribution app is compromised? I love flatpacks for my 5 desktop apps that I actually use everyday, but it is definitely not suitable for general apps I install on a whim.

  • Amy :3@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    30
    ·
    1 year ago

    As a snap package maintainer i find it weird that there weren’t any guardrails in place to avoid situations like this, considering that the main snap consumer are Ubuntu users and Ubuntu is from canonical.

    I guess I should’ve set my expectations a bit lower

      • Amy :3@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        It’s not that they don’t work better in conjunction, it’s canonical’s lack of moderation in the snapcraft store.

        This could’ve avoided day one by adding a manual review process (like what they are temporarily doing right now)

        I don’t know how flathub handles new package submissions, but I think that they definitely need to have a process similar to what other distros have in place for native packages (heck, even Ubuntu’s own repos have a review process)

    • SALT@lemmy.my.id
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      4
      ·
      1 year ago

      you confuse canonical with fedora or rhel standard… which… is sad… but at least flatpak is the savior in the end. haha…

      • OsrsNeedsF2P
        link
        fedilink
        arrow-up
        10
        arrow-down
        1
        ·
        1 year ago

        Red Had has 20x the employees as Canonical, I hope their product is better

      • Amy :3@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Yeah, my bad 😅

        I’ve forgotten that Canonical is not like Fedora or Red Hat

        …but at least flatpak is the savior in the end.

        Flatpak definitely has a potential, I use them daily. Haven’t had any issues so far

  • Pantherina@feddit.de
    link
    fedilink
    arrow-up
    19
    ·
    1 year ago

    Wooow Ubuntu didnt expect that huh…

    Having a proprietary store ran by a single Company has nothing to do with Linuxes security model

  • GustavoM@lemmy.world
    link
    fedilink
    English
    arrow-up
    19
    arrow-down
    2
    ·
    1 year ago

    What do we learned today, kids?

    No user control = more malicious possibilities of infecting/screwing up your PC.

    • rush@lemm.ee
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      If you’re thinking prompts and permissions, that exists. PolKit handles all of that both on and outside the desktop. Many on servers may use sudo instead.

      You don’t have admin/root priveleges by default unless you’re dumb enough to do sudo -i or login to the root user

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    15
    ·
    1 year ago

    This is the best summary I could come up with:


    Stemming from reports of several fake crypto apps appearing in Canonical’s Snap Store that aimed to steal user funds, temporary restrictions have been put in place while Canonical investigates the security matter.

    A temporary manual review requirement has also been put in place on new Snap registrations.

    This manual review is intended to thwart bad actors from registering names of legitimate applications (or at least legitimate sounding names) and using that as an avenue for pushing malicious Snaps to users.

    "If you try to register a new snap while the requirement is active, you will be prompted to “request reserved name”.

    Upon a successful manual review from the Snap Store staff, the name will be registered.

    We want to thoroughly investigate this incident without introducing any noise into the system, and more importantly, we want to make sure our users have a safe and trusted experience with the Snap Store.


    The original article contains 240 words, the summary contains 150 words. Saved 38%. I’m a bot and I’m open source!

  • danielfgom@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    ·
    1 year ago

    I wonder if there is a way to spot this, even when vetting an app? Do the Maintainers of most distros manually read the code to discover whether an app is malware? Or do they have automated tools like opensuse’s testing tools which can detect malware. (Not sure if opensuse’s tool can test for malware or only app functionality).

    Either way we need to have an automated programme that can checks all apps. It’s simply too much for humans given the massive number of apps, libraries etc.

    • Aux@lemmy.world
      link
      fedilink
      arrow-up
      9
      ·
      1 year ago

      No one is really doing anything. Repos have been poisoned multiple times over the decades, even original source code repos of big projects have been poisoned. If you don’t check the end binary on your system yourself, you’re at risk.

    • lloram239@feddit.de
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      1 year ago

      Do the Maintainers of most distros manually read the code to discover whether an app is malware?

      No. At best you get a casual glance over the source code and at worst they won’t even test that the app works. It’s all held together with spit and baling wire, if an malicious entity wanted to do some damage, they could do so quite easily, it just would require some preparation.

      The main benefit of classic package maintenance is really just time, as it can take months or even years before a package arrives in a distribution, and even once arrived, it has to still make it from unstable to stable, leaving plenty of room for somebody to find the issue before it even comes to packaging and making it substantially less attractive for any attacker, as they won’t get any results for months.

    • OsrsNeedsF2P
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      It’s pretty easy, you make sure the manifest is referencing the upstream project