Question about Snaps

Oliver Grawert ogra at ubuntu.com
Sun Oct 9 02:52:12 UTC 2016 

hi,
On Sa, 2016-10-08 at 23:36 +0200, Ralf Mardorf wrote:
> On Sat, 08 Oct 2016 16:13:29 -0500, Chris wrote:
> > 
> > Some keywords are 'an application with its dependencies', 'secure,
> > sandboxed, containerized'
> 
> Several security experts consider them as less secure. If everything
> links against the same library version, it's easy to keep track with
> vulnerabilities, https://www.ubuntu.com/usn/ , if several snaps use
> different releases of the same library, it becomes a mess.
> 
except that the handfull of the bigger desktop apps on linux do exactly
this today already, firefox, thunderbird, chrome/chromium, skype, steam
all build, link and ship their complete set of depending libs today
inside their deb, libreoffice does this partially ... 

what i find interesting is that you seem to not consider the ubuntu
security team to be experts (despite using (and obviously trusting)
their distro and even quoting one of their pages above), note that over
the last two years quite a big part of their work time went into the
security design of snaps (and into solutions to issues like the one you
describe above).

> For a desktop computer there seems to be no advantage when using
> snaps.

well, see above ...

and beyond this, actual desktop users don't care what gets installed
when they pick an app in the software center for installation ... 

ask a mac user what the package format of the apps is that he has
installed ... 

the same mac user will tell you that he *does* care to have this years
photoshop edition though, even if his MacOS install is from two years
ago.

> Since Ubuntu provides LTS releases, snaps theoretically could work
> around issues, if new software is required, but then OTOH to chose a
> LTS is wrong in the first place. Perhaps a rolling release distro
> would
> be the better way to go, if new software is more important, than the
> advantages of a LTS release.

LTS releases have exactly one single purpose, enterprise/company usage
...

normal users want the ability to use newer apps on their OS and dont
want to be stuck for five years with a missing feature in their office
suite (that has been implemented 6 months after the LTS came out but
will only work on the new version of the app). feel free to ask our
libreoffice team for download statistics of the libreoffice PPA, it is
probably one of the most used package archives on old LTS installs
(next to the firefox nightly builds) ... 

maintaining that PPA is a massive pain though.
while creating a snapcraft.yaml that you can ship in the libreoffice
git tree after you created it to have your package auto-rebuilt as soon
as one of the upstream branches of the libs changes (i.e. if it gets a
security fix) is a one time thing. snaps take a massive burden off the
developers while at the same time giving users complete independence
from the underlying distro/release.

> 
> Communication among different apps is an issue, if each app runs
> inside
> its own sandbox/container alike thingy, let alone that until
> now permissions to use hardware could be tricky, too.

you might want to read up about snappy's interfaces system, it solves
such issues in a very elegant and secure way ;)

> 
> IOW some of us consider snaps either due to the state of development
> or
> in general as bad.

what exactly qualifies you to make such a judgement ? (given the level
of knowledge about snaps you expose above)

ciao
	oli

PS: feel free to move on with this discussion on [1], i think it gets
off topic for ubuntu-users

[1] https://lists.ubuntu.com/mailman/listinfo/snapcraft
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20161009/3ba52eac/attachment.sig>

More information about the ubuntu-users mailing list