Question about Snaps

Ralf Mardorf silver.bullet at zoho.com
Sun Oct 9 03:15:15 UTC 2016


On Sat, 8 Oct 2016 18:25:54 -0400, Peter Silva wrote:
>I don't think snaps are a mess, it is just different, putting the onus
>on security patches on the snap maintainers, rather than the distro.

As a user I could take a look at
  https://www.ubuntu.com/usn/
to be aware of vulnerabilities on my system.

It's the same for all distros, they have security teams taking care
of this. Arch not only has got a website as Ubuntu has got, but
also a command line tool to check all installed packages from official
repositories against known vulnerabilities.

Often there are no fixes to get rid of vulnerabilities, so we
especially need to be aware of those vulnerabilities.

How could we be aware of all unfixed vulnerabilities introduced by
snaps? Is there an Ubuntu security team maintaining websites providing
lists of all snaps with vulnerabilities?

How do security updates work? Is it impossible to keep a vulnerable
snap, or does a security upgrade enforce replacement?

We also need to consider that security is granted by chance discovery
if a huge community uses shared libraries instead of multiple
duplicates of libraries provided by several maintainers. It makes it
much easier for intelligence agencies to manipulate source code as
soon as chance discovery becomes more unlikely.

Regards,
Ralf

More information about the ubuntu-users mailing list