Portability and security of snaps - Was: Question about Snaps
Peter Silva
peter at bsqt.homeip.net
Mon Oct 10 15:20:26 UTC 2016
Dependencies are not a problem for apt. When you do:
apt-get install
it knows what the dependencies of the package are, and installs them for you.

Dependency resolution uses less bandwidth and disk space using debs
than snaps, because all packages share their dependencies, instead of
reproducing them.

The lack of robust dependency management is one of the things that
drove me to Debian and Ubuntu many years ago. RPM-based distros
didn't do a good job of that (they may do better now, been a decade
since I checked.) If you have dependency problems with a deb package,
then the package isn't built right.

Here's a puzzle: There are lots of cases where there is a case of
non-hard dependencies (not necessary to work) but adding functionality
when included. Taking a look at libreoffice... The "recommends"
dependency list is a mile long and apt-cache show libreoffice
indicates about two dozen packages that are optional, but provide
enhanced functionality. Examples:
java-6-jre, iceweasel, gstreamer, lib-sane...

So will the snap for libreoffice contain firefox and java? Will
that add a little to the size of the package?

Java-6, for example, is completely deprecated as a security problem.
So the snap can either be "Complete" in that all the functionality is
enabled, or "secure" but drop any functionality that libreoffice
requires java-6 to implement. It can't be both.

In Snaps, the container default model is very positive in putting the
load of getting security to work on the publishers, in that they need
to document what their application needs access to in a fine-grained
way. That's really a step forward from unworkable schemes where
distros or packagers have to do a mini-audit to fit them into the
security framework.

I'm seeing a lot of pros and cons. The "Security" argument for snaps
is a bit of a wash because I don't have faith that application devs
will issue as many snaps as they really need to keep up with the
security flow unless their QA is completely automated, and I don't
know how many software publishers are at that point.

It's different... unclear whether it is better or not at this point,
but it is the new shiny.

On Sun, Oct 9, 2016 at 4:19 PM, Chris <cpollock at embarqmail.com> wrote:
> On Sun, 2016-10-09 at 20:56 +0200, Oliver Grawert wrote:
>> hi,
>> On So, 2016-10-09 at 20:21 +0200, Ralf Mardorf wrote:
>> >
>> > On Sun, 09 Oct 2016 20:04:26 +0200, Oliver Grawert wrote:
>> > >
>> > >
>> > > you also forgot to change the mailing list, let's please take this
>> > > to
>> > > the snapcraft list if you want to go on ....
>> > No, while I agree that users could use snaps, I guess mentioning on
>> > this list, that the old faithful official Ubuntu DEB repositories
>> > have
>> > advantages over snaps is very important.
>> well, exactly the opposite is the case, debs give the maintainer of
>> the
>> package full root access to your system ... while debs from the
>> ubuntu
>> archive might be trustworthy to some extent for the set of supported
>> debs, there is the whole universe archive where most packages get
>> just
>> synced from debian (or even other sources), only snaps solve this
>> problem in a clean and safe way...
>>
>> so please stop saying that debs are having advantages.
>> while being a different type of fish, they do not have advantages in
>> many areas (security, dependencies, painful to package, not portable
>> etc) and a big amount of Canonical developers has worked hard over
>> the
>> last few years to solve these issues by implementing snaps.
>>
>> snaps *will* replace debs in many high level app areas on Ubuntu,
>> *especially* on the desktop.
>>
>> telling people to not use them is not helpful or constructive,
>> telling
>> people to use them and file bugs to find remaining possible drawbacks
>> is though.
>>
> I've been using Linux since the Mandrake 9 days. Before snaps when
> installing an application I'd quite often run into dependencies
> problems where either I'd need a lib => Foo.1 or lib => Foo.1 and Bar.2
> and so forth. That is the main reason I like snaps, everything is
> there, no libs to search for and attempt to install and FWIW I run a
> desktop, have as I said above for many years.
>
> Just my 2cents
>
> Chris
>
> --
> Chris
> KeyID 0xE372A7DA98E6705C
> 31.11972; -97.90167 (Elev. 1092 ft)
> 15:01:55 up 12 days, 7:25, 1 user, load average: 0.10, 0.24, 0.25
> Ubuntu 16.04.1 LTS, kernel 4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016
>
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users