Snap and modern software (was: Remove /snap directory)

rikona rikona at sonic.net
Thu Dec 15 19:40:01 UTC 2022


On Wed, 14 Dec 2022 14:04:54 -0600
Keith <keith at caramail.com> wrote:

> On 12/14/22 11:43 AM, rikona wrote:
> > On Tue, 13 Dec 2022 23:56:32 -0600
> > Keith <keith at caramail.com> wrote:
> > 
> > <BIG snip>  
> >> And of course snaps also allows you to run closed source,
> >> proprietary software which cannot be included in Ubuntu
> >> distributions.  
> > 
> > Perhaps also malware, tracking stuff, etc. Perhaps also easier to
> > make it harder to find such stuff in the package?
> > 
> > How do you protect yourself from bad snaps?
> > 
> I think there's some level of review, but I don't know how extensive
> it is. Right now you can use the command-line snap tool to see if a snap
> is verified to some degree. Green checks by the publisher name
> confirm they have been verified by Canonical. From my observation, a
> green check usually means the publisher is also the developer of the
> software program, or a contributor to the project. Yellow/black star
> badges by a publisher's name I believe indicate the publisher is a
> verified snap packager.
> 
> But really your concern is equally applicable to any source of
> software distribution. How do you protect yourself from bad packages
> hosted in an anonymous PPA?  How do you protect yourself from bad
> Android apps that are in Google's PlayStore? For that matter, how do
> you protect yourself from any bad packages in the Ubuntu archives?
> There are literally thousands of packages in the combined repos. Can
> you ever be sure that a few of those don't contain malware/spyware or
> just badly written pre/post install scripts that can trash your
> system because they're executed with root privileges? Do you vet
> every package that you install on your system to make sure it's not
> doing anything weird? Do you trust your kernel?

Overall, a tough problem, as you point out. In part, I tend to trust
completely open source stuff that is popular, with the idea that you
code experts may spot something suspicious. And, the compiled code was
produced from THAT source. Snaps seem to be much less transparent. Did
they use some library from country X just because it was more
convenient? Or some call-home Google tracking code because it is faster?

Perhaps I need to understand the 'verified' process better, to know
what exactly has been verified.

Thanks,
Rik
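The publisher badges Keith describes above can be checked for every installed snap in one pass. The script below is an added example, not from the thread or from snapd; it parses `snap list` output (a constructed sample is embedded so it runs offline) and assumes the ✓ (verified) and ✪ (starred) badge characters that the snap CLI appends to the publisher name.

```shell
#!/bin/sh
# Constructed sample of `snap list` output (not captured from a real host).
# On a live system feed the real output instead:  snap list | unverified_snaps
SAMPLE_SNAP_LIST='Name     Version   Rev   Tracking       Publisher   Notes
core22   20221103  469   latest/stable  canonical✓  base
firefox  108.0-2   2263  latest/stable  mozilla✓    -
hello    2.10      42    latest/stable  someone     -
helper   1.0       7     latest/stable  packager✪   -'

# Read `snap list` lines on stdin and print "<name> <publisher> <status>"
# per snap. Column 5 is Publisher; the badge assumed here is ✓ for a
# Canonical-verified publisher and ✪ for a starred publisher; a bare
# name carries no badge and is reported as unverified.
classify_publishers() {
    awk 'NR > 1 && NF >= 5 {
        name = $1; pub = $5; status = "unverified"
        if (pub ~ /✓/) status = "verified"
        else if (pub ~ /✪/) status = "starred"
        print name, pub, status
    }'
}

# Names of installed snaps whose publisher has no badge at all, one per
# line: the set worth a closer look (who publishes it, is it open source,
# does the snap store page match the upstream project).
unverified_snaps() {
    classify_publishers | awk '$3 == "unverified" { print $1 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SNAP_LIST" | classify_publishers
```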
