Snap and modern software (was: Remove /snap directory)

Keith keith at caramail.com
Sat Dec 17 00:08:40 UTC 2022


On 12/16/22 12:05 PM, rikona wrote:
> On Thu, 15 Dec 2022 17:18:17 -0600
> Keith <keith at caramail.com> wrote:
> 
>> On 12/15/22 1:40 PM, rikona wrote:
>>> On Wed, 14 Dec 2022 14:04:54 -0600
>>> Keith <keith at caramail.com> wrote:
> 
> <BIIIG snip> :-)

Heh, I'll strive to be more concise in this post. No guarantees, though!

> 
>> And where to begin to do that? The kernel, obviously as the linked
>> articles above would mandate. Maybe that big ol' linux-firmware
>> package full of unauditable binary blobs that makes your hardware
>> devices work. I guess you trust hardware vendors from foreign
>> countries like China to provide non compromised firmware, right?  Of
>> course, there's the cpu and chipset microcode to consider, especially
>> with Spectre and other exploits of mostly Intel cpu vulnerabilities
>> out there.  Oh, and if you plugged in any usb devices into your
>> system, you'll probably want to check to see if they've
>> surreptitiously flashed the usb controller firmware, or hard drive
>> firmware, or whatever else is flashable on your system to load
>> undetectable spyware on bootup. Bad, bad USB.
>>
>> Trust is the key here. Who do you trust?
> 
> Thanks for the interesting list. I know about many of those, but it's
> always nice to hear about a few more.
> 
> I trust nobody 100%. Trust is not binary - I just try to get the
> highest number. :-) Some, like China, get low estimated trust levels,
> and don't get used at all if possible. Back a bit I had the firewall
> block calls to China - and some seemingly innocuous devices refused to
> work at all. And Comcast refuses to work unless I use their DNS
> servers. Problems everywhere. And there's also privacy, which is a bit
> different but still important.
> 
> So, what do YOU do to keep 'secure', given all the problems? Or do you
> just accept that you're NOT secure?
> 

Oh, I was responding to what you posted in your reply:

"In part, I tend to trust completely open source stuff that is popular, 
with the idea that you code experts may spot something suspicious."

I guess I took "trust completely" a little too literally. Whoops! :)

But yeah, you accept that perfect security is an illusion, and the best 
you can do is mitigate your risks and get on with it. Kinda like driving 
your car on a busy highway. You know in your mind that driving can be a 
deadly activity, but if you thought about all the ways that you could 
easily end up in a fatal car accident through no fault of your own, you 
probably would take the train to commute anywhere. Best you can do is 
make sure your car is in good working order, obey traffic laws, and be 
alert to the other crazy drivers out on the highway. Although, taking a 
defensive driving course wouldn't hurt, either.

That's what my outlandish riff in the last half of my post was about: 
falling down a rabbit hole of security/safety paranoia. It just leads to 
decision-making paralysis. Educating yourself on *reasonable* risks and 
mitigations will keep you from falling down that hole.

And when you reach the limits of your knowledge and ability to assess 
and mitigate your risks, then that's where trust comes in. Trusting in 
other individuals and people in communities who have more knowledge, 
ability, and experience in assessing the risks and coming up with 
solutions to mitigate them, or even eliminate them entirely. I run 
Ubuntu, and therefore I have trust in Canonical, the Ubuntu community of 
volunteers, and by extension Debian and its developers. Because snaps 
are a technical initiative that is part of a list of services and 
products that will benefit Ubuntu users and Canonical customers and 
lead to increased revenues for the company, I trust that Canonical is 
going to make the snap system more secure, easier to use, and increase 
its performance. Why? Because it's in their interest to make that happen. 
Will they succeed? I hope so.

Hmm. Conciseness, it eludes me!

-- 
Keith