Snap and modern software (was: Remove /snap directory)

rikona rikona at sonic.net
Sat Dec 17 03:38:44 UTC 2022


On Fri, 16 Dec 2022 18:08:40 -0600
Keith <keith at caramail.com> wrote:

> On 12/16/22 12:05 PM, rikona wrote:
> > On Thu, 15 Dec 2022 17:18:17 -0600
> > Keith <keith at caramail.com> wrote:
> >   
> >> On 12/15/22 1:40 PM, rikona wrote:  
> >>> On Wed, 14 Dec 2022 14:04:54 -0600
> >>> Keith <keith at caramail.com> wrote:  
> > 
> > <BIIIG snip> :-)  
> 
> Heh, I'll strive to more concise in this post. No guarantees, though!
> 
> >   
> >> And where to begin to do that? The kernel, obviously as the linked
> >> articles above would mandate. Maybe that big ol' linux-firmware
> >> package full of unauditable binary blobs that makes your hardware
> >> devices work. I guess you trust hardware vendors from foreign
> >> countries like China to provide non compromised firmware, right?
> >> Of course, there's the cpu and chipset microcode to consider,
> >> especially with Spectre and other exploits of mostly Intel cpu
> >> vulnerabilities out there.  Oh, and if you plugged in any usb
> >> devices into your system, you'll probably want to check to see if
> >> they've surreptitiously flashed the usb controller firmware, or
> >> hard drive firmware, or whatever else is flashable on your system
> >> to load undetectable spyware on bootup. Bad, bad USB.
> >>
> >> Trust is the key here. Who do you trust?  
> > 
> > Thanks for the interesting list. I know about many of those, but
> > it's always nice to hear about a few more.
> > 
> > I trust nobody 100%. Trust is not binary - I just try to get the
> > highest number. :-) Some, like China, get low estimated trust
> > levels, and don't get used at all if possible. Back a bit I had the
> > firewall block calls to China - and some seemingly innocuous
> > devices refused to work at all. And Comcast refuses to work unless
> > I use their DNS servers. Problems everywhere. And there's also
> > privacy, which is a bit different but still important.
> > 
> > So, what do YOU do to keep 'secure', given all the problems? Or do
> > you just accept that you're NOT secure?
> >   
> 
> Oh, I was responding to what you posted in your reply:
> 
> "In part, I tend to trust completely open source stuff that is
> popular, with the idea that you code experts may spot something
> suspicious."
> 
> I guess took "trust completely" a little too literally. Whoops! :)

I should have written that differently. :-) "In part" should be in
upper case bold to emphasize it. :-) And the word pairing/connectivity
should be "completely open source" NOT "trust completely". :-) Makes a
big difference...

> But yeah, you accept that perfect security is an illusion, and the
> best you can do is mitigate your risks and get on with it. Kinda like
> driving your car on a busy highway. You know in your mind that
> driving can be a deadly activity, but if you thought about all the
> ways that you could easily end up in a fatal car accident through no
> fault of your own, you probably would take the train to commute
> anywhere. Best you can do is make sure your car is in good working
> order, obey traffic laws, an be alert to the other crazy drivers out
> on the highway. Although, taking a defensive driving course wouldn't
> hurt, either.
> 
> That's what my outlandish riff in the last half of my post was about: 
> falling down a rabbit hole of security/safety paranoia. It just leads
> to decision-making paralysis Educating yourself on *reasonable* risks
> and mitigations will keep you from falling down that hole.

Agreed. But for non-pro software folks like me, even that can be a lot
of work. I rely largely on multiple security/privacy reviews, but one
has to trust those too. [There's that word again. :-) ]

> And when you reach the limits of your knowledge and ability to assess 
> and mitigate your risks, then that's where trust comes in. Trusting
> in other individuals and people in communities who have more
> knowledge, ability, and experience in assessing the risks and coming
> up with solutions to mitigate them, or even eliminate them entirely.
> I run Ubuntu, and therefore I have trust in Canonical, the Ubuntu
> community of volunteers, and by extension Debian and its developers.
> Because snaps are a technical initiative that is part of a list of
> services and products that will benefit Ubuntu users and  Canonical
> customers and lead to increased revenues for the company, I trust
> that Canonical is going to make the snap system more secure, easier
> to use, and increase its performance. Why? Because its in their
> interest to make that happen. Will they succeed? I hope so.

So do I!

> Hmm. Conciseness, it eludes me!

That's OK. "The Devil's in the details" as the saying goes....

Rik





More information about the ubuntu-users mailing list