Hopefully both of the people using snaps can recover from this.
Sadly that is not true, see snap vs flatpak usage in debian.
Keep criticizing snap (But do it in a way that is trustworthy and valuable), if somebody wants to use snap due to some advantage that is fine but he should make an informed decision
As a snap package maintainer i find it weird that there weren’t any guardrails in place to avoid situations like this, considering that the main snap consumer are Ubuntu users and Ubuntu is from canonical.
I guess I should’ve set my expectations a bit lower
Wooow Ubuntu didnt expect that huh…
Having a proprietary store ran by a single Company has nothing to do with Linuxes security model
As much as I despise snap, this instance bring some questions into how other popular cross-linux platform app stores like flathub and nix-channels/packages provide guardrails against malwares.
I’m aware flathub has a “verified” checks for packages from the same maintainers/developers, but I’m unsure about nix-channels. Even then, flathub packages are not reviewed by anyone, are they?
What do we learned today, kids?
No user control = more malicious possibilities of infecting/screwing up your PC.
I wonder if there is a way to spot this, even when vetting an app? Do the Maintainers of most distros manually read the code to discover whether an app is malware? Or do they have automated tools like opensuse’s testing tools which can detect malware. (Not sure if opensuse’s tool can test for malware or only app functionality).
Either way we need to have an automated programme that can checks all apps. It’s simply too much for humans given the massive number of apps, libraries etc.
No one is really doing anything. Repos have been poisoned multiple times over the decades, even original source code repos of big projects have been poisoned. If you don’t check the end binary on your system yourself, you’re at risk.
It’s pretty easy, you make sure the manifest is referencing the upstream project
Do the Maintainers of most distros manually read the code to discover whether an app is malware?
No. At best you get a casual glance over the source code and at worst they won’t even test that the app works. It’s all held together with spit and baling wire, if an malicious entity wanted to do some damage, they could do so quite easily, it just would require some preparation.
The main benefit of classic package maintenance is really just time, as it can take months or even years before a package arrives in a distribution, and even once arrived, it has to still make it from unstable to stable, leaving plenty of room for somebody to find the issue before it even comes to packaging and making it substantially less attractive for any attacker, as they won’t get any results for months.
Ok makes sense. Thank you for explaining that 👍
And from “Ubuntu Software” I don’t see a way to report a suspected app.
