Canonical are currently dealing with a security incident with the Snap store, after users noticed multiple fake apps were uploaded so temporary limits have been put in place.

  • moose@reddthat.com
    link
    fedilink
    arrow-up
    58
    ·
    1 year ago

    I stopped using the Snap Store the moment I realized the majority of the Snaps were uploaded by totally random people who have zero relationship with the app itself.

    For example: https://snapcraft.io/publisher/kz6fittycent

    You’re telling me this guy is personally involved with all 43 snaps he’s published? You want me to believe he’s going to dutifully maintain all 43 of them?

    Yeah. Okay. Sure. Totally.

    It’s like, there’s a man on the street corner selling chicken nuggets he swears he got from McDonalds. Do you want to buy nuggets from him or just walk around the corner and get them from McDonalds yourself?

    • cmhe@lemmy.ml
      link
      fedilink
      arrow-up
      38
      arrow-down
      6
      ·
      1 year ago

      I dislike the snap store as well, but what you describe is how packaging works on Debian as well. Anyone can make, maintain a package. And there are people there that maintain even more packages.

      However, there is a difference when uploading it to the repos, you either have to be a Debian developer or find one to sponsor your package first. After a while of doing good work, you can also request becoming one yourself.

      This additional burden makes it more difficult for malicious people to go through.

      Personally I prefer this separation of software developer and package maintainer, because that makes it a bit more difficult for malicious devs to push packages directly or for them to not package them the optimal way for the distro.

      • wiki_me@lemmy.ml
        link
        fedilink
        English
        arrow-up
        11
        ·
        1 year ago

        I think that in practice it prevents them completely, i never heard of any type malware uploaded to debian or nix and flathub for that matter.

    • BitingChaos@lemmy.world
      link
      fedilink
      English
      arrow-up
      16
      arrow-down
      1
      ·
      1 year ago

      After realizing the Godot package in Ubuntu was terribly outdated, I checked their snap store.

      There are half a dozen Godot packages on Snapcraft, uploaded by random people. There is no indication of which a user should actually get, as none are “official”. The one package that has a “verified” check also has a full description of just the word “blah”, so it’s clear it’s not the real one and the “verified” checkmark means nothing.

      Anyone that wants to upload something can. Non-functional, non-tested apps, others’ work, abandoned apps, malware, etc.

      And then the system ties your hands behind your back and refuses to let you control things like updates.

      Snaps are an abortion and it has been turning people off to Ubuntu like crazy.

  • Doc Blaze@lemmy.world
    link
    fedilink
    arrow-up
    36
    arrow-down
    2
    ·
    edit-2
    1 year ago

    ahem attention Walmart shoppers. PSA.

    Do NOT. ever. EVER. use the snap store.

    EVER.

    Other responsible distros like mint have gone as far as disallowing it for good reason.

    Alright now, have a good day, kiddies.

  • Lvxferre@lemmy.ml
    link
    fedilink
    arrow-up
    24
    ·
    1 year ago

    At those times I’m glad that I ditched Ubuntu for Mint. Less stupid shit to deal with. (That was partially motivated by snaps. I’ve seen bored snails in alcoholic stupor running faster than snaps.)

    • entropicdrift@lemmy.sdf.org
      link
      fedilink
      arrow-up
      9
      ·
      edit-2
      1 year ago

      As someone who’s daily driven more than a dozen distros over the past 18 years or so, I used to always go back to Ubuntu because “it just works” and I’ve never had it break from a standard update, unlike Manjaro and (once or twice) Arch. Once the Snap store started being actively pushed, e.g. the Firefox apt package just being an alias for the snap, I jumped ship to Mint permanently for all of my main PCs. Well, also Armbian for my ARM mini PCs, and Asahi for the Mac mini, but yeah.

      Fuck Snap and especially fuck the snap store

  • TheAnonymouseJoker@lemmy.ml
    link
    fedilink
    arrow-up
    13
    arrow-down
    3
    ·
    edit-2
    1 year ago

    I find the shitting on Snap technology itself unreasonable. I left Ubuntu LTS for Debian Stable partly due to Snaps (and Debian is supreme distro), but the technology itself has a massive advantage over Flatpak if it became more adopted – system integration.

    Malicious actors being able to upload Snaps and them being less vetted is moreso a weakness of FOSS infrastructure underfunding, and not because “snap bad”.

    • Fisch@lemmy.ml
      link
      fedilink
      arrow-up
      11
      ·
      1 year ago

      Big issue with snaps for me has always been the proprietary backend and that they try to make a new standard instead of improving flatpak which most distros have alrady adopted

      • setVeryLoud(true);@lemmy.ca
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Canonical loves reinventing the wheel instead of using and improving something that already exists. It’s also either source-available (not OSS, as no contributions are possible) or closed-source. Examples are Mir (Wayland), Snaps (flatpak) and Unity (GNOME 3).

        • Fisch@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Unity wasn’t FOSS? And they tried to make a non-FOSS window manager as well?

  • VisuallyHuman@lemmy.world
    link
    fedilink
    arrow-up
    9
    arrow-down
    1
    ·
    edit-2
    1 year ago

    ༼ つ ◕_◕ ༽つ ANDDD this is why I use Fedora with Flatpak/Flathub. I like my Open Source-ness “sauce” in my packages, they’re also sandboxed, but they’re lightweight(and easier to review), they share dependencies when needed and it keeps me away from Canonical.

  • StarkillerX42@lemmy.ml
    link
    fedilink
    arrow-up
    4
    arrow-down
    1
    ·
    1 year ago

    I don’t know anything about this hack because I just heard of it, but I look forward to finding out how it’s actually much worse than meets the eye. I know this is how it will end because this is how every deep dive into snap issues ends.

    • Affine Connection@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I look forward to finding out how it’s actually much worse than meets the eye. [emphasis added]

      It this schadenfreude because you hate Canonical and their Snap system?

      • TeddE@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        Yes. Absolutely 100%. Canonical has a pretty solid track record of acting like a corporation.

        Can’t speak for @[email protected], but I was happy with Ubuntu when they first started - they took the best of open-source, put it in a nice package and then put money into improving it. It’s just over the years they’ve drifted away from that and slowly have been replacing stuff with their own in-house stuff. At this point, they’re sorta Microsoft light. Maybe harmless today, but only because they want to look better than the competition.

        If that alone weren’t sufficient reason to be skeptically pessimistic, enshitification is trending, all corporations seem to feel that now is the time to turn the screws. Can’t blame a guy for expecting bad news generally in this environment.

      • StarkillerX42@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        I left Ubuntu after they apt install firefox became a hidden alias to snap install firefox. Every time Canonical does something worse, I’m reassured I made a good choice.