Snap and modern software (was: Remove /snap directory)

Jeffrey Walton noloader at gmail.com
Thu Dec 15 20:05:39 UTC 2022


On Thu, Dec 15, 2022 at 2:41 PM rikona <rikona at sonic.net> wrote:
>
> On Wed, 14 Dec 2022 14:04:54 -0600
> Keith <keith at caramail.com> wrote:
>
> > On 12/14/22 11:43 AM, rikona wrote:
> > > On Tue, 13 Dec 2022 23:56:32 -0600
> > > Keith <keith at caramail.com> wrote:
> > >
> > > <BIG snip>
> > >> And of course snaps also allow you to run closed source,
> > >> proprietary software which cannot be included in Ubuntu
> > >> distributions.
> > >
> > > Perhaps also malware, tracking stuff, etc. Perhaps also easier to
> > > make it harder to find such stuff in the package?
> > >
> > > How do you protect yourself from bad snaps?
> > >
> > I think there's some level of review, but I don't know how extensive it
> > is. Right now you can use the command-line snap tool to see if a snap
> > is verified to some degree. Green checks by the publisher name
> > confirms they have been verified by Canonical. From my observation, a
> > green check usually means the publisher is also the developer of the
> > software program, or a contributor to the project. Yellow/black star
> > badges by a publisher's name I believe indicates the publisher is a
> > verified snap packager.
> >
> > But really your concern is equally applicable to any source of
> > software distribution. How do you protect yourself from bad packages
> > hosted in an anonymous PPA?  How do you protect yourself from bad
> > Android apps that are in Google's PlayStore? For that matter, how do
> > you protect yourself from any bad packages in the Ubuntu archives?
> > There are literally thousands of packages in the combined repos. Can
> > you ever be sure that a few of those don't contain malware/spyware or
> > just badly written pre/post install scripts that can trash your
> > system because they're executed with root privileges? Do you vet
> > every package that you install on your system to make sure it's not
> > doing anything weird? Do you trust your kernel?
>
> Overall, a tough problem, as you point out. In part, I tend to trust
> completely open source stuff that is popular, with the idea that you
> code experts may spot something suspicious. And, the compiled code was
> produced from THAT source. Snaps seem to be much less transparent. Did
> they use some library from country X just because it was more
> convenient? Or some call-home Google tracking code because it is faster?
>
> Perhaps I need to understand the 'verified' process better, to know
> what exactly has been verified.

As far as I know, there's no guarantee the distro is overseeing the
build and packaging process. There's no guarantee the folks creating
the package are actually associated with the project. There's no
guarantee the package is being configured to align with the project's
best practices for mass consumption. There's no guarantee the
unadulterated package sources are being used to build a package.

We already know how that's going to end: NPM.
https://threatpost.com/malicious-npm-packages-web-apps/178137/,
https://duo.com/decipher/dozens-of-malicious-data-harvesting-npm-packages-found
and friends. And more generally,
https://www.google.com/search?q=npm+javascript+malicious+packages.

Jeff
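The publisher check Keith describes above, scripted as an added example (not from anyone in this thread): it reads `snap info` output and reports whether the publisher carries the ✓ (verified) or ✪ (starred) marker that snapd appends to the publisher name. The sample `snap info` texts are constructed for the demo, and the `check_snap_publisher` wrapper is a hypothetical helper that needs snapd and store access.

```shell
#!/bin/sh
# Classify a snap publisher's store validation from `snap info` text on stdin.
# Prints one of: verified | starred | unverified | unknown
snap_publisher_status() {
  awk '
    /^publisher:/ {
      line = $0
      sub(/^publisher:[[:space:]]*/, "", line)   # strip the field label
      if (index(line, "✓") > 0)      status = "verified"   # identity confirmed by Canonical
      else if (index(line, "✪") > 0) status = "starred"    # starred (trusted packager) badge
      else                           status = "unverified" # no badge at all
      found = 1
      exit
    }
    END { print (found ? status : "unknown") }             # no publisher line seen
  '
}

# Hypothetical wrapper for a live check: $1 is the snap name.
check_snap_publisher() {
  snap info "$1" 2>/dev/null | snap_publisher_status
}

# Constructed samples modelled on `snap info` output (not captured from a real run).
SAMPLE_VERIFIED='name:      core
summary:   snapd runtime environment
publisher: Canonical✓
store-url: https://snapcraft.io/core
'
SAMPLE_STARRED='name:      some-packaged-app
summary:   Community packaging of an upstream app
publisher: snapcrafters✪
'
SAMPLE_UNVERIFIED='name:      example-tool
summary:   Example tool
publisher: Some Person (someperson)
'

# Demo: classify each constructed sample.
for s in "$SAMPLE_VERIFIED" "$SAMPLE_STARRED" "$SAMPLE_UNVERIFIED"; do
  printf '%s -> %s\n' "$(printf '%s' "$s" | awk '/^name:/ {print $2}')" \
    "$(printf '%s' "$s" | snap_publisher_status)"
done
```

A "verified" result only means Canonical confirmed who the publisher is; it says nothing about how the snap was built or what the code does.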
