• haui@lemmy.giftedmc.com
    link
    fedilink
    arrow-up
    84
    ·
    9 months ago

    Proprietary software platform makers should always be held accountable for what happens on said platform.

      • inetknght@lemmy.ml
        link
        fedilink
        arrow-up
        37
        ·
        9 months ago

        Disabling a systemd service won’t prevent it from starting. For example, if another service depends on it then it will start anyway.

        You have to mask the service which redirects the service files to /dev/null so that the service effectively has zero directives.

        systemctl mask --now snapd

        It also means that anything which depends on snapd will likely fail. That is absolutely an improvement since we obviously don’t want anything that depends on snaps.

        • Oisteink@feddit.nl
          link
          fedilink
          arrow-up
          11
          ·
          9 months ago

          What’s wrong with just removing snap? When ever I am forced to install Ubuntu I will remove snap and the “advantage-tools” (the part trying to sell you support)

          First I’ll snap remove —purge all snap packages Then apt purge —auotoremove snapd ubuntu-advantage-tools

          • caseyweederman@lemmy.ca
            link
            fedilink
            arrow-up
            9
            ·
            9 months ago

            Leaves behind a bunch of stuff. You have to manually remove each Snap individually, plus the snapshots they take and then hide, and then use Snap to remove itself (it doesn’t let you), then you can apt purge snapd.
            There’s several levels of “we know better than you so we’ll just keep this here for when you inevitably change your mind” and it is exhausting.
            I don’t even know if the above would also clean up all the dev/loop cruft. It was an unpleasant surprise to discover that apt remove alone didn’t at least disable all the systemd .mount units.

            • Oisteink@feddit.nl
              link
              fedilink
              arrow-up
              1
              ·
              9 months ago

              There’s like one directory left after my uninstall - I don’t do this by hand though so I’ll have to look up the playbook.

              My first line was the snap remove

              Might need an autoremove —purge at the end to clean up.

      • Vilian@lemmy.ca
        link
        fedilink
        arrow-up
        8
        ·
        9 months ago

        they are needed, linux need universals package manager, building for every single distro is a waste of time

          • coolmojo@lemmy.world
            link
            fedilink
            arrow-up
            11
            ·
            9 months ago

            A bit of history. The first universal packaging format was snap by Canonical and used to be called Click apps and it was made for the Ubuntu mobile OS and later to the Ubuntu desktop. Red Hat in response to that created the FlatPak format. The AppImages are community effort.

              • dan@upvote.au
                link
                fedilink
                arrow-up
                3
                ·
                9 months ago

                almost every time Ubuntu goes off and does its own thing, not including the rest of the Linux community in its decisions, it ends up designing stuff that never gets adopted

                This is something I like about Debian… They don’t make changes unless it’s really necessary. I run it on all my servers, except an Unraid server. Network config is still in /etc/network/interfaces in the same format it was in 20 years ago. When they adopted systemd, they still had full backwards compatibility with SysV init, and even today I think you can still uninstall systemd. It just keeps working.

              • lengau@midwest.social
                link
                fedilink
                arrow-up
                1
                ·
                9 months ago

                Remember Upstart?

                Yeah, the worst implementation of it I had to deal with was a CentOS 6 system.

                The best implementation I’ve used is probably my Chromebook.

            • leopold@lemmy.kde.social
              link
              fedilink
              English
              arrow-up
              12
              ·
              edit-2
              9 months ago

              AppImages long predate Snaps, but yes, Snaps do predate Flatpaks by a few months. There’s also Nix packages, which predate all three. Of course, this all matters very little compared to the merits of all four technologies. The heavy dependence on proprietary technology for repositories makes Snap clearly unsuitable to become the universal Linux package format.

            • Bezier@suppo.fi
              link
              fedilink
              arrow-up
              10
              ·
              edit-2
              9 months ago

              I don’t think that matters at this point. Flatpak is widespread and Canonical can’t possibly expect the linux crowd to choose the proprietary alternative. I could see snap being the one, had they just handled it differently.

          • Vilian@lemmy.ca
            link
            fedilink
            arrow-up
            1
            ·
            9 months ago

            true, appimage is not exactly a package manager, so we have flatpaks so win in the end btw supporting flatpak and snap is 10x easir than old .rpm .deb and support more distros

    • Snot Flickerman
      link
      fedilink
      English
      arrow-up
      33
      ·
      edit-2
      9 months ago

      Oh, it totally could.

      I don’t actually see anyone in here making such an argument.

      • clearleaf@lemmy.world
        link
        fedilink
        arrow-up
        6
        ·
        9 months ago

        How is this notable or interesting then? I thought we were all just accepting that malicious software is an inherent part of all open platforms.

        • Snot Flickerman
          link
          fedilink
          English
          arrow-up
          24
          ·
          9 months ago

          Open platforms often have individuals running/hosting their own repositories, which means the risk is distributed.

          This means that the individual repository can be attacked without affecting the whole network. The risk is still there, but they would have to simultaneously attack all repositories at once and succeed with all of them.

          In a corporate-hosted platform like Snaps, you have one centralized location that can be abused and that can affect all repositories in the system.

          If someone hacks Canonical, they can make the whole Snap Store an attack vector without nearly as much effort.

          • lengau@midwest.social
            link
            fedilink
            arrow-up
            1
            ·
            9 months ago

            If someone hacks Canonical, they can make the whole Snap Store an attack vector without nearly as much effort.

            So basically the same as if someone hacked flathub? Or if someone hacked Canonical/Debian/Red Hat/whoever and gained access to their package signing key?

    • jbk@discuss.tchncs.de
      link
      fedilink
      arrow-up
      27
      ·
      9 months ago

      Those are just app distribution formats. Since there’s just 1 snap store which can deliver snaps, they’re not comparable.

      • cybersandwich@lemmy.world
        link
        fedilink
        arrow-up
        10
        ·
        9 months ago

        Most people get their flatpaks from the same handful of places though, right? Flathub and ??

        This isn’t a snap specific issue is what he is saying. It could happen to other stores.

        Also, my snap nextcloud is amazing and was the easiest to set up and maintain.

        • jbk@discuss.tchncs.de
          link
          fedilink
          arrow-up
          4
          ·
          9 months ago

          Flathub has manual submission verification though, which includes the steps to build flatpaks. Reviewers (currently) would definitely catch fishy looking apps.

          They’ve also implemented manual reviews in case of metainfo or flatpak permission changes, another thing for additional safety.

      • AMDIsOurLord@lemmy.ml
        link
        fedilink
        arrow-up
        5
        ·
        edit-2
        9 months ago

        People download and run completely opaque AppImages from god knows where and that’s better than Snap Store which is hit with malicious apps so rarely it’s actual news

        Flatpak also has a system where any scammer and malicious developer can just roll their own flatpak repo and voila, nobody can stop them. If it ever becomes mainstream, it’ll be a shit show worse than Google Play

        • Gamma@beehaw.org
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          9 months ago

          You’re pretty much just rehashing a possible apt repo “vulnerability,” but at least with flatpak they remember where each package was installed from.

            • Gamma@beehaw.org
              link
              fedilink
              English
              arrow-up
              3
              ·
              9 months ago

              Anyone can create an apt repo and the override your system packages with new versions.

              At least with flatpak only the applications you installed from the bad actor’s repo would be affected, though obviously they can still have a ton of malicious dependencies

        • jbk@discuss.tchncs.de
          link
          fedilink
          arrow-up
          2
          ·
          9 months ago

          Text files could theoretically contain malicious content. Why doesn’t the format have a built-in virus scanner??? Is this what you’re suggesting?

          • AMDIsOurLord@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            9 months ago

            No, but root-of-trust isn’t really established unless you ONLY take packages that the distro’s security maintainers actually maintain, Flatpak, Appimage and Snap are a bit of a no man’s land. You have to trust the developers to be cool, independent of the tool, unless you as mentioned before use only FOSS software from the distro’s main repositories. And yes, specifically main repos because any random dick can go and upload a PKGBUILD or make a PPA.

      • lengau@midwest.social
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        What Flatpak stores are there in widespread use other than flathub? (Additional servers that depend on the runtimes flathub distributes don’t count.)

    • IHeartBadCode@kbin.social
      link
      fedilink
      arrow-up
      17
      ·
      9 months ago

      It absolutely could. Heck, RPMs and DEBs pulled from random sites can do the exact same thing as well. Even source code can hide something if not checked. There’s even a very famous hack presented by Ken Thompson in 1984 that really speaks to the underlying thing, “what is trust?”

      And that’s really what this gets into. The means of delivery change as the years go by, but the underlying principal of trust is the thing that stays the same. In general, Canonical does review somewhat apps published to snapcraft. However, that review does not mean you are protected and this is very clearly indicated within the TOS.

      14.1 Your use of the Snap Store is at your sole risk

      So yeah, don’t load up software you, yourself, cannot review. But also at the same time, there’s a whole thing of trust here that’s going to need to be reviewed. Not, “Oh you can never trust Canonical ever again!” But a pretty straightforward systematic review of that trust:

      • How did this happen?
      • Where was this missed in the review?
      • How can we prevent this particular thing that allowed this to happen in the future?
      • How do we indicate this to the users?
      • How do we empower them to verify that such has been done by Canonical?

      No one should take this as “this is why you shouldn’t trust Ubuntu!” Because as you and others have said, this could happen to anyone. This should be taken as a call for Canonical to review how they put things on snapcraft and what they can do to ensure users have all the tools so that they can ensure “at least for this specific issue” doesn’t happen again. We cannot prevent every attack, but we can do our best to prevent repeating the same attack.

      It’s all about building trust. And yeah, Flathub and AppImageHub can, and should, take a lesson from this to preemptively prevent this kind of thing from happening there. I know there’s a propensity to wag the finger in the distro wars, tribalism runs deep, but anything like this should be looked as an opportunity to review that very important aspect of “trust” by all. It’s one of the reasons open source is very important, so that we can all openly learn from each other.

      • Oisteink@feddit.nl
        link
        fedilink
        arrow-up
        4
        ·
        9 months ago

        Nice try canonical - no matter what you say snaps is just your way to lock people in to your store. You’re no better than apple, only your product is shit. Excluding the shoulders you stand on, which are made by others. You’re the enshitification of Linux.

        Why would you pull debs from random sites? Do you know how hard that is to do for the average user? And you want to compare that to a download from the store that’s in the basic install on Ubuntu?

    • Empricorn@feddit.nl
      link
      fedilink
      English
      arrow-up
      6
      ·
      9 months ago

      When it does, we’ll deal with it. But in the meantime, the motivation is important. Canonical developed and aggressively pushed Snaps despite most people hating them because… it made then more money.

    • KᑌᔕᕼIᗩ@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      It’s happenend with the AUR too.

      Snaps however have a certain expectation that newer/inexperienced users should be able to trust them.

  • onlinepersona@programming.dev
    link
    fedilink
    English
    arrow-up
    42
    ·
    9 months ago

    I don’t think you understand, it’s closed-source for your safety! If it were opensource there would be many more malicious apps. Only we can hold those at bay and only we know which improvements to implement as we know better than everybody else. Trust me, you’re safer this way /s

    CC BY-NC-SA 4.0

  • makeasnek@lemmy.ml
    link
    fedilink
    English
    arrow-up
    20
    ·
    edit-2
    9 months ago

    If you are going to “be your own bank” you need some very basic computer security skills like:

    • Research the reputation of the wallet you are going to use.
    • Don’t download wallets which aren’t open source
    • Download wallets from their official dev site, not some third party repo.
    • Don’t use Facebook search to find a wallet.
    • If you are storing significant funds, use a multi-sig wallet.
    • If you are not 100% confident in the security of a given wallet or system, send a smaller test transaction first before sending larger amounts

    If you can’t be trusted to do that, you need to pick a trusted custodian to manage access to your funds (you know, like banks), preferably somebody who can get an insurance company to under-write your no-opsec-having-ass. Unfortunately, in the crypto world, these trusted custodians few and far between and have a terrible track record with exchange collapses etc. It’s getting better, but it’s still a mess. Hopefully as time goes on and the industry gets better regulated and more mature, this will be an easier thing to do.

    • reflectedodds@lemmy.world
      link
      fedilink
      arrow-up
      8
      ·
      9 months ago

      The more I learn about web3/crypto, it is increasingly getting closer to real life financials with all the same pitfalls and extra crypto problems

    • Caveman@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      9 months ago

      Yeah, I recommend looking up the most popular hardware wallet and downloading their app from the website. Then doing a round-trip transaction in some currency like XLM.

  • umbrella@lemmy.ml
    link
    fedilink
    arrow-up
    18
    ·
    edit-2
    9 months ago

    sudo snap remove * && sudo apt purge -y snapd && sudo apt install -y gnome-software-plug-flatpak

    until you feel like hopping

  • potentiallynotfelix@iusearchlinux.fyi
    link
    fedilink
    arrow-up
    14
    ·
    9 months ago

    I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps

  • Goku@lemmy.world
    link
    fedilink
    arrow-up
    10
    ·
    9 months ago

    As someone who has been using Ubuntu for 10 years, I am sad that I don’t know more about the intricacies of Linux.

    I know more than I did 10 years ago… But probably would really be uncomfortable running arch.

    I think I will install Debian 24.04 as my desktop (daily driver) this year and be done with Ubuntu. Hopefully I learn some more and eventually try out Arch on my laptop.

    • Oisteink@feddit.nl
      link
      fedilink
      arrow-up
      16
      ·
      9 months ago

      You’d have to wait a while for Debian to reach version 24

      I like Debian - it’s foss and stable

      • Goku@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        9 months ago

        Lol yeah, what is their release schedule like? Any speculation on when 13 is coming out?

        I just assumed Ubuntu releases were based off of Debian.

        • lilith267
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          9 months ago

          Ubuntu maintains it’s own package library which is far newer then Debians but less tested/stable. Debian only releases new version when it’s team feels their ready. However Debian does keep up to date with security patches

          If you would like a distro that keeps itself up to date try out Fedora, it’s updated every 6 months and has been super popular lately

          Note that if you use flatpacks they will be up to date no matter what distro you choose, making Debian a very stable option while still getting new features in applications

          Edit: edited to answer the question more clearly

          • dan@upvote.au
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            9 months ago

            However Debian does keep up to date with security patches

            Only if you use the stable version. Debian has a security team that handles quickly uploading patched versions of Debian packages, but only for stable. Debian testing and unstable aren’t handled by the security team and instead require the package maintainers to upload security updates (which can lag behind)

          • Oisteink@feddit.nl
            link
            fedilink
            arrow-up
            1
            ·
            9 months ago

            I would not claim that Ubuntu is anything but stable. We run a bunch of Ubuntu lts servers at work and there’s hardly any issues. Found a 16.x the other day with over 500 days uptime driving signage. That was desktop version.

            I use Debian because of the OSS focus, and stability. And because I know the distro fairly well. They’re conservative in choice of tools and for instance only went full systemd a few years back (5?)

            I don’t mind systemd but I don’t mind sysv init either. Even slackwares scripts worked fine. If it’s not broken don’t fix it.

      • dan@upvote.au
        link
        fedilink
        arrow-up
        2
        ·
        9 months ago

        I’m considering trying Mint Debian Edition once my new laptop arrives (pre-ordered Framework 16)

    • porl@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      9 months ago

      You can also play with it in a virtual machine. It won’t give you quite the same experience for your specific hardware, but you will get a feel for how it works, especially the package manager etc.

    • yianiris@kafeneio.social
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      Just last week I was arguing with a bunch of #ubuntu fan boys here about how that system prevents you from learning, how Debian is a tiny bit better, but with arch/based systems you both have a reliable daily runner and be able to learn as much as you can take.

      The more you learn the more aggravating debians (mint-ubuntus) become, forcing their choices on you. Arch respects and rewards people who want to do it their way. They provide the blocks, you build your system.

      @youngGoku @mr_MADAFAKA

      • Possibly linux@lemmy.zip
        link
        fedilink
        English
        arrow-up
        7
        ·
        9 months ago

        Arch is unstable and pacman is prone to breakage. That’s not necessarily bad for some people but for people who want everything to be reliable and stable it is problematic

        • yianiris@kafeneio.social
          link
          fedilink
          arrow-up
          1
          ·
          9 months ago

          And you are either an ubuntu/debian troll or pretending to know something.
          Can you show us some reference of how/when pacman broke last?

          Arch-testing has been more stable than sid ever was, and it was rare that sid ever broke.

          And I haven’t used systemd EVER, unless that is where ALL the instability comes from, and I missed it, from wheezy to arch-testing

          @possiblylinux127

          • Possibly linux@lemmy.zip
            link
            fedilink
            English
            arrow-up
            6
            ·
            edit-2
            9 months ago

            Arch uses systemd so you haven’t use Arch if you haven’t used systemd. That probably doesn’t change anything. You are welcome to not use systemd I could care less.

            Arch is unstable because it ships packages that are brand new compared to Debian stable (not sid) that ships packages that have been tested for 2 years. Debian also used to only be free software but that has changed as of recently. (Stability and security are the exception)

            Debian sid is the Debian unstable branch which has little to no testing. Software goes from there into the testing branch before finally making it into stable. By the time that happens its unlikely you will ever find a bug as the vast majority of the bugs have been found.

            On the other hand, Arch pulls the packages as soon as possible as its user base prefers newer packages over stability. That’s fine but to say it is somehow more stable is incorrect. For instance, here are some recent issue on Arch:

            https://archlinux.org/news/openblas-0323-2-update-requires-manual-intervention/

            https://archlinux.org/news/incoming-changes-in-jdk-jre-21-packages-may-require-manual-intervention/

            https://www.tomshardware.com/news/linux-kernel-update-kills-laptop-displays

            My point here isn’t to say Arch is bad. My point is that you can’t just leave Arch by itself for years on auto update without issue. Updating Arch often requires reading of changes and manual fixes. Some people enjoy that, others do not.

          • Shareni@programming.dev
            link
            fedilink
            arrow-up
            2
            ·
            9 months ago
            • bad package update, can’t boot (GRUB)

            • didn’t update in a few weeks, update, can’t boot

            • update script on endeavour gave up at some point, and so I couldn’t boot if I didn’t manually mkinitcpio after updating

            I used it for 2+ years on multiple devices, and almost never updated without having a flash drive nearby to arch-chroot. I ran Mint before that for about the same time, it never crashed let alone failed to boot. I’m now on MX+Nix and get the best of both worlds.

  • AMDIsOurLord@lemmy.ml
    link
    fedilink
    arrow-up
    10
    ·
    9 months ago

    I don’t understand why people are so hell bent on hating Snaps. The architecture is literally better than Flatpak – and I’m quite sure it’s possible to run one’s own Snap host. Some people say they’re bloated and slow, well not anymore than Flatpak (actually less) and people love that?

    • Domi@lemmy.secnd.me
      link
      fedilink
      arrow-up
      20
      ·
      9 months ago

      The architecture is literally better than Flatpak

      Why?

      I don’t understand why people are so hell bent on hating Snaps.

      Every single time I tried snaps in the last years I had a bad time. Either they were slow to start, refused to work (Docker snap) or made my machine boot significantly slower. Granted, I haven’t bothered in a year or so.

      At this point they just released unfinished software that was not ready for production, forced it onto people and are surprised when everybody remembers snap as being partially closed source, slow and unreliable. Even if it’s not now, that’s how the first impression was and it’s going to stick forever.

      • AMDIsOurLord@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        9 months ago

        Refer to an earlier post on the downsides of flatpak, Snap basically doesn’t have a lot of those issues other than the fundamental ones regarding a canonical far package

        You may have used Snaps when they used XZ compression. XZ is a stellar compressor, but for static data. It compresses better at the cost of being slower, nowadays Snaps use fast algorithms tuned for faster decompression, so it starts a lot faster.

        • Norah - She/They
          link
          fedilink
          English
          arrow-up
          7
          ·
          9 months ago

          Even if it’s not now, that’s how the first impression was and it’s going to stick forever.

          I agree with them on this.

    • GnomeComedy@beehaw.org
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      9 months ago

      I hate them because they make Ubuntu useless for a desktop in an enterprise environment. Snaps have a bug where they will NOT open with a network home directory, which is common for a business … And now they’ve made Firefox snap only.

      So for a business environment: you can’t even open the included web browser. WTF?

      Do you understand now?

  • scratchandgame@lemmy.ml
    link
    fedilink
    Tiếng Việt
    arrow-up
    2
    ·
    9 months ago

    Apps aren’t even distributed via snap or flatpak. we have the option to install software we need and compile those are snap or flatpak only.