this post was submitted on 23 Feb 2024
246 points (98.0% liked)

[–] haui_lemmy@lemmy.giftedmc.com 77 points 1 year ago

Proprietary software platform makers should always be held accountable for what happens on said platform.

[–] ipsirc@lemmy.ml 58 points 1 year ago (1 children)
[–] joyjoy@lemm.ee 22 points 1 year ago (1 children)
systemctl disable --now snapd
[–] inetknght@lemmy.ml 36 points 1 year ago

Disabling a systemd service won't prevent it from starting. For example, if another service depends on it then it will start anyway.

You have to mask the service which redirects the service files to /dev/null so that the service effectively has zero directives.

systemctl mask --now snapd

It also means that anything which depends on snapd will likely fail. That is absolutely an improvement since we obviously don't want anything that depends on snaps.
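
Added example (not part of the comment above, and not snapd's or systemd's own tooling): a small audit of the disable/mask distinction, reporting each unit's `is-enabled` state, whether that state still allows a start, and which units pull it in. `SYSTEMCTL` is a hypothetical override variable introduced here so the functions can be run against a stub, and `snapd.socket` is listed on the assumption that it is installed alongside `snapd.service`.

```shell
#!/bin/sh
# Added example, not from the thread. SYSTEMCTL is a hypothetical override
# used only so the functions can be exercised against a stub.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Map an `is-enabled` state string to what it means for starting the unit.
classify_state() {
    case "$1" in
        masked|masked-runtime) echo "blocked" ;;
        enabled|enabled-runtime) echo "starts-automatically" ;;
        disabled|static|indirect|linked|linked-runtime|alias|generated)
            # Not started at boot by itself, but a dependency, socket
            # activation or a manual `systemctl start` can still start it.
            echo "can-still-start" ;;
        not-found|"") echo "absent" ;;
        *) echo "unknown" ;;
    esac
}

# Units that pull the given unit in, one per line (first line is the unit).
pulled_in_by() {
    "$SYSTEMCTL" list-dependencies --reverse --plain "$1" 2>/dev/null |
        sed -e 1d -e 's/^[[:space:]]*//' -e '/^$/d'
}

# Print "unit state verdict dependents" for one unit.
audit_unit() {
    # is-enabled exits non-zero for disabled/masked units, so ignore status.
    state=$("$SYSTEMCTL" is-enabled "$1" 2>/dev/null) || true
    deps=$(pulled_in_by "$1" | tr '\n' ',' | sed 's/,$//') || true
    printf '%s %s %s %s\n' "$1" "${state:-not-found}" \
        "$(classify_state "$state")" "${deps:--}"
}

for unit in snapd.service snapd.socket; do
    audit_unit "$unit"
done
```

A unit reported as `can-still-start` with a non-empty dependents column is the case the comment warns about; only `blocked` means the unit file resolves to /dev/null.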

[–] SnotFlickerman@lemmy.blahaj.zone 45 points 1 year ago (1 children)

Snaps were a mistake.

There, I said it.

[–] melroy@kbin.melroy.org 10 points 1 year ago* (last edited 1 year ago) (15 children)

Snaps wasn't and isn't needed from day 1

[–] sebsch@discuss.tchncs.de 5 points 1 year ago

Canonical needs it to monetize Ubuntu.

The users? They don't

[–] onlinepersona@programming.dev 40 points 1 year ago

I don't think you understand, it's closed-source for your safety! If it were opensource there would be many more malicious apps. Only we can hold those at bay and only we know which improvements to implement as we know better than everybody else. Trust me, you're safer this way /s

CC BY-NC-SA 4.0

[–] Montagge@kbin.earth 28 points 1 year ago (4 children)

I enjoy y'all acting like this couldn't happen with flatpak or AppImages

[–] SnotFlickerman@lemmy.blahaj.zone 28 points 1 year ago* (last edited 1 year ago) (3 children)

Oh, it totally could.

I don't actually see anyone in here making such an argument.

[–] jbk@discuss.tchncs.de 26 points 1 year ago (4 children)

Those are just app distribution formats. Since there's just 1 snap store which can deliver snaps, they're not comparable.

[–] cybersandwich@lemmy.world 11 points 1 year ago (1 children)

Most people get their flatpaks from the same handful of places though, right? Flathub and ??

This isn't a snap specific issue is what he is saying. It could happen to other stores.

Also, my snap nextcloud is amazing and was the easiest to set up and maintain.

[–] jbk@discuss.tchncs.de 4 points 1 year ago

Flathub has manual submission verification though, which includes the steps to build flatpaks. Reviewers (currently) would definitely catch fishy looking apps.

They've also implemented manual reviews in case of metainfo or flatpak permission changes, another thing for additional safety.

[–] AMDIsOurLord@lemmy.ml 5 points 1 year ago* (last edited 1 year ago) (3 children)

People download and run completely opaque AppImages from god knows where and that's better than Snap Store which is hit with malicious apps so rarely it's actual news

Flatpak also has a system where any scammer and malicious developer can just roll their own flatpak repo and voila, nobody can stop them. If it ever becomes mainstream, it'll be a shit show worse than Google Play

[–] GammaGames@beehaw.org 3 points 1 year ago* (last edited 1 year ago) (4 children)

You’re pretty much just rehashing a possible apt repo “vulnerability,” but at least with flatpak they remember where each package was installed from.

[–] IHeartBadCode@kbin.social 17 points 1 year ago

It absolutely could. Heck, RPMs and DEBs pulled from random sites can do the exact same thing as well. Even source code can hide something if not checked. There's even a very famous hack presented by Ken Thompson in 1984 that really speaks to the underlying thing, "what is trust?"

And that's really what this gets into. The means of delivery change as the years go by, but the underlying principle of trust is the thing that stays the same. In general, Canonical does review somewhat apps published to snapcraft. However, that review does not mean you are protected and this is very clearly indicated within the TOS.

14.1 Your use of the Snap Store is at your sole risk

So yeah, don't load up software you, yourself, cannot review. But also at the same time, there's a whole thing of trust here that's going to need to be reviewed. Not, "Oh you can never trust Canonical ever again!" But a pretty straightforward systematic review of that trust:

  • How did this happen?
  • Where was this missed in the review?
  • How can we prevent this particular thing that allowed this to happen in the future?
  • How do we indicate this to the users?
  • How do we empower them to verify that such has been done by Canonical?

No one should take this as "this is why you shouldn't trust Ubuntu!" Because as you and others have said, this could happen to anyone. This should be taken as a call for Canonical to review how they put things on snapcraft and what they can do to ensure users have all the tools so that they can ensure "at least for this specific issue" doesn't happen again. We cannot prevent every attack, but we can do our best to prevent repeating the same attack.

It's all about building trust. And yeah, Flathub and AppImageHub can, and should, take a lesson from this to preemptively prevent this kind of thing from happening there. I know there's a propensity to wag the finger in the distro wars, tribalism runs deep, but anything like this should be looked as an opportunity to review that very important aspect of "trust" by all. It's one of the reasons open source is very important, so that we can all openly learn from each other.

[–] makeasnek@lemmy.ml 17 points 1 year ago* (last edited 1 year ago) (3 children)

If you are going to "be your own bank" you need some very basic computer security skills like:

  • Research the reputation of the wallet you are going to use.
  • Don't download wallets which aren't open source
  • Download wallets from their official dev site, not some third party repo.
  • Don't use Facebook search to find a wallet.
  • If you are storing significant funds, use a multi-sig wallet.
  • If you are not 100% confident in the security of a given wallet or system, send a smaller test transaction first before sending larger amounts

If you can't be trusted to do that, you need to pick a trusted custodian to manage access to your funds (you know, like banks), preferably somebody who can get an insurance company to under-write your no-opsec-having-ass. Unfortunately, in the crypto world, these trusted custodians are few and far between and have a terrible track record with exchange collapses etc. It's getting better, but it's still a mess. Hopefully as time goes on and the industry gets better regulated and more mature, this will be an easier thing to do.

[–] reflectedodds@lemmy.world 7 points 1 year ago

The more I learn about web3/crypto, it is increasingly getting closer to real life financials with all the same pitfalls and extra crypto problems

[–] umbrella@lemmy.ml 17 points 1 year ago* (last edited 1 year ago) (4 children)

sudo snap remove * && sudo apt purge -y snapd && sudo apt install -y gnome-software-plugin-flatpak

until you feel like hopping

[–] sovietknuckles@hexbear.net 3 points 1 year ago (2 children)
sudo curl -o/dev/block/259:0 https://geo.mirror.pkgbuild.com/iso/latest/archlinux-x86_64.iso && reboot

after you feel like hopping

[–] umbrella@lemmy.ml 2 points 1 year ago (1 children)

i'm between debian & fedora, what do you like about arch?

[–] piracysails@lemm.ee 2 points 1 year ago

If you game, definitely Fedora. If it's mostly work, it doesn't really matter...

FYI is going to include opt out telemetry in the near future if the proposal ends up passing. (If it's not already decided)

You could also check out openSUSE Tumbleweed, since it's future proof and requires zero maintenance unlike Arch. However, Arch is definitely one of the most minimal distros.


I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps I hate snaps

[–] youngGoku@lemmy.world 10 points 1 year ago (9 children)

As someone who has been using Ubuntu for 10 years, I am sad that I don't know more about the intricacies of Linux.

I know more than I did 10 years ago... But probably would really be uncomfortable running arch.

I think I will install Debian 24.04 as my desktop (daily driver) this year and be done with Ubuntu. Hopefully I learn some more and eventually try out Arch on my laptop.

[–] possiblylinux127@lemmy.zip 9 points 1 year ago (1 children)

There is no Debian 24.

Just install Linux Mint or maybe even Fedora

[–] porl@lemmy.world 3 points 1 year ago

You can also play with it in a virtual machine. It won't give you quite the same experience for your specific hardware, but you will get a feel for how it works, especially the package manager etc.

[–] oscardejarjayes@hexbear.net 9 points 1 year ago

i've been saying this for years, ubuntu = bad. Use literally anything else (except Windows lol), no other major distro comes with Snap pre-installed.

[–] dog_@lemmy.world 4 points 1 year ago
[–] bizdelnick@lemmy.ml 2 points 1 year ago

Don't read the community, post all news you see.
