Author Topic: does this create a security vulnerability for Ubuntu based distros  (Read 844 times)

Offline dougal

  • Posting Member
  • Full Member
  • *
  • Posts: 120
  • Karma: +0/-0
    • View Profile
I was listening to this video on the upcoming 2019 releases and wondered what others ,perhaps more savvy than I , think about the premise offered around Snap apps no longer being code-line vetted? here's the link and the part I'm referring to is @ 16minutes...there are also a bunch of ideas around this move in the comment section below the video.

https://youtu.be/Xy7v5tdfSZM

here's the links to the referenced articles:

 https://wiki.ubuntu.com/DiscoDingo/ReleaseSchedule

https://blueprints.launchpad.net/ubuntu/+spec/package-management-default-snap

https://www.omgubuntu.co.uk/2018/11/ubuntu-19-04-release-features

https://snapcraft.io/blog/trust-and-security-in-the-snap-store

for someone who has just started migrating to Linux (I've been using the linux mint family depending on the resources of the particular machine) from Windows this creates a decision point on what distro(s) to move to if this premise becomes reality.
 

Offline Jason Wallwork

  • President
  • Administrator
  • Hero Member
  • *****
  • Posts: 2167
  • Karma: +5/-0
    • View Profile
Re: does this create a security vulnerability for Ubuntu based distros
« Reply #1 on: February 22, 2019, 05:39:31 pm »
A few comments about the video:

I wasn't aware of there not being a alpha for 19.04. However, in a way there are lots of alphas. Do a search on the Ubuntu website right at the top for 19.04 alpha and the top hit leads to the daily build which anybody can download and try out. Though they call it a daily build, it looks like it hasn't changed since February 3 so I suppose it's more like an alpha really. If you go up the file tree, you'll find they also have "pending" which are actual daily builds but haven't yet been automatically tested. I suppose that means they might not have tested that they work (at all) but they'll be more recent.

http://cdimage.ubuntu.com/daily-live/

So I'm a bit surprised this guy didn't look that up before jumping to conclusions about it not being adequately tested. It wasn't a hard search to find this page, took me, 2 seconds.

Regarding Snap, that's interesting what he's talking about but he seems to ignore the entirely of what snapcraft said. I suggest reading the entire section on Software Reviews and not just the paragraph he pulls from it. He says they are going to be just relying on the publisher but the paragraph before says:

"App Stores for iOS, Android and Windows follow some standard patterns for quality and security control automated checkpoints that packages must go through before they are accepted, and manual reviews by a human when specific issues are flagged. The Snap Store implements both of these patterns."

I had problems with snap, but security isn't one of the things I'm worried about. I just find that the few times I've used a snap package it hasn't worked. I hope they don't rely on it for a few more iterations for that reason.

I totally agree with him about silent upgrades. I hate that idea.

I kind of feel like this guy is the Alex Jones of Linux, no, not that he's spouting off lies but that he's a bit of a loud mouth who seems to be making broad statements while ignoring pertinent details and doing it in a mouthy take-no-prisoners way of speaking. Guys like that annoy me to no end.

To sum it up, I don't think there's a huge reason to worry, at least not until we know more, and secondly, Linux Mint has an edition already based on Debian (LMDE). So if Ubuntu started to make more bad design decisions like mentioned, LM would probably base their main edition on LMDE. I wouldn't rush to make any decisions yet, though.
Primary: Dell Desktop i5 - 3.2 GHz w/ Kubuntu 19.04 / Win 10 Pro
Secondary/Test:  Toshiba i3 - 1.4 GHz w/ Windows 10 Pro and Linux Du Jour (Ubuntu 19.10 right now)
Sony Xperia XA1 Ultra ( Android 8 ) on Freedom
Huawei MediaPad T3 10 ( Android 7 ) on Virgin

Offline Jason Wallwork

  • President
  • Administrator
  • Hero Member
  • *****
  • Posts: 2167
  • Karma: +5/-0
    • View Profile
Re: does this create a security vulnerability for Ubuntu based distros
« Reply #2 on: March 01, 2019, 09:24:30 am »
Forgot to thank you for posting this, Dougal. I'm a bit sad that nobody else also replied to your helpful post. And subject is worth a listening to his video for the part about Snap packages anyway.

After giving this more thought, he might be correct that this will open up Ubuntu to higher security risk (there's always some risk) since software won't necessarily be coming through Ubuntu but through the publisher. Although, this is still subject to the checks mentioned above so it's not as if they're accepting the software with no review at all.
But it's true that Ubuntu may not be testing snaps. If it's software installed by default, I expect they'll be testing it, especially if you're going to rely more on snaps as he quoted Canonical as saying.

You can also turn off Snap packages in your setting or use Synaptic which won't see them. At least I believe that's correct. Can somebody else confirm?

Note that you're taking the same risk happen when you rely on third-party repos (repositories) as I think several of us do. For example, I use repos for Spotify, Chrome, SpiderOak and Timeshift. They come directly from the software publishers and do not through Ubuntu. If those publishers were bad actors, they could slip in malware and I wouldn't know it.
Primary: Dell Desktop i5 - 3.2 GHz w/ Kubuntu 19.04 / Win 10 Pro
Secondary/Test:  Toshiba i3 - 1.4 GHz w/ Windows 10 Pro and Linux Du Jour (Ubuntu 19.10 right now)
Sony Xperia XA1 Ultra ( Android 8 ) on Freedom
Huawei MediaPad T3 10 ( Android 7 ) on Virgin

Offline fox

  • Posting Member
  • Hero Member
  • *
  • Posts: 1255
  • Karma: +3/-0
    • View Profile
Re: does this create a security vulnerability for Ubuntu based distros
« Reply #3 on: March 01, 2019, 12:37:58 pm »
So far I have largely avoided snaps and flatpak apps. They are very bloated because they include all the packages needed to run them. I had a snap for SimpleNote once because the newest version wouldn't run without the snap packaging. But eventually this was fixed, so I got rid of the snap and just downloaded the app without it.
Ubuntu 19.10 and openSUSE Leap on 2011 iMac
Linux Mint Cinnamon 19.2 on "late 2015" 5k iMac
Ubuntu 19.10 and 18.04 on Dell XPS 13 2 in 1

Offline Jason Wallwork

  • President
  • Administrator
  • Hero Member
  • *****
  • Posts: 2167
  • Karma: +5/-0
    • View Profile
Re: does this create a security vulnerability for Ubuntu based distros
« Reply #4 on: March 02, 2019, 02:09:16 am »
I noticed that Ubuntu of late is using quite a few more snaps. Even thunderbird, which is there by default, is a snap. You won't see them in Synaptic, I don't think so you might not have noticed, but if you look up programs in Software Manager, there are many common programs available as snaps, and not in a special snap section, just there, even among recommended programs. This might be where you say something about synaptic again and I get it, but novice users may not even be aware of Synaptic so this is what they're going to be stuck with more and more in the future.

Check out the links at the blueprint launchpad page for how developers are consider using snaps in the future, perhaps even using it for entire system upgrades.

As far as bloat goes, I don't care a fig that they take up more disk space. Disk space is cheap. But I'd be concerned if their memory footprints increased dramatically as a result, at least until I can afford an upgrade! :-)
Primary: Dell Desktop i5 - 3.2 GHz w/ Kubuntu 19.04 / Win 10 Pro
Secondary/Test:  Toshiba i3 - 1.4 GHz w/ Windows 10 Pro and Linux Du Jour (Ubuntu 19.10 right now)
Sony Xperia XA1 Ultra ( Android 8 ) on Freedom
Huawei MediaPad T3 10 ( Android 7 ) on Virgin