An interesting article regarding some Ubuntu snap packages

Post by md419 » Sat May 12, 2018 7:46 pm

Last edited by xenopeek on Sun May 13, 2018 12:48 am, edited 1 time in total.
Reason: as this isn't about Linux Mint or a support request, moved it here

Post by absque fenestris » Sat May 12, 2018 8:30 pm

myfirstferrari@protonmail.com :mrgreen: :mrgreen: :mrgreen: and if it's the right name. Brilliant.
Linux Mint 18.3 Sylvia (Mate) 32-bit - Acer D250 Netbook (Intel Atom N270, 2 GB RAM, 120 GB SSD)

Post by AZgl1500 » Sat May 12, 2018 9:02 pm

Since it asked for opinions, my opinion is to stay the hell away from that 'store' as it is obviously infiltrated by trash uploaders.

No one monitoring it? Bye bye

Post by absque fenestris » Sat May 12, 2018 9:19 pm

Here, too, good marketing is called for.

Malware? Nonsense - participate in the incomparable Bitcoin community...

Post by xenopeek » Sun May 13, 2018 1:04 am

The same as goes for Snaps goes for PPAs, Flatpaks, AppStream packages and more: do you trust the persons that compiled and packaged the software for you? Are they officially associated with the project? (as developers, or have the developers named them as official maintainers on their website) Or are they active and visible in the wider free software community? The answer to all of this for Nicolas Tomb is a resounding "no".

This goes back to the article Maintainers Matter that we discussed here 2 years ago. Criticizing the "Cult of App":
App Stores have been a nearly unmitigated disaster for users. Supposedly one of Linux's failings is that there is too much pointless choice, too many K and G versions of things and it divides developer efforts. Why have so many window managers and text editors? App Stores have the same problem. With the traditional FOSS model, there are a hundred different programs and each program is missing a different feature. In the App Store, there are a hundred different programs doing the same thing but each screws the user over in a slightly different way. Spying? Ads? Battery sucking rookie mistakes? Battery sucking bitcoin mining botfarm? Take your pick.
Been there, done that, and now we have another warning about why we should establish trust before installing something from outside the repositories.

Post by rene » Sun May 13, 2018 4:54 am

absque fenestris wrote:
Sat May 12, 2018 8:30 pm
myfirstferrari@protonmail.com :mrgreen: :mrgreen: :mrgreen: and if it's the right name. Brilliant.
The right name/address is probably flatpak@lists.freedesktop.org...

Post by xenopeek » Sun May 13, 2018 5:05 am

You're floating the theory that a Flatpak developer published a Snap package with a bitcoin miner to discredit Snaps? While the same lack of governance (by design) on Snaps holds for Flatpaks and the like? Hope you're trying to be funny because that is some next level tin foil hatting.

Post by rene » Sun May 13, 2018 5:50 am

I wasn't being completely serious no -- but still a bit. Note that this reflects mostly on the snap store rather than the format; the (more) central snap store is the thing that reaction to snaps from the flatpak community has indeed concentrated on. Quoting the article,
How was this possible? Well, the Ubuntu Snap Store allows anyone to upload snap packages, as opposed to packages (deb) available in the official Ubuntu repositories. The reason for this is to provide more easily installable packages to its users.
which as far as I can see is indeed the case: https://docs.snapcraft.io/build-snaps/publish. In contrast the corresponding page for Flathub, https://github.com/flathub/flathub/wiki/App-Submission explicitly mentions human review (and yes, I know Flathub is as a matter of design less central, but do note the only flatpak source to come with for example Mint 18 in practice).

Even disregarding the specific matter of this reflecting more on stores than format, assuming that "the general public" would not simply rally around anti-Snap sentiment in response to something like this without paying much attention to technical detail is probably too much to ask for. Just wait for an article like that to hit The Register, say.

Snap/Flatpak-like infrastructure is what I personally believe to be the probably best -- or only, or last -- chance Linux systems have on the consumer desktop. Which one gets to lead is in that view quite important for Ubuntu and, primarily, RedHat. Heck, some "community member" who agrees with me on the importance of the infrastructure may have taken it upon his or her confused self to unite the landscape around just one solution; to help kill Snap.

No, no flatpak developer and any of this certainly amounts to conspiracy generally -- but I am afraid I would not so much categorize it as "next level". Plain tin foil hatting at best -- and honestly a bit less than that. This happens right at the start of the infrastructure being deployed? Before the miner could even expect to realistically infect a to the culprit relevant number of systems? Quite possible. But I would in fact say he or she may also have had some ulterior motive without considering myself to be part of general conspiracy theorists.

Post by asinoro » Sun May 13, 2018 6:10 am

The question is whether this packaging technology will affect the main system, or, for example, whether an auto-update of an app like a browser will cause a big problem without an easy way to revert to a previous good state.
Of course, computer technology is moving towards being able to repair itself, with human interference kept to a minimum.

Post by Hoser Rob » Mon May 14, 2018 8:41 am

xenopeek wrote:
Sun May 13, 2018 5:05 am
You're floating the theory that a Flatpak developer published a Snap package with a bitcoin miner to discredit Snaps? While the same lack of governance (by design) on Snaps holds for Flatpaks and the like? Hope you're trying to be funny because that is some next level tin foil hatting.
+1. And that's saying something here.

Post by absque fenestris » Mon May 14, 2018 9:25 am

rene wrote:
Sun May 13, 2018 4:54 am
absque fenestris wrote:
Sat May 12, 2018 8:30 pm
myfirstferrari@protonmail.com :mrgreen: :mrgreen: :mrgreen: and if it's the right name. Brilliant.
The right name/address is probably flatpak@lists.freedesktop.org...
The chosen name is really clever. To see what Google says about Tombs & Niclases...

Well - enemy images are there to dismantle them. Maybe on a more serious substructure :mrgreen:

Post by michael louwe » Wed May 16, 2018 4:04 am

Updated article to the OP ... https://blog.ubuntu.com/2018/05/15/trus ... snap-store (2018/05/15/trust-and-security-in-the-snap-store)

Open or hidden coin-miners inside free apps/programs/software are very much like botnets, ie the surreptitious use of victims' computer resources. They should be considered as malware and illegal. ... https://www.zdnet.com/article/brutal-cr ... iscovered/ (WinstarNssmMiner not only leeches your processing power but will maliciously crash your system if you attempt to remove it.)
....... But I do not mind the display of ads inside free apps/programs/software or the collection of aggregated anonymized user-data for sale to marketers, researchers, etc. I believe many others feel the same.

I believe most LM newbies and average users prefer ...
In the classic Ubuntu repositories, we have the great privilege to work only with software built on trusted infrastructure, from source. That has obvious advantages but also requires a very long time for new bits to show up for millions of users.
with the newbies only needing to verify untrusted software from 3rd-party PPAs, eg Google Chrome is easily verifiable as trusted by newbies.

It seems Ubuntu's Snap apps are nothing but a copy of Google's malware-infested apps from Android Play Store, similar to Firefox 57+'s web-extensions being a copy of Chrome's.
Last edited by michael louwe on Fri May 18, 2018 2:56 am, edited 1 time in total.

Post by KBD47 » Thu May 17, 2018 7:05 pm

Evil, naive or interesting?

The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself.
https://blog.ubuntu.com/2018/05/15/trus ... snap-store

God help us if that is the sort of reasoning and standard Ubuntu uses going forward with Snaps!

Post by aes2011 » Fri May 18, 2018 2:31 am

KBD47 wrote:
Thu May 17, 2018 7:05 pm
Evil, naive or interesting?

The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself.
https://blog.ubuntu.com/2018/05/15/trus ... snap-store

God help us if that is the sort of reasoning and standard Ubuntu uses going forward with Snaps!
A somewhat longer quote has:
The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself.

That perspective was indeed taken by the publisher in question here, who informed us that the goal was to monetise software published under licenses that allow it, unaware of the social or technical consequences. The publisher offered to stop doing that once contacted.

Of course, it is misleading if there is no indication of the secondary purpose of the application. That’s in fact why the application was taken down in the store. There are no rules against mining cryptocurrencies, but misleading users is a problem.
Does the added emphasis (by me) and longer quote make the "reasoning and standard" clearer?

Post by aes2011 » Fri May 18, 2018 2:46 am

rene wrote:
Sun May 13, 2018 5:50 am
Just wait for an article like that to hit The Register, say.
Here you go: http://www.theregister.co.uk/2018/05/16 ... _promised/

Post by michael louwe » Fri May 18, 2018 2:59 am

https://www.zdnet.com/article/brutal-cr ... iscovered/ (Brutal cryptocurrency mining malware crashes your PC when discovered - WinstarNssmMiner not only leeches your processing power but will maliciously crash your system if you attempt to remove it.)

Post by Pjotr » Fri May 18, 2018 4:33 am

The question arises: should Flatpaks have such a prominent place in Software Manager, nearly indistinguishable from "ordinary" applications? Would it perhaps be a good idea to show a warning / caution for Flatpaks?
Tip: 10 things to do after installing Linux Mint 19 Tara
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Post by KBD47 » Fri May 18, 2018 10:58 am

Pjotr wrote:
Fri May 18, 2018 4:33 am
The question arises: should Flatpaks have such a prominent place in Software Manager, nearly indistinguishable from "ordinary" applications? Would it perhaps be a good idea to show a warning / caution for Flatpaks?
Good point.
Yes. I don't want anything on my machine auto-updating without my knowledge. I prefer to do, and see my updates. This is not Windows after all :)
My choice would be to avoid flatpaks and snaps altogether. The normal packaging methods have served Linux well for 20 years, let's not throw out a tried and true and secure packaging method.

Post by xenopeek » Fri May 18, 2018 12:40 pm

Linux Mint 19's Software Manager should show more information on Flatpaks, like their version. Other work was being done but I can't recall if the update mechanism was changed.

On Linux Mint 18.3 you can always remove the flathub repository with:
flatpak remote-delete flathub

If you later want to add it back you can use:
flatpak remote-add flathub https://flathub.org/repo/flathub.flatpakrepo

Post by KBD47 » Fri May 18, 2018 1:06 pm

xenopeek wrote:
Fri May 18, 2018 12:40 pm
Linux Mint 19's Software Manager should show more information on Flatpaks, like their version. Other work was being done but I can't recall if the update mechanism was changed.

On Linux Mint 18.3 you can always remove the flathub repository with:
flatpak remote-delete flathub

If you later want to add it back you can use:
flatpak remote-add flathub https://flathub.org/repo/flathub.flatpakrepo
xenopeek, thanks for that info!
