An interesting article regarding some Ubuntu snap packages

Post by md419 »

Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

Re: An interesting article regarding some Ubuntu snap packages

Post by absque fenestris »

myfirstferrari@protonmail.com :mrgreen: :mrgreen: :mrgreen: and if it's the right name. Brilliant.

Re: An interesting article regarding some Ubuntu snap packages

Post by AZgl1800 »

since it asked for opinions, my Opinion is to stay the hell away from that 'store' as it is obviously infiltrated by trash uploaders.

no one monitoring it? bye bye
LM21.3 Cinnamon ASUS FX705GM | Donate to Mint https://www.patreon.com/linux_mint

Re: An interesting article regarding some Ubuntu snap packages

Post by absque fenestris »

Here, too, good marketing is called for.

Malware? Nonsense - participate in the incomparable Bitcoin community...

Re: An interesting article regarding some Ubuntu snap packages

Post by xenopeek »

The same as goes for Snaps goes for PPAs, Flatpaks, AppStream packages and more: do you trust the persons that compiled and packaged the software for you? Are they officially associated with the project? (as developers, or have the developers named them as official maintainers on their website) Or are they active and visible in the wider free software community? The answer to all of this for Nicolas Tomb is a resounding "no".

This goes back to the article Maintainers Matter that we discussed here 2 years ago. Criticizing the "Cult of App":
App Stores have been a nearly unmitigated disaster for users. Supposedly one of Linux's failings is that there is too much pointless choice, too many K and G versions of things and it divides developer efforts. Why have so many window managers and text editors? App Stores have the same problem. With the traditional FOSS model, there are a hundred different programs and each program is missing a different feature. In the App Store, there are a hundred different programs doing the same thing but each screws the user over in a slightly different way. Spying? Ads? Battery sucking rookie mistakes? Battery sucking bitcoin mining botfarm? Take your pick.
Been there, done that, and now we have another warning about why we should establish trust before installing something from outside the repositories.

Re: An interesting article regarding some Ubuntu snap packages

Post by rene »

absque fenestris wrote: Sat May 12, 2018 8:30 pm myfirstferrari@protonmail.com :mrgreen: :mrgreen: :mrgreen: and if it's the right name. Brilliant.
The right name/address is probably flatpak@lists.freedesktop.org...

Re: An interesting article regarding some Ubuntu snap packages

Post by xenopeek »

You're floating the theory that a Flatpak developer published a Snap package with a bitcoin miner to discredit Snaps? While the same lack of governance (by design) on Snaps holds for Flatpaks and the like? Hope you're trying to be funny because that is some next level tin foil hatting.

Re: An interesting article regarding some Ubuntu snap packages

Post by rene »

I wasn't being completely serious no -- but still a bit. Note that this reflects mostly on the snap store rather than the format; the (more) central snap store is the thing that reaction to snaps from the flatpak community has indeed concentrated on. Quoting the article,
How was this possible? Well, the Ubuntu Snap Store allows anyone to upload snap packages, as opposed to packages (deb) available in the official Ubuntu repositories. The reason for this is to provide more easily installable packages to its users.
which as far as I can see is indeed the case: https://docs.snapcraft.io/build-snaps/publish. In contrast the corresponding page for Flathub, https://github.com/flathub/flathub/wiki/App-Submission explicitly mentions human review (and yes, I know Flathub is as a matter of design less central, but do note it is the only flatpak source to come with, for example, Mint 18 in practice).

Even disregarding the specific matter of this reflecting more on stores than format, assuming that "the general public" would not simply rally around anti-Snap sentiment in response to something like this without paying much attention to technical detail is probably too much to ask for. Just wait for an article like that to hit The Register, say.

Snap/Flatpak-like infrastructure is what I personally believe to be the probably best -- or only, or last -- chance Linux systems have on the consumer desktop. Which one gets to lead is in that view quite important for Ubuntu and, primarily, RedHat. Heck, some "community member" who agrees with me on the importance of the infrastructure may have taken it upon his or her confused self to unite the landscape around just one solution; to help kill Snap.

No, no flatpak developer and any of this certainly amounts to conspiracy generally -- but I am afraid I would not so much categorize it as "next level". Plain tin foil hatting at best -- and honestly a bit less than that. This happens right at the start of the infrastructure being deployed? Before the miner could even expect to realistically infect a number of systems relevant to the culprit? Quite possible. But I would in fact say he or she may also have had some ulterior motive without considering myself to be part of general conspiracy theorists.

Re: An interesting article regarding some Ubuntu snap packages

Post by asinoro »

The question is whether this package technology will affect the main system, or for example whether an auto-update of an app like a browser will cause a big problem with no easy way to revert to a previous good state.
Of course, computer technology is moving towards being able to repair itself, with as little interference from people as possible.

Re: An interesting article regarding some Ubuntu snap packages

Post by Hoser Rob »

xenopeek wrote: Sun May 13, 2018 5:05 am You're floating the theory that a Flatpak developer published a Snap package with a bitcoin miner to discredit Snaps? While the same lack of governance (by design) on Snaps holds for Flatpaks and the like? Hope you're trying to be funny because that is some next level tin foil hatting.
+1. And that's saying something here.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken

Re: An interesting article regarding some Ubuntu snap packages

Post by absque fenestris »

rene wrote: Sun May 13, 2018 4:54 am
absque fenestris wrote: Sat May 12, 2018 8:30 pm myfirstferrari@protonmail.com :mrgreen: :mrgreen: :mrgreen: and if it's the right name. Brilliant.
The right name/address is probably flatpak@lists.freedesktop.org...
The chosen name is really clever. To see what Google says about Tombs & Niclases...

Well - enemy images are there to dismantle them. Maybe on a more serious substructure :mrgreen:

Re: An interesting article regarding some Ubuntu snap packages

Post by michael louwe »

Updated article to the OP ... https://blog.ubuntu.com/2018/05/15/trus ... snap-store (2018/05/15/trust-and-security-in-the-snap-store)

Open or hidden coin-miners inside free apps/programs/software are very much like botnets, ie the surreptitious use of victims' computer resources. They should be considered as malware and illegal. ... https://www.zdnet.com/article/brutal-cr ... iscovered/ (WinstarNssmMiner not only leeches your processing power but will maliciously crash your system if you attempt to remove it.)
....... But I do not mind the display of ads inside free apps/programs/software or the collection of aggregated anonymized user-data for sale to marketers, researchers, etc. I believe many others feel the same.

I believe most LM newbies and average users prefer ...
In the classic Ubuntu repositories, we have the great privilege to work only with software built on trusted infrastructure, from source. That has obvious advantages but also requires a very long time for new bits to show up for millions of users.
with the newbies only needing to verify untrusted software from 3rd-party PPAs, eg Google Chrome is easily verifiable as trusted by newbies.

It seems Ubuntu's Snap apps are nothing but a copy of Google's malware-infested apps from Android Play Store, similar to Firefox 57+'s web-extensions being a copy of Chrome's.
Last edited by michael louwe on Fri May 18, 2018 2:56 am, edited 1 time in total.

Re: An interesting article regarding some Ubuntu snap packages

Post by KBD47 »

Evil, naive or interesting?

The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself.
https://blog.ubuntu.com/2018/05/15/trus ... snap-store

God help us if that is the sort of reasoning and standard Ubuntu uses going forward with Snaps!

Re: An interesting article regarding some Ubuntu snap packages

Post by aes2011 »

KBD47 wrote: Thu May 17, 2018 7:05 pm
Evil, naive or interesting?

The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself.
https://blog.ubuntu.com/2018/05/15/trus ... snap-store

God help us if that is the sort of reasoning and standard Ubuntu uses going forward with Snaps!
A somewhat longer quote has:
The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself.

That perspective was indeed taken by the publisher in question here, who informed us that the goal was to monetise software published under licenses that allow it, unaware of the social or technical consequences. The publisher offered to stop doing that once contacted.

Of course, it is misleading if there is no indication of the secondary purpose of the application. That’s in fact why the application was taken down in the store. There are no rules against mining cryptocurrencies, but misleading users is a problem.
Does the added emphasis (by me) and longer quote make the "reasoning and standard" clearer?

Re: An interesting article regarding some Ubuntu snap packages

Post by aes2011 »

rene wrote: Sun May 13, 2018 5:50 am Just wait for an article like that to hit The Register, say.
Here you go: http://www.theregister.co.uk/2018/05/16 ... _promised/

Re: An interesting article regarding some Ubuntu snap packages

Post by michael louwe »

https://www.zdnet.com/article/brutal-cr ... iscovered/ (Brutal cryptocurrency mining malware crashes your PC when discovered - WinstarNssmMiner not only leeches your processing power but will maliciously crash your system if you attempt to remove it.)

Re: An interesting article regarding some Ubuntu snap packages

Post by Pjotr »

The question arises: should Flatpaks have such a prominent place in Software Manager, nearly indistinguishable from "ordinary" applications? Would it perhaps be a good idea to show a warning / caution for Flatpaks?
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Re: An interesting article regarding some Ubuntu snap packages

Post by KBD47 »

Pjotr wrote: Fri May 18, 2018 4:33 am The question arises: should Flatpaks have such a prominent place in Software Manager, nearly indistinguishable from "ordinary" applications? Would it perhaps be a good idea to show a warning / caution for Flatpaks?
Good point.
Yes. I don't want anything on my machine auto-updating without my knowledge. I prefer to do, and see my updates. This is not Windows after all :)
My choice would be to avoid flatpaks and snaps altogether. The normal packaging methods have served Linux well for 20 years, let's not throw out a tried and true and secure packaging method.

Re: An interesting article regarding some Ubuntu snap packages

Post by xenopeek »

Linux Mint 19's Software Manager should show more information on Flatpaks, like their version. Other work was being done but I can't recall if the update mechanism was changed.

On Linux Mint 18.3 you can always remove the flathub repository with:
flatpak remote-delete flathub

If you later want to add it back you can use:
flatpak remote-add flathub https://flathub.org/repo/flathub.flatpakrepo
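
Before removing a remote as in the post above, it helps to see which installed Flatpaks came from it. The script below is an added example, not part of the original thread; it assumes a flatpak release that supports `--columns` and prints tab-separated rows when piped, and the sample listing and application IDs in it are constructed.

```shell
#!/usr/bin/env bash
# Added example: group installed Flatpak refs by the remote they came from.
# Assumed input: one ref per line, "application<TAB>origin", as printed by
#   flatpak list --columns=application,origin
# when its output goes to a pipe.

# Constructed sample listing (not taken from a real system).
sample_list() {
  printf '%s\t%s\n' \
    'org.example.Editor'  'flathub' \
    'org.example.Player'  'flathub' \
    'org.example.Runtime' 'vendor-repo'
}

# Print the application IDs whose origin is exactly the remote named in $1.
refs_from_remote() {
  awk -F '\t' -v r="$1" '$2 == r { print $1 }'
}

# Print "origin count" for every origin in the listing, sorted by origin.
refs_per_origin() {
  awk -F '\t' 'NF >= 2 { n[$2]++ } END { for (o in n) print o, n[o] }' | sort
}

# Return 0 if no ref in the listing comes from remote $1.
# Otherwise list the dependent refs on stderr and return 1.
remote_unused() {
  local refs
  refs=$(refs_from_remote "$1")
  [ -z "$refs" ] && return 0
  printf 'still installed from %s:\n%s\n' "$1" "$refs" >&2
  return 1
}

# Use the live system when flatpak is present, otherwise the sample.
listing() {
  if command -v flatpak >/dev/null 2>&1; then
    flatpak list --columns=application,origin
  else
    sample_list
  fi
}

listing | refs_per_origin
```

Piping `listing` into `remote_unused flathub` shows what is still installed from that remote before `flatpak remote-delete flathub` is run.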

Re: An interesting article regarding some Ubuntu snap packages

Post by KBD47 »

xenopeek wrote: Fri May 18, 2018 12:40 pm Linux Mint 19's Software Manager should show more information on Flatpaks, like their version. Other work was being done but I can't recall if the update mechanism was changed.

On Linux Mint 18.3 you can always remove the flathub repository with:
flatpak remote-delete flathub

If you later want to add it back you can use:
flatpak remote-add flathub https://flathub.org/repo/flathub.flatpakrepo
xenopeek, thanks for that info!