Ubuntu Snappy

gaseousness
Joined: 08/25/2020

One of the most challenging aspects of running a modern software repository is just making sure that the published software is indeed only doing what it’s supposed to. In the classic Ubuntu repositories, we have the great privilege to work only with software built on trusted infrastructure, from source. That has obvious advantages but also requires a very long time for new bits to show up for millions of users. Snaps enable a much more direct path for publishers to deliver their software to users across a wide range of Linux distributions, ensuring that those apps are securely confined.

App Stores for iOS, Android and Windows follow some standard patterns for quality and security control – automated checkpoints that packages must go through before they are accepted, and manual reviews by a human when specific issues are flagged. The Snap Store implements both of these patterns.

Even then, the inherent complexity of software means it’s impossible for a large scale repository to only accept software after every individual file has been reviewed in detail. That’s true whether source code is available or not as no institution can afford to review hundreds of thousands of incoming source code lines every single day. Because of that, the most successful trust model is based on the origin of the software, not its content. In other words, trust the publisher rather than the application itself.

https://snapcraft.io/blog/trust-and-security-in-the-snap-store
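The quoted post describes the store's acceptance model in the abstract: trust is anchored in the publisher's identity rather than in a file-by-file review of the contents, automated checkpoints run on every upload, and a human is only pulled in when a checkpoint flags something. The following is an added example, not code from the Snap Store, snapd or the blog post, that models that pipeline as a small Go program: a publisher signs a package manifest with an Ed25519 key registered with the store, the store rejects anything whose signature does not match a registered publisher key, and a hypothetical list of interfaces that require human review (the names `system-files` and `network` here are stand-ins, not the store's real review policy) decides between automatic acceptance and a manual-review queue. The manifest layout is also an assumption; real snap assertions look different.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Manifest is the metadata a publisher signs at upload time.
// Field names are hypothetical; they are not snapd's assertion format.
type Manifest struct {
	Name       string   `json:"name"`
	Publisher  string   `json:"publisher"`
	Version    string   `json:"version"`
	Interfaces []string `json:"interfaces"` // capabilities the package asks for
}

// Upload pairs a manifest with the publisher's signature over it.
type Upload struct {
	Manifest  Manifest
	Signature []byte
}

// Verdict is the outcome of the store's automated checkpoint.
type Verdict string

const (
	Rejected Verdict = "rejected"
	Flagged  Verdict = "flagged-for-manual-review"
	Accepted Verdict = "accepted"
)

// Store knows the registered publisher keys (the trust anchor) and which
// interfaces trip a human review (hypothetical policy for this example).
type Store struct {
	publisherKeys  map[string]ed25519.PublicKey
	reviewRequired map[string]bool
}

// NewStore builds a store with a constructed review policy.
func NewStore() *Store {
	return &Store{
		publisherKeys:  map[string]ed25519.PublicKey{},
		reviewRequired: map[string]bool{"system-files": true}, // constructed example value
	}
}

// RegisterPublisher generates a key pair for a publisher and records the
// public half; the private half is returned to the (simulated) publisher.
func (s *Store) RegisterPublisher(name string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s.publisherKeys[name] = pub
	return priv
}

// canonical gives a stable byte encoding of the manifest so that signer and
// verifier hash exactly the same bytes (struct field order is fixed).
func canonical(m Manifest) []byte {
	b, _ := json.Marshal(m)
	return b
}

// Sign is the publisher side: produce an upload carrying a signature.
func Sign(priv ed25519.PrivateKey, m Manifest) Upload {
	return Upload{Manifest: m, Signature: ed25519.Sign(priv, canonical(m))}
}

// Review is the store side: origin check first, then automated checkpoints.
func (s *Store) Review(u Upload) (Verdict, string) {
	pub, ok := s.publisherKeys[u.Manifest.Publisher]
	if !ok {
		return Rejected, "unknown publisher"
	}
	// Any change to the manifest after signing invalidates the signature.
	if !ed25519.Verify(pub, canonical(u.Manifest), u.Signature) {
		return Rejected, "signature does not match registered publisher key"
	}
	for _, iface := range u.Manifest.Interfaces {
		if s.reviewRequired[iface] {
			return Flagged, "requests interface " + iface
		}
	}
	return Accepted, "automated checks passed"
}

func main() {
	s := NewStore()
	priv := s.RegisterPublisher("example-publisher") // constructed publisher name
	base := Manifest{Name: "hello", Publisher: "example-publisher", Version: "1.0", Interfaces: []string{"network"}}

	fmt.Println(s.Review(Sign(priv, base)))
	privileged := base
	privileged.Interfaces = []string{"network", "system-files"}
	fmt.Println(s.Review(Sign(priv, privileged)))
	tampered := Sign(priv, base)
	tampered.Manifest.Version = "9.9" // altered after signing
	fmt.Println(s.Review(tampered))
}
```

The point the example makes is that the store never inspects what `hello` actually does; it decides on who signed it and on what the manifest declares, which is exactly the limit of origin-based trust that the later replies in this thread argue about.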

Magic Banana

Joined: 07/24/2010

And never trust the publisher who does not provide access to the source code. The Snap Store is full of proprietary software. And there is no way to configure a different (or additional) repository. The server-side of snapd is proprietary anyway. And to upload a package to the Snap Store, you must sign a Contributor License Agreement. Look at Flatpak for a similar system not suffering from those unacceptable problems.

chaosmonk

Joined: 07/07/2017

Flatpak does have fewer problems than Snap, but it has the same fundamental problem of shifting the responsibility of distributing binaries from maintainers to developers in order to make GNU/Linux more accommodating to proprietary software developers.

Passing through the checks and balances of the maintainer-based approach is slower than shipping binaries directly to users, but worthwhile free software with no problematic dependencies generally makes it through. Most of the software available via Flatpak or the Snap Store is either (a) already available in major distros' repositories, (b) not something enough users are interested in to have motivated anyone to package it, (c) proprietary, or (d) free or mostly free but problematic for the same reasons that it is difficult for distros to package.

There is admittedly also (e) software that is free and worthwhile, but so new that it has not made it through the packaging process. However, that process is in part a QA process, especially in the case of Debian, whose process includes making sure that the package works with the system libs and checking to make sure that every file is under a free license. Users who want to try the software out before it has gone through this process can build it from source.

There is *also* admittedly (f) software that is free and worthwhile, and packaged in major distributions, but not available in Trisquel because Trisquel lags so far behind Ubuntu releases. However, this is a problem with Trisquel, not a problem with the maintainer system in general, and is not the issue that Snap and Flatpak purport to address.

Magic Banana

Joined: 07/24/2010

It is indeed safer to stick with packages in Trisquel's repository. My point is that, as far as I know, and contrary to Snap, nothing prevents the creation of a Flatpak repository only for free software, as in your categories a, b, e (a big one for those who want to test beta versions) and f.

The maintenance cost would be lower than that of a distribution repository: whoever uploads software would have to agree with terms of use forbidding proprietary software, select a free software license in a list, provide a link to the source code, etc. If she uploads proprietary software anyway, that software would only be removed after it is discovered (again: I agree it is safer to stick with packages in Trisquel's repository), and she would be banned.

gaseousness
Joined: 08/25/2020

Some good points you all have mentioned.

I don't have much personal experience with Ubuntu snaps, but from my understanding they have forced automatic updates, are much slower, and have theming issues.

I'm not sure if there is a thing where it asks you to opt in to possible data collection?
https://snapcraft.io/docs/snap-store-metrics

Also, I'm unaware of Ubuntu explaining how to disable it, for those who'd rather just avoid it.

nadebula.1984
Joined: 05/01/2018

The main purpose of Snap is to make it easier to install non-free software on GNU/Linux.

But who needs non-free software on a free/libre operating system? I stopped using Ubuntu/Mint quite some time ago.

gaseousness
Joined: 08/25/2020

True, it helps with the non-free software; it also appears Ubuntu is making some of the regular apps, like the calculator, slow and annoying now.

GNU/Linux Mint > Ubuntu, in my opinion; I guess they have Ubuntu's snapd off by default.

"A year later, in the Ubuntu 20.04 package base, the Chromium package is indeed empty and acting, without your consent, as a backdoor by connecting your computer to the Ubuntu Store. Applications in this store cannot be patched, or pinned. You can’t audit them, hold them, modify them or even point snap to a different store. You’ve as much empowerment with this as if you were using proprietary software, i.e. none. This is in effect similar to a commercial proprietary solution, but with two major differences: It runs as root, and it installs itself without asking you."

https://blog.linuxmint.com/?p=3906

I read that manjaro has ubuntu snap installed by default.

"Snaps are a distro independent method for packaging and distributing Linux software.

Using software distributed by Snap has a couple of distinct advantages:

Software that is not compatible with current system libraries will still work when packaged as a Snap
Snaps are automatically updated"

appears they are trying to push forced updates as an advantage

https://wiki.manjaro.org/index.php?title=Snap