Malware found in Ubuntu Store Snap app

[KBD]

These pre-packaged apps remind me a lot of Windows apps that anyone can make and ruin the security of an OS:
https://www.bleepingcomputer.com/news/l ... nap-store/

[uncle mark]

These pre-packaged apps remind me a lot of Windows apps that anyone can make and ruin the security of an OS:
https://www.bleepingcomputer.com/news/l ... nap-store/

The good news:

An attentive Ubuntu user has spotted today a cryptocurrency miner hidden in the source code of an Ubuntu snap package hosted on the official Ubuntu Snap Store.

The open source nature of the code led to it's discovery.

The bad news is that the proliferation of fully packaged "Apps" and PPAs means this is going to be more common as time goes on.

[KBD]

The open source nature of the code led to it's discovery.

The bad news is that the proliferation of fully packaged "Apps" and PPAs means this is going to be more common as time goes on.

I agree. Much more common unless someone is constantly policing it, and even Apple and MS and Google can't manage that with their stores having much greater resources than Ubuntu.

[KBD]

More about this:
https://www.theregister.co.uk/2018/05/1 ... ning_apps/
Don't think I would trust snaps from Ubuntu after this :(

[skidoo]

a reddit discussion containing 450+ posts on the subject
https://old.reddit.com/r/linux/comments ... ntu_snaps/

[KBD]

It is starting to sink in how stupid these snap packs are. If we want Linux to have an app store as "dependable and safe" as Google's app store this is the way to go. I hope wiser minds prevail. Shuttleworth really is a nitwit:

"With snappy Ubuntu, Owncloud can publish exactly what they want you to use as a snappy package, and can update that for you directly, in a safe transactional manner with full support for rolling back. I think upstream developers are going to love being in complete control of their app on snappy Ubuntu Core." --Shuttleworth
http://kmkeen.com/maintainers-matter/

Yes, and every bit as safe as a mobile app store with no serious oversight. I will stick with the apt package maintainers and official repositories thanks.

[asqwerth]

I only venture into flatpaks and appimages where necessary, ie, the program I want cannot be backported to MX and the present version in Debian/MX (if any) just doesn't cut it for some reason. And it should be from the developers themselves.

So I have flatpak Lollypop and VLC3* in MX15/16, but in MX17 I use the ones in the MX repos because the packaging team were able to build them.


* yes, I know appimage might be available but I just wanted to test flatpak in MX15/16. I use appimage for the latest Krita.

[mbooyzen]

My POV, Snaps is one of the reasons I left Ubuntu and now running MX. I used Ubuntu mate for a few years and even systemd was ok for what I do. After reading up on snaps I at first thought it was a great idea but should be up to the end user to use, then seeing that Ubuntu mate had some snaps installed by default I started looking for another distro that sticks to what works until the next thing is ready. According to me snaps should be used with caution, although I like the sandbox idea. The noob user should not use snaps yet until everyone else use them. After I saw this on some news site I confirmed my theory. Many X mswin users use Ubuntu that don't take/need to take time to learn Linux but instead just use writer/spreadsheet programs, email, and a printer. These users unknowingly would have left this unseen for a long time.

[KBD]

My POV, Snaps is one of the reasons I left Ubuntu and now running MX. I used Ubuntu mate for a few years and even systemd was ok for what I do. After reading up on snaps I at first thought it was a great idea but should be up to the end user to use, then seeing that Ubuntu mate had some snaps installed by default I started looking for another distro that sticks to what works until the next thing is ready. According to me snaps should be used with caution, although I like the sandbox idea. The noob user should not use snaps yet until everyone else use them. After I saw this on some news site I confirmed my theory. Many X mswin users use Ubuntu that don't take/need to take time to learn Linux but instead just use writer/spreadsheet programs, email, and a printer. These users unknowingly would have left this unseen for a long time.

Didn't know that about Ubuntu MATE and I used to use that one. I think Canonical would love to only use snaps as it would save them from having to package and maintain very much. And I'm sure it seemed a great idea at first, but in practice it is going to damage the image of Linux as secure, safe, and reliable. What really angered me is the Ubuntu blog/response played it down as no big deal that malware was placed in a snap package. I don't think Ubuntu has been really interested in anything but servers since they dropped the phone/convergence idea.

[KBD]

I only venture into flatpaks and appimages where necessary, ie, the program I want cannot be backported to MX and the present version in Debian/MX (if any) just doesn't cut it for some reason. And it should be from the developers themselves.

So I have flatpak Lollypop and VLC3* in MX15/16, but in MX17 I use the ones in the MX repos because the packaging team were able to build them.


* yes, I know appimage might be available but I just wanted to test flatpak in MX15/16. I use appimage for the latest Krita.

Do flatpacks auto-update like snaps? About the only package of this sort that I would trust would be from a highly trusted source like Firefox, but since it's in the system already I would need to. Debian is quite excellent for everything I need anymore packages wise.