[HN Gopher] Multiple vulnerabilities found in Snap-confine funct...
___________________________________________________________________
 
Multiple vulnerabilities found in Snap-confine function on Linux
systems
 
Author : pdenton
Score  : 28 points
Date   : 2022-02-19 08:44 UTC (2 days ago)
 
(HTM) web link (www.zdnet.com)
(TXT) w3m dump (www.zdnet.com)
 
  | brnt wrote:
  | Are there any happy users of Snap, 5 years or so in on it?
 
    | _joel wrote:
    | Not me, I moved from Ubuntu to regular Debian because of it.
    | It's a disaster waiting to happen.
 
    | Taniwha wrote:
    | Nope - any system that imposes on me what my 'home directory'
    | is, is inherently broken
 
    | 01acheru wrote:
    | I need to say that I really despise snap apps. I don't get why
    | I should use them, I never felt the need for a bloated app
    | package with awful startup times...
    |
    | On Ubuntu (last time I used it with a GUI, something like 1.5
    | years ago) the calculator app was a snap app. The f*ing
    | CALCULATOR app! And it took longer to open the calculator than
    | Firefox or VSCode.
    |
    | I started hating Ubuntu for pushing snap so strongly, and this
    | time I didn't forgive them...
 
    | blacksmith_tb wrote:
    | I am fine with using snaps on my desktop systems (mostly) but
    | it is not very appealing to me on servers. It would be
    | interesting to know if there are any big projects using it
    | successfully, maybe I'm missing out?
 
      | akersten wrote:
      | The certbot Let's Encrypt agent is unfortunately stuck in a
      | Snap package, at least last I tried setting it up.
      |
      | Always feels like Snap has been pushed by some invisible
      | proprietary influence, not organic growth due to it being a
      | good idea. I never saw anything wrong with package managers
      | or a reason I should like Snap. My experience is that I've
      | only been forced to use it against my will.
 
      | _joel wrote:
      | microk8s perhaps, oh and they use it on AWS AMIs for
      | awscli stuff (yuk)
 
      | greatgib wrote:
      | I was also very annoyed by that and supporting legacy
      | servers with letsencrypt, and then I found the acme.sh
      | script to replace certbot:
      | https://github.com/acmesh-official/acme.sh
      |
      | Simple and light without big dependencies as it runs in
      | bash! I would recommend it a thousand times!
 
    | sdwolfz wrote:
    | I am, it has Adobe Acrobat Reader:
    |
    | https://snapcraft.io/acrordrdc
    |
    | Which I need when I have to declare my taxes in Romania since
    | it's done via a PDF file that can't be opened and filled in
    | with any other tool:
    |
    | https://static.anaf.ro/static/10/Anaf/Declaratii_R/Aplicatii...
    |
    | Firefox made some progress with this lately but it's still not
    | good enough to allow me to fill it in.
    |
    | Apart from this particular package, I use flatpak. So it's not
    | like I'm "happy" about snaps, but I'm happy that the snap
    | repository has the tools I need.
 
      | enzanki_ars wrote:
      | In terms of that Adobe Acrobat Reader snap, how am I supposed
      | to trust that the container is a maintained, trustworthy, and
      | official version of the application? That looks sketchy to me
      | to use, as to my knowledge Acrobat Reader hasn't been released
      | on Linux in over 9 years, and shouldn't be used/trusted given
      | the large number of potential vulnerabilities...
      |
      | This is the reason I don't trust snaps, as I have 0 way of
      | auditing it. I know that there is a "verified" mechanism in
      | snapcraft, but not all apps that are "official" or "trusted"
      | have that tag, such as MusicBrainz Picard, published by the
      | MusicBrainz team, so the only way I know they support it is
      | going back to the official website, which also offers a more
      | conventional PPA that is also easier to audit and trust given
      | the GPG key processes in place there, which _should_ be a bit
      | more trustworthy.
 
        | figgyc wrote:
        | A little bit of googling suggests that particular snap is a
        | Wine wrapper:
        | https://github.com/mmtrt/acrordrdc/blob/master/snap/snapcraf...
        |
        | Is that code the same as the one the other commenter
        | linked? Not sure, doesn't seem to be a way to tell, as
        | you've mentioned. (That was quite a surprise to me, even
        | Flatpak's Flathub has a little "see details" link to
        | GitHub.) But it would make sense as Adobe has indeed not
        | maintained Acrobat for Linux in many years.
 
    | silisili wrote:
    | Negative. I left Ubuntu everywhere because of how it kept
    | increasingly creeping in.
    |
    | They usually give up on their NIH missteps after a year or
    | two (see upstart, mir, unity, etc), but they're really dug in on
    | this one.
 
    | kd913 wrote:
    | I'm quite happy with it.
    |
    | Never really felt any problems with performance, theming works,
    | and more confinement > no confinement. Guess what, it's 2020,
    | it would be nice to have some restrictions for what rogue
    | desktop apps can access on the desktop.
    |
    | From a development experience, it's a million light years
    | better and safer than setting up PPAs, dealing with launchpad.
    | It directly integrates with CI, and hence can be pushed to all
    | relevant Ubuntu OSes. Quite nice in particular being able to
    | get the latest version of Firefox as soon as updates come out.
    |
    | Also having actual software from vscode, slack, spotify,
    | jetbrains stuff is quite nice. Jetbrains especially as they
    | didn't offer a repo in the past.
    |
    | Oh and I especially like multipass, and being able to use
    | docker. Especially when Docker lags behind supporting the newer
    | repos.
    |
    | I also find it very handy for switching between channels (such
    | as for firefox and nodejs).
 
    | [deleted]
 
    | mistrial9 wrote:
    | we think "snap sucks" at our admin sewing circle, basically..
    | avoid when possible, dislike (increasing) required snapd junk
    | on Ubuntu LTS
 
___________________________________________________________________
(page generated 2022-02-21 23:01 UTC)