[HN Gopher] Multiple vulnerabilities found in Snap-confine funct...
___________________________________________________________________
Multiple vulnerabilities found in Snap-confine function on Linux
systems
Author : pdenton
Score : 28 points
Date : 2022-02-19 08:44 UTC (2 days ago)
(HTM) web link (www.zdnet.com)
(TXT) w3m dump (www.zdnet.com)
| brnt wrote:
| Are there any happy users of Snap, 5 years or so in on it?
| _joel wrote:
| Not me, I moved from Ubuntu to regular Debian because of it.
| It's a disaster waiting to happen.
| Taniwha wrote:
| Nope - any system that imposes on me what my 'home directory'
| is, is inherently broken
| 01acheru wrote:
| I need to say that I really despise snap apps. I don't get why
| I should use them, I never felt the need for a bloated app
| package with awful startup times...
|
| On Ubuntu (last time I used it with a GUI, something like 1.5
| years ago) the calculator app was a snap app. The f*ing
| CALCULATOR app! And it took longer to open the calculator than
| Firefox or VSCode.
|
| I started hating Ubuntu for pushing snap so strongly, and this
| time I didn't forgive them...
| blacksmith_tb wrote:
| I am fine with using snaps on my desktop systems (mostly) but
| it is not very appealing to me on servers. It would be
| interesting to know if there are any big projects using it
| successfully, maybe I'm missing out?
| akersten wrote:
| The certbot Let's Encrypt agent is unfortunately stuck in a
| Snap package, at least last I tried setting it up.
|
| Always feels like Snap has been pushed by some invisible
| proprietary influence, not organic growth due to it being a
| good idea. I never saw anything wrong with package managers
| or a reason I should like Snap. My experience is that I've
| only been forced to use it against my will.
| _joel wrote:
| microk8s perhaps, oh and they use it on AWS AMIs for
| awscli stuff (yuk)
| greatgib wrote:
| I was also very annoyed by that and supporting legacy
| servers with letsencrypt, and then I found the acme.sh script
| to replace certbot: https://github.com/acmesh-official/acme.sh
|
| Simple and light without big dependencies as running in
| bash! I would recommend it a thousand times!
| sdwolfz wrote:
| I am, it has Adobe Acrobat Reader:
|
| https://snapcraft.io/acrordrdc
|
| Which I need when I have to declare my taxes in Romania since
| it's done via a PDF file that can't be opened and filled in
| with any other tool:
|
| https://static.anaf.ro/static/10/Anaf/Declaratii_R/Aplicatii...
|
| Firefox made some progress with this lately but it's still not
| good enough to allow me to fill it in.
|
| Apart from this particular package, I use flatpak. So it's not
| like I'm "happy" about snaps, but I'm happy that the snap
| repository has the tools I need.
| enzanki_ars wrote:
| In terms of that Adobe Acrobat Reader snap, how am I supposed
| to trust that the container is a maintained, trustworthy, and
| official version of the application? That looks sketchy to me
| to use, as to my knowledge Acrobat Reader hasn't been released
| on Linux in over 9 years, and shouldn't be used/trusted given
| the large number of potential vulnerabilities...
|
| This is the reason I don't trust snaps, as I have 0 way of
| auditing it. I know that there is a "verified" mechanism in
| snapcraft, but not all apps that are "official" or "trusted"
| have that tag, such as MusicBrainz Picard, published by the
| MusicBrainz team, so the only way I know they support it is
| going back to the official website, which also offers a more
| conventional PPA that is also easier to audit and trust given
| the GPG key processes in place there, which _should_ be a bit
| more trustworthy.
| figgyc wrote:
| A little bit of googling suggests that particular snap is a
| Wine wrapper: https://github.com/mmtrt/acrordrdc/blob/master/snap/snapcraf...
|
| Is that code the same as the one the other commenter
| linked? Not sure, doesn't seem to be a way to tell, as
| you've mentioned. (That was quite a surprise to me, even
| Flatpak's Flathub has a little "see details" link to
| GitHub.) But it would make sense as Adobe has indeed not
| maintained Acrobat for Linux in many years.
| silisili wrote:
| Negative. I left Ubuntu everywhere because of how it kept
| increasingly creeping in.
|
| They usually give up on their NIH missteps after a year or
| two (see upstart, mir, unity, etc), but they're really dug in on
| this one.
| kd913 wrote:
| I'm quite happy with it.
|
| Never really felt any problems with performance, theming works,
| and more confinement > no confinement. Guess what, it's 2020,
| it would be nice to have some restrictions for what rogue
| desktop apps can access on the desktop.
|
| From a development experience, it's a million light years
| better and safer than setting up ppas, dealing with launchpad.
| It directly integrates with CI, and hence can be pushed to all
| relevant Ubuntu OSes. Quite nice in particular being able to
| get the latest version of Firefox as soon as updates come out.
|
| Also having actual software from vscode, slack, spotify,
| jetbrains stuff is quite nice. Jetbrains especially as they
| didn't offer a repo in the past.
|
| Oh and I especially like multipass, and being able to use
| docker. Especially when Docker lags behind supporting the newer
| repos.
|
| I also find it very handy for switching between channels (such
| as for firefox and nodejs).
| mistrial9 wrote:
| We think "snap sucks" at our admin sewing circle, basically.
| Avoid when possible, dislike the (increasing) required snapd junk
| on Ubuntu LTS.
___________________________________________________________________
(page generated 2022-02-21 23:01 UTC)