Canonical Now Doing Manual Reviews For New Packages Due To Scam Apps (gamingonlinux.com)
An anonymous reader quotes a report from GamingOnLinux: After repeatedly suffering issues with scam apps making it onto the Snap Store, Canonical, maker of Ubuntu Linux, has now decided to manually look over submissions. I've covered the issues with the Snap Store a few times now, like on March 19th when ten scam crypto apps appeared, got taken down and then reappeared under a different publisher. Also, earlier back in February, there was an issue where a user actually lost their wallet as a result of a fake app. Multiple fake apps were also put up back in October last year, so it was a repeating issue that really needed dealing with properly.
So to try and do something about it, Canonical's Holly Hall has posted on their Discourse forum about how "The Store team and other engineering teams within Canonical have been continuously monitoring new snaps that are being registered, to detect potentially malicious actors" and that they will now do manual reviews whenever people try to register "a new snap name." On top of that soon they will also be releasing a new policy regarding "crypto-wallet and other sensitive snaps" with "guidelines for how to publish such a snap." Currently all of this is not supposed to be long-term, as it's an evolving situation.
Abandon snaps (Score:4, Insightful)
Re: (Score:2, Troll)
The "snaps" are not the problem. It's the crypto shit.
Just ban the fucking things from the app stores. If people want it, they can download it from github, ./configure && make && make install. Source code distributed apps tend not to last long as scams. Many eyes and shallow problems.
Re: (Score:2, Insightful)
The "snaps" are not the problem. It's the crypto shit.
Just ban the fucking things from the app stores. If people want it, they can download it from github, ./configure && make && make install. Source code distributed apps tend not to last long as scams. Many eyes and shallow problems.
I disagree. The "snaps" are the problem, because unlike the apt-get flow, "snaps" are uncurated. They also auto update by default, and in fact it's very hard not to have them auto update. This means a vendor can easily push malicious content at a later time without most users (and canonical) noticing, even so called "power users". Even Apple lets users control if and when to update. "snaps" as they are implemented now are not an acceptable distribution solution IMO.
Re: (Score:2)
I completely agree - if only for the environmental advantages. Snap is so prodigiously wasteful of storage and bandwidth - not everyone has it, and for those that do, it's still a waste of money and CO2. We already solved the shared-libraries problem.
Re: (Score:1)
That won't happen. Every release they're pushing more and more proprietary stuff. The snap store in particular is their secret sauce they hope to cash in on.
Snaps are really bad though. They use resources even when not running them. They duplicate stuff the regular package management system does, using more resources. They are bloated and slow. Just terrible all around.
Red Hat/IBM's Flatpak is no better. It litters the system with crypted filenames and duplicate stuff the regular package manager can do.
Sna
Re: (Score:3)
Re: (Score:3)
False dichotomy; OS packages exist.
OS packages do not solve the same problem as snaps and Flatpaks. They are just DLL hell without Microsoft's name attached. Every borked Linux system I've ever fixed was the result of someone who wanted to run a package that was newer than their OS package maintainer supported, and ended up fucking up their dependencies.
OS packages in Linux are fantastic if your goal is stable long term releases which don't change. They are not at all suitable for things such as ... internet browsers which get released more
Re: (Score:2)
Re: (Score:2)
Browser is probably a bad example since maintainers go out of their way to provide them quickly. But there is literally countless software that is *not* current in your distro's even more up to date rapidly moving package library, and that even includes the ol' cutting edge compile it yourself distro like Gentoo.
You want the up to date packages on the day of release you need to step outside the OS maintainer's provision. You import other PPAs to get a more up to date release you invite dependency issues at
Re: Abandon snaps (Score:2)
Those problems are almost invariably from installing a second package manager. Instead, compile from source. If you find yourself doing this too often, switch to a distro with more appropriate maintenance schedule.
Re: (Score:2)
Re: (Score:2)
And then you have google chromium, which is 3.4 GB in xz compressed sources and bundles its own copy of libXNVCtrl from Nvidia-drivers, abseil-cpp, libaom, dav1d, brotli, crc32c, double-conversion, ffmpeg, harfbuzz, icu, json-cpp, libevent, libusb, libvpx, openh264, openjpeg, libpng, re2, snappy, woff2, zstd, and libcxx (the C++ standard library).
Re: (Score:2)
I suspect snaps aren't a problem in this way simply because they are snaps. If canonical gave up on snaps and adopted something else, scammers would likely follow suit.
Anyway, this isn't a unique problem, other app stores have also been targeted, in the past Apple's App Store and Google's Play Store have both been targeted by this sort of thing.
I'm certain Windows wouldn't have nearly the reputation for being targeted by malware if it weren't as popular.
Linux use is gaining in popularity among desktops in
Re: (Score:2)
Snaps do not have someone responsible for them. The package maintainers of Debian packages are developers trusted by the project. In snap and flathub each software has its own uploader who isn't vetted by anyone.
Steam on Linux and malware (Score:3)
Re: (Score:2)
Re: (Score:2)
Abandon it, for what, .deb?
Automate the system, automate the hacks... (Score:3)
If you care at all about what you're distributing, manual review of the source (as in the origin) and the app is the only way to go.
Automated curating does not work as once the algorithm is known someone will automate the requirements for getting past the algorithm.
If that's too expensive, you can either shut down or accept that you're going to have your collection poisoned by crap and scamware.
Re: (Score:2)
I'm fairly sure that's why Apple has always been a little vague on its app store terms beyond the obvious rules, and has never distributed its static analysis tool. As much as it's a massive pain for devs, it does make it a hell of a lot harder for scammers to carefully hedge their way around it.
supply chain (Score:2)
Should be obvious in 2024 that your supply chain is really important. There are a lot of convenient options for obtaining/installing/running software but they require a lot of trust or an unrealistic amount of sleuthing contents and changes. If you want to be more sure of what you are getting then you need to control your sources.
Pushing the easy button and hoping for the best is a recipe for disaster.
Congratulations and welcome to the club (Score:2)
Re: (Score:2)
Don't be too enthusiastic already, it's only the non-FOSS cryptocurrency app store section of one particular distro... that is finally popular enough to get malware written for it.
Re: (Score:2)
That's why distributions have package maintainers (Score:2)
Package maintainers follow the development of the programs they are packaging and notice if something is fishy. How often did Debian package malicious software?
The problem is that Ubuntu tries to establish an app store instead of using a package repository, and now they get the problems that app stores have.
Snaps? Ha! I remember when Ubuntu was cool (Score:2)
Re: Snaps? Ha! I remember when Ubuntu was cool (Score:2)
Did you forget about Unity? Canonical has always had a not-invented-here problem.
Re: Snaps? Ha! I remember when Ubuntu was cool (Score:2)
Canonical used Unity for the same reason System76 made the decision to continue using Unity after Canonical dropped it. They had a large installed user base they had to support and weren't happy being exposed to the vagaries of the ever-changing Linux desktop.
Windows (Score:4)
Canonical set out to fix the problem of Linux not being like Windows and really delivered on the promise of downloading and running untrusted dangerous software from random people.
AI will fix it! (Score:1)
Wait, are we saying that automation failed here?
who could have imagined... (Score:2)
Wow! Who could have imagined that having a shitty app store like on android or iphones would result in the same kind of shitty scam apps that they have?
That's inconceivable!
Remember kids: if it's not Free Software from a trustworthy source then don't install it.