Canonical Now Doing Manual Reviews For New Packages Due To Scam Apps

An anonymous reader quotes a report from GamingOnLinux: After repeatedly suffering issues with scam apps making it onto the Snap Store, Canonical maker of Ubuntu Linux have now decided to manually look over submissions. I've covered the issues with the Snap Store a few times now like on March 19th when ten scam crypto apps appeared, got taken down and then reappeared under a different publisher. Also earlier back in February there was an issue where a user actually lost their wallet as a result of a fake app. Multiple fake apps were also put up back in October last year as well, so it was a repeating issue that really needed dealing with properly.

So to try and do something about it, Canonical's Holly Hall has posted on their Discourse forum about how "The Store team and other engineering teams within Canonical have been continuously monitoring new snaps that are being registered, to detect potentially malicious actors" and that they will now do manual reviews whenever people try to register "a new snap name." On top of that soon they will also be releasing a new policy regarding "crypto-wallet and other sensitive snaps" with "guidelines for how to publish such a snap." Currently all of this is not supposed to be long-term, as it's an evolving situation.

Abandon snaps

[Going_Digital]

Hopefully canonical will get fed up with playing cat and mouse withe the scammers and finally give up on the stupid snaps!

Re:

[sg_oneill]

The "snaps" are not the problem. Its the crypto shit.

Just ban the fucking things from the app stores. If people want it, they can download it from github, ./configure && make && make install . Source code distributed apps tend not to last long as scams. Many eyes and shallow problems.

Re:

[man machine]

The "snaps" are not the problem. Its the crypto shit.

Just ban the fucking things from the app stores. If people want it, they can download it from github, ./configure && make && make install . Source code distributed apps tend not to last long as scams. Many eyes and shallow problems.

I disagree. The "snaps" are the problem, because unlike the apt-get flow, "snaps" are uncurated. They also auto update by default, and in fact it's very hard not to have them auto update. This means a vendor can easily push malicious content at a later time without most users (and canonical) noticing, even so called "power users". Even Apple lets users control if and when to update. "snaps" as they are implemented now are not an acceptable distribution solution IMO.

Re:

[Richard_J_N]

I completely agree - if only for the environmental advantages. Snap is so prodigiously wasteful of storage and bandwidth - not everyone has it, and for those that do, it's still a waste of money and CO2. We already solved the shared-libraries problem.

Re:

[Anonymous Coward]

That won't happen. Every release they're pushing more and more proprietary stuff. The snap store in particular is their secret sauce they hope to cash in on.

Snaps are really bad though. They use resources even when not running them. They duplicate stuff the regular package management system does, using more resources. They are bloated and slow. Just terrible all around.

Red Hat/IBM's Flatpak is no better. It litters the system with crypted filenames and duplicate stuff the regular package manager can do.

Sna

Re:

[K. S. Kyosuke]

False dichotomy; OS packages exist.

Re:

[thegarbz]

False dichotomy; OS packages exist.

OS packages do not solve the same problem as snaps and flatpacks. They are just DLL hell without Microsoft's name attached. Every borked Linux system I've ever fixed was the result of someone who wanted to run a package that was newer than their OS package maintainer supported, and ended up fucking up their dependencies.

OS packages in Linux are fantastic if your goal is stable long term releases which don't change. They are not at all suitable for things such as ... internet browsers which get released more

Re:

[K. S. Kyosuke]

Weird; I've never had problems with running browsers from OS packages. Including rolling releases of browsers.

Re:

[thegarbz]

Browser is probably a bad example since maintainers go out of their way to provide them quickly. But there is literally countless software that is *not* current in your distro's even more up to date rapidly moving package library, and that even includes the ol' cutting edge compile it yourself distro like Gentoo.

You want the up to date packages on the day of release you need to step outside the OS maintainer's provision. You import other PPAs to get a more up to date release you invite dependency issues at

Re: Abandon snaps

[reanjr]

Those problems are almost invariably from installing a second package manager. Instead, compile from source. If you find yourself doing this too often, switch to a distro with more appropriate maintenance schedule.

Re:

[Rujiel]

Snaps being defailt for ubuntu programs (firefox) actively gets in the way of maintaining the progam without using the snap version. Firdfox profiles get messed up every ubuntu version update. I gave up and switched to brave on that machine

Re:

[test321]

And then you have google chromium, which is 3.4 Gb in xz compressed sources and bundles its own copy of libXNVCtrl from Nvidia-drivers, abseil-cpp, libaom, dav1d, brotli, crc32c, double-conversion, ffmpeg, hardfbuzz, icu, json-cpp, libevent, libusb, libvpx, openh264, openjpeg, libpng, re2, snappy, woff2, zstd, and libcxx (the C++ standard library).

Re:

[satanicat]

I suspect snaps aren't a problem in this way simply because they are snaps. If canonical gave up on snaps and adopted something else, scammers would likely follow suit.

Anyway, this isn't a unique problem, other app stores have also been targeted, in the past Apple's App Store and Google's Play Store have both been targeted by this sort of thing.

I'm certain Windows wouldn't have nearly the reputation for being targeted by malware if it weren't as popular.

Linux use is gaining in popularity among desktops in

Re:

[allo]

Snaps do not have someone responsible for them. The package maintainers of Debian packages are developers trusted by the project. In snap and flathub each software has its own uploader who isn't vetted by anyone.

Steam on Linux and malware

[Anonymous Cward]

Thankfully, Valve is working on a security container called pressure vessel which isolates each game and forcibly gives it a traceable parent process name. Unlike the security mess they created on Windows with making a Program Files folder writeable to Everyone by default, they actually seem to care on Linux. At least when they arent nuking your /home with unsafe rm -rf usage.

Re:

[BrendaEM]

I agree!

Re:

[eneville]

Abandon it, for what, .deb?

Automate the system, automate the hacks...

[Baron_Yam]

If you care at all about what you're distributing, manual review of the source (as in the origin) and the app is the only way to go.

Automated curating does not work as once the algorithm is known someone will automate the requirements for getting past the algorithm.

If that's too expensive, you can either shut down or accept that you're going to have your collection poisoned by crap and scamware.

Re:

[sg_oneill]

I'm fairly sure thats why Apple has always been a little vague on its app store terms beyond the obvious rules, and has never distributed its static analysis tool. As much as its a massive pain for devs, it does make it a hell of a lot harder for scammers to carefullly hedge their way around it.

supply chain

[awwshit]

Should be obvious in 2024 that your supply chain is really important. There are a lot of convenient options for obtaining/installing/running software but they require a lot of trust or an unrealistic amount of sleuthing contents and changes. If you want to be more sure of what you are getting then you need to control your sources.

Pushing the easy button and hoping for the best is a recipe for disaster.

Congratulations and welcome to the club

[xack]

Linux is finally popular enough to get malware written for it. 20 years of being the year of the desktop finally broke through.

Re:

[test321]

Don't be too enthusiastic already, it's only the non-FOSS cryptocurrency app store section of one particular distro... that is finally popular enough to get malware written for it.

Re:

[xack]

Now with the xz incident [slashdot.org], I feel that more people are taking the opportunity to go rogue.

That's why distributions have package maintainers

[allo]

Package maintainers follow the development of the programs they are packaging and notice if something is fishy. How often did Debian package a malicious software?

The problem is, that Ubuntu tries to establish an Appstore instead of using a package repository and now they get the problems that Appstores have.

Snaps? Ha! I remember when Ubuntu was cool

[BrendaEM]

The old Ubuntu would have never used Snaps. Apt works, fullstop.

Re: Snaps? Ha! I remember when Ubuntu was cool

[RazorSharp]

Did you forget about Unity? Canonical has always had a not-invented-here problem.

Re: Snaps? Ha! I remember when Ubuntu was cool

[reanjr]

Canonical used Unity for the same reason System76 made the decision to continue using Unity after Canonical dropped it. They had a large installed user base they had to support and weren't happy being exposed to the vagaries of the ever-changing Linux desktop.

Windows

[JThundley]

Canonical set out to fix the problem of Linux not being like Windows and really delivered on the promise of downloading and running untrusted dangerous software from random people.

AI will fix it!

[Tony Isaac]

Wait, are we saying that automation failed here?

who could have imagined...

[cas2000]

Wow! Who could have imagined that having a shitty app store like on android or iphones would result in the same kind of shitty scam apps that they have?

That's inconceivable!

Remember kids: if it's not Free Software from a trustworthy source then don't install it.