422
Oh Snap! Canonical now doing manual reviews for new packages due to scam apps
(www.gamingonlinux.com)
this post was submitted on 31 Mar 2024
422 points (96.9% liked)
Linux
47356 readers
1373 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
People still use Ubuntu?
One of the top most used distros probably
This thread is a good example of just how circlejerky and bubble like lemmy has become.
You are correct. Outside of the hard-core users and tech nerds, Ubuntu is massively popular. But you listen to this community, and you'd think the opposite.
Most of us do live in bubbles (not exclusive to lemmy or tech nerds). I first picked up Ubuntu in 2004. It was a massive leap forward at the time as Gnome was moving a lot faster than Debian stable and I was running Sid to keep up. I am genuinely surprised everytime I learn Ubuntu is still "popular" as they have made so many NIH misteps over the years (mir,upstart,unity,snap) and frustrated their users. I moved back to Debian years ago for server/dev as Ubuntu re-packaging wasn't adding any value and once I was on another distro for desktop I lost all interest.
Ubuntu started off with some amazing community building. It felt more like a peoples distro than Canonicals for a time. I felt more invested in it in those days so I can relate to Ubuntu users but I also understand some of the criticism aimed at Canonical and their choices.
True. I've always felt more at home in Ubuntu and its derivatives. Debian is quite nice too.
Like Windows, Ubuntu is installed by default on many computers. In my university, all the computers have a dual boot Ubuntu Windows.
Haha in mine they have Ubuntu stickers on them but no Ubuntu to be found.
I do
why?
Still in the process of moving my server from Ubuntu to Debian.
That should be possible by changing the repos, shouldnt it? I will try this in a VM.
Downgrading will be harder than rebasing from Ubuntu LTS to Debian Sid for example. But at the same time I imagine its easier to downgrade from Sid to Stable on the same Distro.
It works for me, and my tinkering times are behind me.
Not the person you are replying to, but my server is on Ubuntu. It was the distro my work used and it was probably the only distro I had heard of at the time I set up my server. At this point I run so much shit that can never go down on my server that I will never consider touching the distro ever.
Plus, who cares? It's a server. I don't interact with the distro. I only ssh in, run services through containers, and add port forwards. Every distro is identical for that stuff. I even prefer old kernel and package versions for ultra stability, as my server can never go down. Sure, Debian would be the same, but why touch it now? That's just asking for headache.
Because its a server. And you want your server to stay online and not get hacked. that's why
What about Ubuntu is more vulnerable? Ubuntu isn't vulnerable to this newly discovered CVE.
Everything downloaded in snap is vulnerable because snap does not cryptographically verify all packages, unlike apt.
Also Ubuntu has newer packages in apt than Debian, which is more dangerous.
This isn't correct. Run
snap download htopfrom your terminal and you'll receive two files: The actual squashfs image that gets mounted in/snap/htop/<revision number>and a.assertfile that cryptographic signature data about this snap file. Modify the squashfs image and snap won't let you install it without passing--dangerousto bypass that check, just like apt-get's--allow-unauthenticated.The problem here exists at a different level: the level of what's getting signed. Conceptually speaking, running
sudo snap install htopis a bit like runningsudo add-apt-repository ppa:maxiberta/htop && sudo apt install htop. The package is built by the owner of the snap/ppa, and what Canonical is cryptographically verifying to you is that they got this from the owner of the (snap|ppa). This is roughly equivalent to domain verification for HTTPS (the type of HTTPS certificates Let's Encrypt uses).There are some different security considerations. For a snap, you need to be aware of the publisher each time you install something new. For PPAs, on the other hand, you only have to worry about this when you add a new PPA. However, the trade-off also works in the other direction. One snap can't just replace another snap on your system, whereas a malicious PPA could provide, for example, a malicious
libc6update.These are both different (and lesser) assertions than what Ubuntu makes with its standard apt repositories. But they are still cryptographically backed.
Can you please link to the documentation that describes this?
I'm not sure if there's a single document explaining all of that, but this document talks about snap's assertions. I'm not entirely sure but I believe this file contains the main snapd business logic for actually checking these assertions.
On the PPA side I don't even know whether there is documentation for this - it's just the result of my understanding of how apt works and my own history creating PPAs.
I use it because a class wanted me to either use it in a VM or use WSL but WSL didn't work and I figured it was easier to set up a dual boot than setting up a VM since I've installed Linux quite a few times.
Yes, just not the people who hang out on Linux communities on federated social media.
They're currently number 6 on DistroWatch's Last 6 Months. So people are at least still interested in it.
Which can be manipulated by scripting or setting the browser's home page to the DistroWatch page of a distribution. No way in hell is MX Linux actually popular.
DistroWatch is extremely weird. Who actually uses MXLinux and all these obscure Distros?