Reason #1 Against Snaps: You Have No Idea What’s In Them
May 24, 2018
[Note that, as always, I speak for myself and not my employer.]
Recently it was discovered that someone had put a crypto miner in their snap app without mentioning it. It really infuriates me that the response was "well, it's not illegal or unethical if you tell the user," because that dodges the actual issue: devs (or spies) can stick whatever they want in an app and you have no way of knowing for sure.
In a distro, each package is separate, and the dev has to figure out what their dependencies are and list them, but they don't have direct control over what is in the libraries they use. This has several benefits that are COMPLETELY lost in any "bundled" app:
- the library has been tested and vetted independently, so you can be more confident that it doesn't contain nasty surprises
- it takes up less space
- if you don't like how it works, you can rebuild it yourself
- you can verify that there aren't obviously unnecessary dependencies, which could indicate nasty surprises
- you can more easily break down an app and analyze it when it has to use shared dependencies
Of course, there is nothing physically preventing a malicious app writer from trying to slip surprises into a deb package, but when a game doesn't build without libblockchain.so, it tends to raise more red flags than when a snap or Flatpak is just handed to you.
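Here is one way to get at least some of that visibility back for a bundled app. Snaps are squashfs images, so `unsquashfs foo.snap` unpacks them to a directory; the script below (an added example, not the author's or any project's code) walks such a directory, parses the `.dynamic` section of every ELF64 little-endian file it finds, and reports which libraries each binary needs, which of those are bundled in the tree, and which must come from the base snap or host. It is the "does the game really need libblockchain.so?" check from the post, made explicit. `build_sample_elf` is a constructed helper that fabricates a tiny ELF carrying only `.dynstr` and `.dynamic` so the parser can be exercised offline; real binaries carry far more, but the section-header walk is the same.

```python
import os
import struct

# ELF constants used below (values from the ELF specification)
ELF_MAGIC = b"\x7fELF"
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED, DT_SONAME = 0, 1, 14
EHDR_FMT, SHDR_FMT, DYN_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ", "<qQ"


def parse_dynamic(data):
    """Return {'soname': str|None, 'needed': [str]} for an ELF64 LE file by walking the
    section header table to SHT_DYNAMIC and resolving names via its sh_link string table."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    if e_shoff == 0 or e_shoff + e_shnum * e_shentsize > len(data):
        raise ValueError("section header table missing or truncated")
    sections = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    dynamic = next((s for s in sections if s[1] == SHT_DYNAMIC), None)
    result = {"soname": None, "needed": []}
    if dynamic is None:                      # statically linked: nothing to resolve
        return result
    link = dynamic[6]                        # sh_link -> the .dynstr section
    if link >= len(sections) or sections[link][1] != SHT_STRTAB:
        raise ValueError("dynamic section has no valid string table")
    str_off, str_size = sections[link][4], sections[link][5]

    def name_at(idx):
        if idx >= str_size:
            raise ValueError("string index outside .dynstr")
        start = str_off + idx                # bounded search keeps us inside .dynstr
        return data[start:data.index(b"\0", start, str_off + str_size)].decode("utf-8", "replace")

    off, end = dynamic[4], dynamic[4] + dynamic[5]
    while off + 16 <= end:                   # each Elf64_Dyn entry is 16 bytes
        tag, val = struct.unpack_from(DYN_FMT, data, off)
        off += 16
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            result["needed"].append(name_at(val))
        elif tag == DT_SONAME:
            result["soname"] = name_at(val)
    return result


def audit_blobs(files):
    """files: {relative path: bytes}. Returns per-file DT_NEEDED edges, the libraries the
    tree itself provides (by SONAME or .so file name), and the ones that must come from outside."""
    edges, bundled = {}, {}
    for path, data in sorted(files.items()):
        if data[:4] != ELF_MAGIC:
            continue
        info = parse_dynamic(data)
        edges[path] = info["needed"]
        base = os.path.basename(path)
        for key in filter(None, {info["soname"], base if ".so" in base else None}):
            bundled.setdefault(key, path)
    external = sorted({lib for libs in edges.values() for lib in libs if lib not in bundled})
    return {"edges": edges, "bundled": bundled, "external": external}


def audit_tree(root):
    """Run audit_blobs over an unpacked snap, e.g. the output directory of `unsquashfs foo.snap`."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                head = fh.read(4)
                if head == ELF_MAGIC:        # only read whole files that are actually ELF
                    files[os.path.relpath(full, root)] = head + fh.read()
    return audit_blobs(files)


def build_sample_elf(needed, soname=None):
    """CONSTRUCTED sample input: a minimal ELF64 LE image with just .dynstr and .dynamic."""
    names = list(needed) + ([soname] if soname else [])
    strtab, offsets = b"\0", {}
    for n in names:
        offsets.setdefault(n, len(strtab))
        strtab += n.encode() + b"\0"
    entries = [(DT_NEEDED, offsets[n]) for n in needed]
    entries += [(DT_SONAME, offsets[soname])] if soname else []
    dynamic = b"".join(struct.pack(DYN_FMT, t, v) for t, v in entries + [(DT_NULL, 0)])
    str_off = 64                             # .dynstr follows the 64-byte ELF header
    dyn_off = (str_off + len(strtab) + 7) & ~7
    sh_off = dyn_off + len(dynamic)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    header = struct.pack(EHDR_FMT, ident, 3, 62, 1, 0, 0, sh_off, 0, 64, 56, 0, 64, 3, 0)
    shdr = lambda typ, off, size, link, ent: struct.pack(SHDR_FMT, 0, typ, 0, 0, off, size, link, 0, 8, ent)
    body = header + strtab + b"\0" * (dyn_off - str_off - len(strtab)) + dynamic
    return body + shdr(0, 0, 0, 0, 0) + shdr(SHT_STRTAB, str_off, len(strtab), 0, 0) \
        + shdr(SHT_DYNAMIC, dyn_off, len(dynamic), 1, 16)


if __name__ == "__main__":
    import sys
    report = audit_tree(sys.argv[1])
    for path, libs in report["edges"].items():
        print(path, "->", ", ".join(libs) or "(static)")
    print("bundled:", sorted(report["bundled"]))
    print("must come from base/host:", report["external"])
```

Run it as `python3 audit.py squashfs-root` after unpacking a snap. A bundled library nothing else in the tree needs, or a game binary that needs a networking or crypto library the app has no obvious use for, is exactly the kind of unnecessary dependency the post says a distro package would have made visible. The parser only handles ELF64 little-endian files and section-header-based lookup; binaries with stripped section headers would need the PT_DYNAMIC program-header path instead.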
Categorized as: Linux | Personal | Ubuntu