Canonical's Snap Store Restricts Uploads Following Possible Security Issue (snapcraft.io) 29

Yesterday the "temporary suspension" of automatic Snap registrations was announced on Canonical's Snapcraft forum by developer advocate Igor Ljubuncic, after what was described as a "security incident". On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps. As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer be searched or installed. Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effective immediately...

We apologize for any inconvenience this may cause our snap publishers and developers. However, we believe it is the most prudent action at this moment. We want to thoroughly investigate this incident without introducing any noise into the system, and more importantly, we want to make sure our users have a safe and trusted experience with the Snap Store. Please bear with us while we conduct our investigation. We will provide a more detailed update in the coming days.

Some background from the Linux blog OMG Ubuntu: This isn't the first time the Snap Store has had issues with icky uploads. In 2018 an innocuous-sounding app hid crypto-mining capabilities unbeknownst to users. Not disclosing this in its description rendered it malware (Canonical later clarified to say crypto-miners are allowed so long as they're disclosed).

In this instance it appears that folks have uploaded apps purporting to be official apps/tools for the crypto ledger tool Ledger, and these apps were able to get folks' backup codes (which people enter thinking it's legit) and ...the bad actors can use that to extract funds.

  • by Going_Digital ( 1485615 ) on Saturday September 30, 2023 @09:43AM (#63889409)
    Snap is the sound made when Canonical broke the camel's back by forcing this rubbish on us, all 300+ systems now being migrated to Debian. So long Canonical, we are not playing in your proprietary walled garden, because it sucks!
  • If you're not compiling from source yourself, the binary has to come from someone you trust,

    • Allow me to second that. I cannot trust the snap packagers, so I cannot trust the snaps. I've been migrating my systems to Debian and will now redouble my efforts because of this lapse. Hopefully Canonical will see the error of its ways and remove snaps, but I'm not waiting around for that. Thankfully, Linux gives me options.
      • by SG83 ( 4420353 )

        Allow me to second that. I cannot trust the snap packagers, so I cannot trust the snaps. I've been migrating my systems to Debian and will now redouble my efforts because of this lapse. Hopefully Canonical will see the error of its ways and remove snaps, but I'm not waiting around for that. Thankfully, Linux gives me options.

        I mean you could have just uninstalled the snaps and used Ubuntu without it...

        • I mean you could have just uninstalled the snaps and used Ubuntu without it...

          Like I said, Linux gives me options. Since Canonical has broken my trust with snaps, simply removing snaps on my own does nothing to restore that trust. I'm exercising my options, my choices if you will, by leaving Ubuntu behind. Once upon a time, I loved the animal themes and the naked people, but those days are long gone.

        • I mean you could have just uninstalled the snaps and used Ubuntu without it...

          Which is basically Linux Mint.

          • > "you could have just uninstalled the snaps and use ubuntu without it"
            > "Which is basically Linux Mint."

            Well, not exactly. Mint still has even more going for it than just not forcing snaps. It has native Firefox and other packages that don't force ANY container. Better support for Cinnamon (they made it, after all). Better software manager. Better themes with easier installation. Better selection of default package installation. More long-term support of some desktops. No corporation behind

    • by SG83 ( 4420353 )

      If you're not compiling from source yourself, the binary has to come from someone you trust,

      Even if you would compile it yourself, you would have to make sure that the source code hasn't been compromised, as well as the compiler and the rest of the build chain etc. Doable? Yes. Is anyone really doing that? No.

    • If you're not compiling from source yourself, the binary has to come from someone you trust,

      Compiling from source is not a panacea. If you don't audit and understand the source, including all dependencies, you are trusting someone else's word that it is clean. It's turtles all the way down, man.

    • If you're not compiling from source yourself, the binary has to come from someone you trust,

      Agree

  • Is a day I will celebrate. This has been nothing but an albatross around the necks of the whole industry since introduction.

  • Because snap is full of shit.

  • The Cinnamon flavor is my favorite: https://linuxmint.com/ [linuxmint.com]
    • The Cinnamon flavor is my favorite: https://linuxmint.com/ [linuxmint.com]

      This is what I run as well. You can install apps as Snaps, but my experiments with doing so to get usable software were uniformly failures. No more.

    • Mint is a great desktop distro. It doesn't seem very adaptable to headless workstation / server use, unfortunately, at least without a massive amount of fiddling.

  • I'm so glad I pivoted to Debian years ago. I love Canonical, don't get me wrong...for helping Debian get better hardware support in the early days. But the mentality has always seemed to be to lock people into Ubuntu specifically. And I get it, they're trying to make money. It just sucks that doing that seems to always end badly for the community at large.

  • trash
