SCIENTIFIC-LINUX-USERS Archives

April 2020

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Yasha Karant <[log in to unmask]>
Reply To: Yasha Karant <[log in to unmask]>
Date: Sat, 25 Apr 2020 10:45:51 -0700
From the snaps website:  Easily find and install new applications or 
remove existing installed applications with the Snap Store snap.  End quote.

Snaps and snapcraft are from Canonical, i.e., Ubuntu.  The site appears 
legitimate, and appears to mostly support "apps" that are not typical on 
an EL machine, but are typical on consumer machines.  I have learned to 
"trust" the standard repos upon which many SL users rely -- SL itself as 
well as epel and elrepo -- for having clean RPMs (no malware, spyware, 
compromises other than the security defects that are intrinsic to 
however the software is implemented and are regularly patched with 
updated releases).  It appears from others who use the equivalent deb 
files from Ubuntu LTS (Canonical) that similar sanitation is applied by 
Canonical. However, snaps seems to have large numbers of independent 
authors, similar to the add-ons one can get for Mozilla applications 
(and for "smart phone" apps, etc.).  The question is not only the 
functionality, but also whether or not Canonical has sufficiently vetted 
the applications for cleanliness.  Hence, my question to this list.

If RHEL, Oracle EL, or SL provided compromised downloads -- as EL is 
used by large professional/commercial entities around the world -- there 
would be issues noticed and raised from such entities. Evidently, Ubuntu 
LTS is used in a similar fashion to EL. (Obviously, a poorly informed 
person who accepts software from an unvetted source or "pirated" or 
"cracked" software is open to such compromises.)  Canonical is a 
competitor to the pre-IBM Red Hat with a different business model 
(Ubuntu LTS does not require a license to get it in binary installable 
form, and thus does not require a SL solution to get EL at "no cost" -- 
although there are such solutions from other Ubuntu/Debian based distros).

Stay safe.  Take care.

Yasha Karant

On 4/24/20 11:24 PM, Andrew C Aitchison wrote:
> On Sat, 25 Apr 2020, Nico Kadel-Garcia wrote:
>
>> On Sat, Apr 25, 2020 at 1:38 AM Yasha Karant <[log in to unmask]> wrote:
>>
>>> Does anyone know how secure (safe, not malware, spyware, etc.) is Snaps?
>>> Please see below.  Certain applications that are not available for EL but
>>> from other distros, particularly Ubuntu, evidently can be installed via
>>> Snaps.  Epel is a standard EL repo, but Snaps is not.
>>>
>>
>> Never heard of them. This does not bode well. "Containerized packages"
>> hints that they're docker based and will "solve packaging" sounds like...
>> somebody reading Ayn Rand, or Karl Marx, and thinks they learned economics.
>> Having actually packaged and configured various software, I'm deeply
>> suspicious that they did the easy part and sell that.
>
> I tried snaps briefly on a home Ubuntu (19.04 IIRC) machine.
> I don't remember whether they were docker or singularity, but they
> definitely were containers and each "package" was a file that
> was (loop-back?) mounted under /snap (or /snaps).
>
> However I had to abandon them almost immediately as they didn't
> support my particular home directory. For possibly good reasons
> homedirs have to be /home/<username> and not symbolic links.
> (For reasons of dual boot and having added a second disk my home dir
> was a sym-link).
> That struck me as a potentially significant limitation for
> institutional use: in my experience automounters often result in
> sym-linked homedirs.
>
