On Saturday, 23 April 2016 at 13:56:45 UTC, Joseph Rushton
Wakeling wrote:
On Saturday, 23 April 2016 at 11:29:29 UTC, NX wrote:
I will just leave it here:
http://www.zdnet.com/article/linux-expert-matthew-garrett-ubuntu-16-04s-new-snap-format-is-a-security-risk/
This is FUD.
There are no security risks with snappy packages that there
aren't with any other existing Linux packaging systems.
But that's more or less what he's saying though, if you read his
original blog post. His gripe isn't that it's defect
security-wise, but rather that it's being marketed as capital-s
Safe. As long as programs run under the X protocol, everything is
up for grabs. Snappy doesn't change that fact at all, so widely
claiming it makes it impossible to steal data would be
cherry-picking Mir behaviour.
"Snaps are intended to make it easier to distribute applications
for Ubuntu - they include their dependencies rather than relying
on the archive, they can be updated on a schedule that's separate
from the distribution itself and they're confined by a strong
security policy that makes it impossible for an app to steal your
data.
At least, that's what Canonical assert. It's true in a sense - if
you're using Snap packages on Mir (ie, Ubuntu mobile) then
there's a genuine improvement in security. But if you're using
X11 (ie, Ubuntu desktop) it's horribly, awfully misleading. Any
Snap package you install is completely capable of copying all
your private data to wherever it wants with very little
difficulty.
The problem here is the X11 windowing system. X has no real
concept of different levels of application trust. Any application
can register to receive keystrokes from any other application.
Any application can inject fake key events into the input stream.
An application that is otherwise confined by strong security
policies can simply type into another window. An application that
has no access to any of your private data can wait until your
session is idle, open an unconfined terminal and then use curl to
send your data to a remote site. As long as Ubuntu desktop still
uses X11, the Snap format provides you with very little
meaningful security. Mir and Wayland both fix this, which is why
Wayland is a prerequisite for the sandboxed xdg-app design."
Sandboxing is good but I'm not convinced shipping duplicates of
libraries with each program is. Packages were meant to solve this
and they do, though .so version conflicts is a thing (albeit a
rare one).