On Saturday, 23 April 2016 at 13:56:45 UTC, Joseph Rushton Wakeling wrote:
On Saturday, 23 April 2016 at 11:29:29 UTC, NX wrote:
I will just leave it here:


This is FUD.

There are no security risks with snappy packages that there aren't with any other existing Linux packaging systems.

But that's more or less what he's saying though, if you read his original blog post. His gripe isn't that it's defect security-wise, but rather that it's being marketed as capital-s Safe. As long as programs run under the X protocol, everything is up for grabs. Snappy doesn't change that fact at all, so widely claiming it makes it impossible to steal data would be cherry-picking Mir behaviour.

"Snaps are intended to make it easier to distribute applications for Ubuntu - they include their dependencies rather than relying on the archive, they can be updated on a schedule that's separate from the distribution itself and they're confined by a strong security policy that makes it impossible for an app to steal your data.

At least, that's what Canonical assert. It's true in a sense - if you're using Snap packages on Mir (ie, Ubuntu mobile) then there's a genuine improvement in security. But if you're using X11 (ie, Ubuntu desktop) it's horribly, awfully misleading. Any Snap package you install is completely capable of copying all your private data to wherever it wants with very little difficulty.

The problem here is the X11 windowing system. X has no real concept of different levels of application trust. Any application can register to receive keystrokes from any other application. Any application can inject fake key events into the input stream. An application that is otherwise confined by strong security policies can simply type into another window. An application that has no access to any of your private data can wait until your session is idle, open an unconfined terminal and then use curl to send your data to a remote site. As long as Ubuntu desktop still uses X11, the Snap format provides you with very little meaningful security. Mir and Wayland both fix this, which is why Wayland is a prerequisite for the sandboxed xdg-app design."

Sandboxing is good but I'm not convinced shipping duplicates of libraries with each program is. Packages were meant to solve this and they do, though .so version conflicts is a thing (albeit a rare one).

Reply via email to