| 1 |
On 16/06/2016 21:11, Andrew Savchenko wrote: |
| 2 |
> On Thu, 16 Jun 2016 15:27:29 +0000 (UTC) James wrote: |
| 3 |
>> José Maldonado <josemald89 <at> gmail.com> writes: |
| 4 |
>> |
| 5 |
>> |
| 6 |
>>> The last days, ArsTechnica publish this new: |
| 7 |
>> |
| 8 |
>>> |
| 9 |
>> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/ |
| 10 |
>>> |
| 11 |
>>> "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu, |
| 12 |
>>> Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu," |
| 13 |
>>> Canonical's announcement says. "They are currently being validated on |
| 14 |
>>> CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are |
| 15 |
>>> easy to enable on other Linux distributions." (Ubuntu will continue to |
| 16 |
>>> support deb packages, but developers can choose to package applications |
| 17 |
>>> as snaps instead of or in addition to debs.)" |
| 18 |
>>> |
| 19 |
>>> Gentoo is supporting officially Snap packages? Why not Flatpak? |
| 20 |
>>> |
| 21 |
>>> Thank you very much for your responses! Bye! :) |
| 22 |
>>> |
| 23 |
>> |
| 24 |
>> One word SECURITY? Trust but verify does come to mind. |
| 25 |
> |
| 26 |
> +1 |
| 27 |
> It looks like C:/Program Files/ for Linux to me. |
| 28 |
> |
| 29 |
> It is a complete bundle with all dependency libs, thus |
| 30 |
> vulnerabilities can't be fixed by a regular emerge and users will |
| 31 |
> need to update _each_ snap separately. If updates will be |
| 32 |
> available, but likely they will not be, at least not in time. |
| 33 |
|
| 34 |
So it's like macs then? |
| 35 |
|
| 36 |
> |
| 37 |
> I'm not talking about tremendous RAM waste (due to shared objects |
| 38 |
> duplication) and disk space waste as well. Both of them can be |
| 39 |
> mitigated by deduplication of RAM and disk pages, but this will eat |
| 40 |
> lots of CPU and users should be quite advanced to do that. |
| 41 |
> |
| 42 |
>> Containers are not exactly the most secure apparatus, imho. |
| 43 |
>> "Clair is an open source project for the static analysis of vulnerabilities |
| 44 |
>> in appc and docker containers." [1]. So, I want to hear about the robustness |
| 45 |
>> of the security on these 'self containerd packages. |
| 46 |
> |
| 47 |
> There is a security audit of the snap already available: |
| 48 |
> http://kmkeen.com/maintainers-matter/2016-06-15-11-51-16-472.html |
| 49 |
> |
| 50 |
> It is quite lengthy, but worth reading. |
| 51 |
> Tl;dr: if you care about security of your box, stay away of this |
| 52 |
> stuff. |
| 53 |
|
| 54 |
I don't see the part where all these latest fancy container |
| 55 |
thingymagicies are not really just "embed everything in everything" |
| 56 |
|
| 57 |
We've known for years the dangers of embedding stuff in packages (it |
| 58 |
hardly ever gets updated properly) |
Archives