On 16/06/2016 21:11, Andrew Savchenko wrote:
> On Thu, 16 Jun 2016 15:27:29 +0000 (UTC) James wrote:
>> José Maldonado <josemald89 <at> gmail.com> writes:
>>
>>
>>> In the last days, ArsTechnica published this news:
>>
>>>
>> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
>>>
>>> "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
>>> Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
>>> Canonical's announcement says. "They are currently being validated on
>>> CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
>>> easy to enable on other Linux distributions." (Ubuntu will continue to
>>> support deb packages, but developers can choose to package applications
>>> as snaps instead of or in addition to debs.)"
>>>
>>> Is Gentoo officially supporting Snap packages? Why not Flatpak?
>>>
>>> Thank you very much for your responses! Bye! :)
>>>
>>
>> One word SECURITY? Trust but verify does come to mind.
>
> +1
> It looks like C:/Program Files/ for Linux to me.
>
> It is a complete bundle with all dependency libs, thus
> vulnerabilities can't be fixed by a regular emerge and users will
> need to update _each_ snap separately. If updates will be
> available, but likely they will not be, at least not in time.

So it's like macs then?

>
> I'm not talking about tremendous RAM waste (due to shared objects
> duplication) and disk space waste as well. Both of them can be
> mitigated by deduplication of RAM and disk pages, but this will eat
> lots of CPU and users should be quite advanced to do that.
>
>> Containers are not exactly the most secure apparatus, imho.
>> "Clair is an open source project for the static analysis of vulnerabilities
>> in appc and docker containers." [1]. So, I want to hear about the robustness
>> of the security on these 'self containerd packages.
>
> There is a security audit of the snap already available:
> http://kmkeen.com/maintainers-matter/2016-06-15-11-51-16-472.html
>
> It is quite lengthy, but worth reading.
> Tl;dr: if you care about security of your box, stay away from this
> stuff.

I don't see the part where all these latest fancy container
thingymagicies are not really just "embed everything in everything"

We've known for years the dangers of embedding stuff in packages (it
hardly ever gets updated properly)