| 1 |
On Thu, 16 Jun 2016 15:27:29 +0000 (UTC) James wrote: |
| 2 |
> José Maldonado <josemald89 <at> gmail.com> writes: |
| 3 |
> |
| 4 |
> |
| 5 |
> > The last days, ArsTechnica publish this new: |
| 6 |
> |
| 7 |
> > |
| 8 |
> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/ |
| 9 |
> > |
| 10 |
> > "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu, |
| 11 |
> > Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu," |
| 12 |
> > Canonical's announcement says. "They are currently being validated on |
| 13 |
> > CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are |
| 14 |
> > easy to enable on other Linux distributions." (Ubuntu will continue to |
| 15 |
> > support deb packages, but developers can choose to package applications |
| 16 |
> > as snaps instead of or in addition to debs.)" |
| 17 |
> > |
| 18 |
> > Gentoo is supporting officially Snap packages? Why not Flatpak? |
| 19 |
>> |
| 20 |
>> Thank you very much for your responses! Bye! :) |
| 21 |
>> |
| 22 |
> |
| 23 |
> One word SECURITY? Trust but verify does come to mind. |
| 24 |
|
| 25 |
+1 |
| 26 |
It looks like C:/Program Files/ for Linux to me. |
| 27 |
|
| 28 |
It is a complete bundle with all dependency libs, thus |
| 29 |
vulnerabilities can't be fixed by a regular emerge and users will |
| 30 |
need to update _each_ snap separately. If updates will be |
| 31 |
available, but likely they will not be, at least not in time. |
| 32 |
|
| 33 |
I'm not talking about tremendous RAM waste (due to shared objects |
| 34 |
duplication) and disk space waste as well. Both of them can be |
| 35 |
mitigated by deduplication of RAM and disk pages, but this will eat |
| 36 |
lots of CPU and users should be quite advanced to do that. |
| 37 |
|
| 38 |
> Containers are not exactly the most secure apparatus, imho. |
| 39 |
> "Clair is an open source project for the static analysis of vulnerabilities |
| 40 |
> in appc and docker containers." [1]. So, I want to hear about the robustness |
| 41 |
> of the security on these 'self containerd packages. |
| 42 |
|
| 43 |
There is a security audit of the snap already available: |
| 44 |
http://kmkeen.com/maintainers-matter/2016-06-15-11-51-16-472.html |
| 45 |
|
| 46 |
It is quite lengthy, but worth reading. |
| 47 |
Tl;dr: if you care about security of your box, stay away of this |
| 48 |
stuff. |
| 49 |
|
| 50 |
Best regards, |
| 51 |
Andrew Savchenko |
Archives