Results 1 to 7 of 7

Thread: is this a concern.

  1. #1
    Join Date
    Dec 2014
    Beans
    250

    is this a concern.

    Hey All,

    Are these items a risk Mir & Snap(py) to privacy or is this just an overblown article.
    Are theses in all versions of Ubuntu 16.04.

    http://www.networkworld.com/article/...vacy-flaw.html

    http://mjg59.dreamwidth.org/42320.html

    Thanks
    Dell Optiplex 360 (11/28/2008) / Intel Core 2 Duo Processor E6300 Conroe (1.86 GHz, 1066 MHz FSB, 2M Cache, LGA 775 Socket) / DDR2 Memory 3.0 GB, 800 MHz FSB / Graphics Card Nvidia GeForce 7300 LE [G72] PCIE.

  2. #2
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: is this a concern.

    Don't use Snap packages on your desktop...



    I agree with the author that if Snap packages are not secure on the desktop, Canonical should not market it that way -- they should, in fact, warn people.
    Please read The Forum Rules and The Forum Posting Guidelines
    My Blog
    A thing discovered and kept to oneself must be discovered time and again by others. A thing discovered and shared with others need be discovered only the once.
    This universe is crazy. I'm going back to my own.

  3. #3
    Join Date
    Dec 2014
    Beans
    250

    Re: is this a concern.

    How does one determine if a package being downloaded is a Snap package.
    Is there a list or are the packages marked as a Snap package.
    Dell Optiplex 360 (11/28/2008) / Intel Core 2 Duo Processor E6300 Conroe (1.86 GHz, 1066 MHz FSB, 2M Cache, LGA 775 Socket) / DDR2 Memory 3.0 GB, 800 MHz FSB / Graphics Card Nvidia GeForce 7300 LE [G72] PCIE.

  4. #4
    Join Date
    Jun 2010
    Location
    London, England
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: is this a concern.

    Ubuntu 16.04 is still using the X server which it is admitted has potential security flaws that require the X server to be replaced with something else. There are, as far as I know two offered replacements that are under construction. Compositors based on the Wayland protocol and Mir which is being developed by Canonical/Ubuntu developers.

    So, as to your second question, Mir is not in desktop Ubuntu 16.04. The Ubuntu phone & tablet OS is based on Ubuntu 15.04 code and using Mir & Unity 8, which is a version of Unity written to run on MIr.

    Snap packaging is an evolution of the Click packaging used on the Ubuntu phone OS. Click packaging is itself a development of Debian packaging that is used on Ubuntu desktop. There are security features built into the packaging process of both Click & Snap which if not complied with by the app developer will prevent an app from being accepted in the app store.

    Snappy Ubuntu core is a version of Ubuntu where the kernel is a snap and the OS is snap and all the apps are snaps. It does not have a desktop environment or a user interface. I have experimented installing a version of Ubuntu called Ubuntu Personal. It comes as an image file (personal_x86.img) & not as an installable ISO. It ran on MIr & had the Unity 8 user interface that is on the Ubuntu phone. And it was also snappy Ubuntu core. And it is very secure. But the experiment did not progress. There are as yet no builds of personal_x86.img built on 16.04 code.

    If you are interested in understanding the principles of snappy Ubuntu core and any Ubuntu desktop distribution that may in future be built on it, then you can read about it here.

    https://developer.ubuntu.com/en/snappy/

    If we download applications from untrusted sources then we run a risk that we are installing code that has the potential to put security and privacy at risk. This is true with deb packages & rpm (RedHat) packages as it is with Click & Snap packages. I doubt very much if Matthew Garret's snap app would have been accepted into any Ubuntu snap store. And do not forget. His experiment was done with a distribution using the X server.

    Personally, I will feel much more secure using Ubuntu Personal + Mir + Unity 8 + snaps then I would running any distribution built on Fedora and using the X server.

    I will feel more secure using Firefox as a snap packaged application than I do using it as an X application packaged as a deb. Which is what we do now. The quicker applications get packaged as snap and we use them on 16.04, the safer we will all be.

    Regards.
    Last edited by grahammechanical; April 25th, 2016 at 06:18 PM.
    It is a machine. It is more stupid than we are. It will not stop us from doing stupid things.
    Ubuntu user #33,200. Linux user #530,530


  5. #5
    Join Date
    Jun 2010
    Location
    London, England
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: is this a concern.

    If you want to see what snap apps are at present available on Ubuntu 16.04 then run this command

    Code:
    snap find
    This is what you will see
    graham@sdb7-Dev:~$ snap find
    Name Version Summary
    audovia 3.2.1 Database application for making music using JFugue MusicStrings
    canonical-dragon 0.7.1 The gadget snap for the dragonboard
    canonical-i386 3.1 The gadget snap for generic i386 systems
    canonical-pc 3.1 AMD64 generic package
    canonical-pc-linux 4.4.0-18+20160419.13-26 The ubuntu-core kernel snap
    canonical-pi2 3.2 Raspberry Pi 2 support package
    go-example-webserver 16.04-4 Minimal Golang webserver for snappy
    hello-world 6.0 Hello world example
    http 4.6692016 HTTPie in a snap
    links 2.12-1 Web browser running in text mode
    moon-buggy 1.0.51.9 Drive a car across the moon
    nmap 7.12SVN-0.4 Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing
    notes 0.0.8~snap3.gita80fd1c Note-taking application, write down your thoughts
    shout 0.53.0 A self hosted web IRC client
    sshtron 1.0 multiplayer Tron via ssh
    tmux 2.3bump1 tmux
    tor-middle-relay 0.2.7.6-6 Essential infrastructure node for Tor network
    ubuntu-calculator-app 2.1+snap3 Ubuntu Calculator application for the Unity 7 desktop
    ubuntu-clock-app 3.6+snap3 Ubuntu Clock application for the Unity 7 desktop
    ubuntu-core 16.04+20160419.20-55 The ubuntu-core OS snap
    xkcd-webserver 16.04-5 Show random XKCD compic via a build-in webserver
    yacas 1.4.2 Yet Another Computer Algebra System
    At present, if you want to install a snap app you have to use a command. For example,

    Code:
    sudo snap install ubuntu-calculator-app
    to remove a snap app

    Code:
    sudo snap remove ubuntu-calculator-app

    Not all those snap apps are suitable for a desktop GUI.

    Regards.
    It is a machine. It is more stupid than we are. It will not stop us from doing stupid things.
    Ubuntu user #33,200. Linux user #530,530


  6. #6
    Join Date
    Oct 2012
    Beans
    148

    Re: is this a concern.

    These security concerns are not really a problem with snap packaging, but rather with X11. They already exist in the current package format. The articles do not make this very clear, but I think the main point is that, for now, snap packages on the desktop are not really more secure than debs, despite the claims to that effect. They're not less secure either, though. At least, that's what I have gathered from all this.

  7. #7
    Join Date
    Dec 2014
    Beans
    250

    Re: is this a concern.

    Hey All,

    Sounds as though more research is needed on this before anything is really known. It sure seems to sound like maybe some are jumping to fast to criticize before knowing what is happening or going to happen.

    The good I have read about any of this was some thought the time to upgrade or move into the new release would be closer to the 16.04.1 release or until all of this could be implemented properly.

    I am going to have to read the link grahammechanical posted to try and understand this better.
    I guess we wait and see what Canonical & Ubuntu developers decide to do on this.

    Thanks for the replies it does make better sense the way it is explained here.

    Thanks.
    Dell Optiplex 360 (11/28/2008) / Intel Core 2 Duo Processor E6300 Conroe (1.86 GHz, 1066 MHz FSB, 2M Cache, LGA 775 Socket) / DDR2 Memory 3.0 GB, 800 MHz FSB / Graphics Card Nvidia GeForce 7300 LE [G72] PCIE.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •