It was discovered that someone was uploading apps with a crypto currency miner. The user had had their uploads removed already. My question is, is there any way to know which apps he infected so I can check my system? Was Discord one of those he put up?
I do not know if the data they say on Reddit is true, but it would be good if the directors of Mate pronounced on the veracity of that, and if it is true we would need a list of apps from this developer.
There is a saying, "there is nothing new under the sun".
Think about that for a moment.
I would advise running a commercial "anti-virus" on any client computer, including GNU/Linux. I do.
Sadly, there are, and always have been so it would seem, human beings who are prepared to prey upon their own species. But we do not have to make it easy for them...
I just checked and none of the snaps I had installed were made by Nicolas Tomb, so I'm safe from this one. I think we may need to reconsider snaps though if there's this little oversight on them. Wow. I never thought I'd see the day when I was worried about malware on Linux as something other than theoretical.
That's maybe a bit extreme - after all, there are official snaps as well, some of them even preinstalled in recent versions of UM.
As long as you don't install any dodgy snaps yourself you should be fine.
Just stick with the ones that come with the system, and e.g. if a reputable project like GIMP or VLC publishes their own official snaps those should probably be OK too.
If this is really the advice we're supposed to be following I think I'd rather have repositories back. Those at least make sense, don't clutter my home folder and I don't have to hunt and search the net for the "official" snaps. Having to do all that doesn't strike me as an improvement--it feels like a step back just when the whole world has finally seen the benefits of app stores and central installers.
While I don't think the concept of snaps is all bad, I have to agree that the "app store" distribution model has a tendency to attract all those who want to make a quick buck by less than legitimate means.
If you offer something like that you had better make sure you have the resources to tightly police what gets in there, and even then occasionally something slips through.
Canonical might just have underestimated that aspect, I think...
Btw. this is one of the reasons I prefer the curated approach of the Software Boutique.
People are used to app stores from their mobile devices now, which is why I used the term "app store" when I meant repositories and central installer.
Truthfully we've been very fortunate that this sort of thing never happened with PPAs in the past, but at least with those there was a clear separation of official and unofficial packages. With snaps you're supposed to type in an application name and install. With PPAs you manually add repositories and update to add outside packages.
I don't see the benefit in playing hunt for the package or having to trust random packages with no way to vet them, and clearly no vetting has been done by Ubuntu. All I'm seeing are negatives. This looks like a serious regression to walk away from the superior method of maintained central repositories with a single installer application just as that model arrives to the rest of the computing world.
@Wimpy Considering Mark Shuttleworth announced that the 18.10 release cycle would focus mainly on security, making sure no malware ends up in the Snap store is something Canonical should have on the agenda as well.
I don't think the idea was people trusting the new and shiny snap system less than your average PPA...
The saying was written by King Solomon in Ecclesiastes 1:9
What has been is what will be,
and what has been done is what will be done,
and there is nothing new under the sun.
Well stated and unfortunately a true statement. Humanity has always been its own worst enemy.
We should not really be surprised that someone would try to take advantage of Snap packaging, or Flatpaks for that matter, in this way. It's a relatively new concept in application distribution for Linux, and the full implementation of it has not been realized yet. As such it is an attractive target for those with malicious intents.
When Apple first opened their "App Store", similar things happened. Today the apps in their App Store have a digital signature, but the ability to install software that has not been signed exists in OS X. For obvious reasons of course.
The thing that bothers me most about Snap packages is their ability to update without our consent. I never have been, and never will be, a fan of automatic updates, regardless of what operating system I'm using. We should have the ability to know what is going to be installed on our operating systems prior to it being installed, and then have the ability to either allow or deny the installation or update.
Both @bornagainpenguin and @maximuscore make a point about snaps in the repos. Aren't all our snaps (the ones currently available to us) done via the Ubuntu repos? If we choose to download snaps from the web, the same security procedures must be implemented and the download source checked and scanned before install. I know it is hard to do sometimes, but remember, "Trust no one"!
Not necessarily. It just means that it is currently not nearly as carefully checked as the repositories, because with Ubuntu repositories you mostly have both Debian AND Ubuntu devs going over them. They perhaps need a way of peer reviewing like in the AUR (or that's how I understand the AUR works).
I'm just guessing that it is not as well vetted because they do not have enough developers interested to do the work, as well as the app store model where anybody can create something and upload it. I understand the Google Play store has had a good deal of issues with malware too; it's probably just not the best model for security, however it is a good model for getting a lot of apps to your system. Honestly though, Canonical should probably just hire a couple more people that know what they are doing to go over every app that comes into the store, and just randomly go over apps already in the store as they have time, to make sure no one inserts malware through an update to their snap.