Using Snaps in Ubuntu MATE

Hello,

As a home user of Ubuntu MATE I have a big reservation for the usage of snaps. The reservation is that I, as a user, cannot control when snaps update, like I can with all other packages. This has been discussed heavily in the snap forums and Ubuntu developers refuse to introduce such functionality.

Given this situation I would like to suggest avoiding the use of snaps in the base system. (I know about Pulsemixer in 17.10 and I don’t mind one package doing this so Ubuntu (MATE) developers can get some useful information.) However I don’t think it’s appropriate to proliferate snap usage and therefore unpredictable update behavior to the core system. The user cannot configure when snaps update like he can with all other packages. (For example I cannot stop them from updating on my parent’s laptop until I get there to manually make sure everything goes smoothly.) The system packages will have their dependencies closely watched as the operating system is developed and tested so I think (caveat, I’m not that knowledgeable on the subject) that the installation and isolation of dependencies do not add much versus the extra disk space they will occupy. On the other hand for an application like Steam, that uses outdated 32-bit libraries, I can see a use case for a snap versus a deb package install.

5 Likes

Hi @Karsus,

I don’t think the base system of Ubuntu is using snaps; afaik, snaps are only used for the installed apps and not system files? Maybe someone can shed some light on the matter.

I think we would have to ask @wimpy as he should have the answer to that? :smiley:

It is now possible to defer snap updates, for a maximum of 60 days. After 60 days they will update. So some control is available. Snap updates are also binary deltas, so you’re not pulling the whole snap each time. Snaps update automatically because the research Canonical has done shows that a surprisingly low percentage of Ubuntu users actually apply critical security updates when prompted.

Ubuntu MATE 18.04 is seeding snaps of pulsemixer, ubuntu-mate-welcome and software-boutique. The main reason for shipping ubuntu-mate-welcome and software-boutique as snaps is that it enables us to improve those applications outside of the usual constraints of fixed release cycles. We can, and will, iterate on both to deliver some significant improvements, fixes, new application listings, translations, etc. All of which will be immediately available to all Ubuntu MATE users. And all Ubuntu MATE users will be running the same versions of both, which makes support much easier.

While Ubuntu MATE Welcome did have an option to subscribe to updates, which connected a PPA, few users actually made use of the feature and never got to enjoy the improvements we made in the last 2 years.

9 Likes

Why do I need a predictable update schedule? Honest question. I like that snaps create their own file structure. Keeps stuff organized.

1 Like

Why do I need a predictable update schedule?

One possibility is as Karsus mentioned, above, where someone is manually managing updates for another user who is not technology-savvy.

Another is where you want to stop updates for a particular package that breaks something in your workflow. For example, I use EasyTAG to manage ID3 tags on my podcast files. The latest version works great for MP3 files but breaks the OGG downloads on some podcast receiving software. The previous version works perfectly, so I prevent that single package from updating automatically.

4 Likes

The mere concept of snaps and automatic updates brings back some nightmare feeling into those old Win users that felt they were dumped changes they didn’t need and ‘features’ that were more toward the big company benefit than the user himself. Even also for those that feel that these snaps are just a 1st step in the Linux/MS “rapprochement” (Yeah, I know… there’s quite a few fans of conspiracy theories around)

But there is certainly an answer to that sort of preoccupation, that I don’t know of. That would demonstrate that a snap cannot be used by a software provider to manage a back-door of their own. Essentially, an explanation for all those that are green and novice and not programmers (I am part of) and have no clue whatsoever what it is all about. Maybe a Wiki page on Snaps exists out there? (Not Schnapps… Hic!)

W

2 Likes

To be honest I love snaps. It’s making everything easier.
I thought updates were thrown by their own developers?
If you use Windows, each piece of software has its own “update system”

1 Like

Thanks for the replies everyone, and Ubuntu MATE developers for your good work.

The update deferral, as well as other options mentioned in the snap thread, have been discussed there. Snaps are a very good technology for several use cases. Having some snaps in the base system means I have less control over it - and controlling/tinkering my system is one of the reasons I use free software. However, if the use-cases for them are thought out and limited, as presented by Wimpy here, then it’s a good compromise (from my perspective). But please be very conservative about the proliferation of snaps in the base system.

Regarding user installable applications, the user has choice in what he installs and can/should weigh the trade-offs, so that’s ok as far as I’m concerned.

2 Likes

I’m glad someone brought this up. This is a natural progression. Old timers can’t stand losing control and the general user doesn’t want to deal with it.

Since there is no way I’d run with snapd installed I’ve been testing 18.04 with it removed. No problem so far. I believe it works both ways - the isolated nature of snaps keeps them independent from the system.

4 Likes

I see. So it needs to be weighed carefully what kind of software is suitable to be a snap.

Snaps of one application will not (at least should not) break another application, as all dependencies are self contained and each application has its own dependencies in the snap. So you could have four different versions of the same dependency on your system but they cannot mess with each other or cause problems because they are sandboxed, and snap updates are controlled by the developers, so unless they break something…

@Bill_MI I don’t know if using Linux for 2.5 years classifies me as an oldtimer but I don’t think that using stereotypes to classify me as a person helps the discussion.

If the user doesn’t want to deal with updates he can set the auto update option at the Software and Updates program. The problem is that Software and Updates does not control when snaps update.

Additionally as a clarification, the problem is not that a snap update of applicationX outside of the user’s control will bring the system down. The problem is that applicationX updating without the user’s control may break itself and the user will have no idea why/when it happened. Bugs happen in software and will keep happening. As an example let me bring Intel’s microcode update bugs after the Spectre/Meltdown vulnerabilities. Now if applicationX is part of the base system, the system might be affected because other installed apps may well depend on applicationX functioning.

1 Like

Hi @Karsus, Sorry if you took my abbreviated description personally. It was definitely not intended that way. I had written a way-too-long comparison to the automobile and how many old timers resisted the concept shouting “get a horse!” That’s probably me. :slight_smile:

But I do see a lack of yet another side-effect mention of allowing programs running around the net - information leakage. Mozilla’s the worst in my world. Apple, Google and Microsoft are beyond repair.

1 Like

It has been said thousands of times, but… Anything automatic can automatically bite you.

IMO, @Karsus has reason to be concerned. Yes Linux is robust and seldom hacked compared to Win, but as @Watford pointed out, this could create a/another backdoor for hackers.

Hackers’ skills have improved as the software improved. There is hardly anywhere they haven’t been and undoubtedly numerous places we don’t know they have been. Many unexplained events occur to create havoc in our lives.

I think the most troubling item I read was from the Datamation site:

“I do have concerns about potential unforeseen security “gotchas” yet to be discovered. Not because of the X11 comments above, rather due to the automated approval process for snap packages.”

I hope they are mistaken. If it can be automatically approved where are the human checks and balances?

I am not a programmer. I am barely a user. I wouldn’t know a snap if it bit me on the ankle. I just know that automatic is good as long as it works and it automatically has a chance to break more than itself.

Last, snaps seem to be an Ubuntu “thing”. Why would any other distro jump on the band wagon? Sure they can, but why?

1 Like

@fey42, Other distros may opt to use snaps because as a technology they do solve some problems. Namely they allow you to not pollute your system with bad dependencies in order to install a badly written application (or just an application with a lot of dependencies).

Unfortunately Canonical’s decision to not allow control of updates means that users will have to weigh the technical merits of snap with their governance problems. This is most likely the reason why non-Ubuntu distributions don’t jump on snaps - but I’m guessing here so don’t quote me on this.

If you believe that Canonical should consider allowing users to control when snaps update you can, politely please, say so on the snap development thread I posted on my first post.

2 Likes

Only strictly confined snaps are subject to automatic approval, but they are still subject to scanning by the review tools which interrogate the snap and its contents looking for characteristics of malicious software.

1 Like

Yes, and that is for a reason. My experience is that updates always cause problems. As an extreme example, every time I update the whole system from one LTS to the next, it takes me six weeks to get my computer back to the way I want it (stats from doing it three times). Once I get it working I freeze it for two years. I'm not going to risk wrecking it with so-called critical security updates.

1 Like

Ouch. So I keep deferring and then when I am in the middle of some time critical process, my computer freezes because it's downloading a snap.

I looked at the thread in the snap forum. A bit horrifed (sorry for the misspelling - a piece of advice popped up as I was typing and lost me a keypress) by examples such as

I can’t imagine an autopilot saying on a highway at 200km/h: “Hey there! We haven’t updated the system for two months, you deferred it 10 times and I give no more chance! I’m gonna download the core snap now over 4G, update it and reboot your vehicle. You’d better pray”.

However I found this advice which I will probably adopt:

I’ll just block it by pointing api.snapcraft.io to 127.0.0.1 in the hosts file for now as a workaround, but I’d prefer to do it through a global switch in the future.

I had a look at

Interesting comments:

For one thing the Firefox Snap package is a 193MB download — that’s 120MB bigger than the regular version available to download from the Mozilla website!

Like the majority of Snap apps the Firefox snap also has theming issues.

But, other than taking a veritable age to start up (a problem all Snap apps have) I haven’t noticed any major issues in using the Firefox snap package as a normal web browser with regular pages.
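
The hosts-file workaround quoted earlier in the thread (pointing api.snapcraft.io at 127.0.0.1) stops every snap refresh, security fixes included, and leaves no trace in any update setting. The following is an added example, not code from any poster or from snapd, that checks a hosts file for such an entry; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a hosts entry that sinkholes the snap store API host.

STORE_HOST="api.snapcraft.io"   # hostname quoted in the thread

# Print "line:address" for each active entry in hosts file $2 that maps
# hostname $1 to a loopback or unspecified address.
find_sinkhole_entries() {
    awk -v host="$1" '
        {
            sub(/#.*/, "")              # strip comments, fields are re-split
            if (NF < 2) next            # blank line or address without names
            addr = tolower($1)
            if (addr !~ /^127\./ && addr != "0.0.0.0" && addr != "::1" && addr != "::") next
            for (i = 2; i <= NF; i++)   # a line may carry several names
                if (tolower($i) == tolower(host)) print NR ":" addr
        }
    ' "$2"
}

# Exit status 0 when the store host is sinkholed in the given hosts file
# (default /etc/hosts), 1 otherwise.
store_is_blocked() {
    [ -n "$(find_sinkhole_entries "$STORE_HOST" "${1:-/etc/hosts}")" ]
}

# Constructed sample hosts file: only line 4 is an active sinkhole entry.
make_sample_hosts() {
    cat <<'EOF'
127.0.0.1   localhost
# 127.0.0.1 api.snapcraft.io   (commented out, not active)
192.0.2.10  mirror.example api.snapcraft.io
127.0.0.1   foo.example API.snapcraft.io  # workaround
0.0.0.0     api.snapcraft.io.example
EOF
}

sample=$(mktemp)
make_sample_hosts > "$sample"
if store_is_blocked "$sample"; then
    echo "snap store is blocked by these hosts entries (line:address):"
    find_sinkhole_entries "$STORE_HOST" "$sample"
fi
rm -f "$sample"
```

Calling `store_is_blocked` with no argument checks `/etc/hosts` on the machine it runs on.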