Oh Snap! Canonical now doing manual reviews for new packages due to scam apps
I can recommend a minty flavored alternative if you're sick of it.
I recommend Debian. Why go downstream when you can go upstream?
You mean old Ubuntu?
I'm using Mint and new to it. Does the Mint app store have more security or scrutiny? I'm cautious as most things are lucky to have one or two reviews listed. Many are zero though and it's not quite clear to me yet how to tell if things are from an official source or if they had review.
Packages are usually not official but maintained by your distro, so there are pretty strict controls, especially on Linux Mint Debian Edition. Flatpaks on the other hand come from Flathub and are less controlled, but since they’re sandboxed the security is still good. If you open the website you can see which apps are verified (official) and which aren’t. Flatpaks also have more user reviews in most cases.
It always takes a disaster before corporations act.
Snap still has users?
Anyone using Ubuntu
I use Ubuntu.
Downvotes to the right, mocking laughs to my face.
But not voluntarily. Since it's integrated with apt you randomly get snap garbage installed instead.
Last I used Ubuntu, removing snap was a one time thing that took 5 minutes, of which 4 of them was looking for my notes from the time before.
I ditched Ubuntu, but it wasn't because of snap. Maybe this has changed in the last 3 years?
Before the current iteration of my homelab I used Ubuntu. Never used snap tho.
People still use Ubuntu?
Why just now? Meanwhile, all Debian packages on their apt repos are reviewed and maintained by Debian.
I would imagine the recent xz backdoor discovery spooked them a bit. So now they are going to check things.
We shall see if it continues or not.
I've heard all the arguments about how these new packaging formats are supposed to make things easy for developers and for users with different use cases than my own (apparently), but I will continue to avoid them until they have further matured. I'm relieved that this is still possible.
The idea is good I think but the implementation has only ever caused me problems and seems to have a bunch of frustrating edge cases.
I've been using snaps for a few years now and while they still could use some improvements, the snaps I'm currently using seem to be fairly indistinguishable from deb-based packaging thanks to bug fixes they have done over the years. I think the idea of containerized applications is a good one, I think it actually can be safer. Performance is also fine for me with snap applications even like Firefox snap startup speed, although I'm using an R9 5900x and Gen 4 M2 NVMe SSD so maybe that's why, or maybe they really have improved the snap software and it is just as fast now for the most part.
The problem for me is portability. Flatpak, Snap, AppImage, docker, podman, lxc, they all do the same thing, but they’re splitting the market into “servers” and “desktops”.
We need a portable container runtime we can build from a compose file, run cli or gui apps, and migrate to a server with web app capability displaying the UI. There are too many build targets, and too much virtual market segmentation.
Nix tries to solve the issue, but the problem is you have to use Nix.
How is that not a security theater? You just need to:
The extra cost added to override this is fairly small, I don't think it will help.
Maybe adding a proprietary *layer to an open-source OS was a bad idea (for end users)?
Only took them 6 years of malware
This is the best summary I could come up with:
After repeatedly suffering issues with scam apps making it onto the Snap Store, Canonical, maker of Ubuntu Linux, have now decided to manually look over submissions.
I've covered the issues with the Snap Store a few times now like on March 19th when ten scam crypto apps appeared, got taken down and then reappeared under a different publisher.
Also earlier back in February there was an issue where a user actually lost their wallet as a result of a fake app.
Multiple fake apps were also put up back in October last year as well, so it was a repeating issue that really needed dealing with properly.
So to try and do something about it, Canonical's Holly Hall has posted on their Discourse forum about how "The Store team and other engineering teams within Canonical have been continuously monitoring new snaps that are being registered, to detect potentially malicious actors" and that they will now do manual reviews whenever people try to register "a new snap name".
Hopefully this will begin to put an end to scam apps making it into the Snap Store and onto machines running Ubuntu and any other Linux distribution that enables Snap packages.
The original article contains 238 words, the summary contains 195 words. Saved 18%. I'm a bot and I'm open source!
They should have been doing this from the start.
I'm glad to see that teststeve5 passed the test!
🤣
Just remove the crypto bullshit apps and 99% of the problems will go away.
And maybe release the SnapStore code so they can all scam each other over there.
Just because you don't like a kind of software doesn't mean it has no place
Can you use snaps with autofs/NFS yet?
Or sandbox Snap apps on systems without the Ubuntu AppArmor patches or even using SELinux?
Then I'll be on the last deb until it no longer works. I'm not going down the proprietary snap route.
Maybe it's just me, but I doubt this will be very effective.