Not the first time this has happened, but recently the Snap store from Canonical hosted a scam bitcoin app that claimed to be Exodus wallet that caused a user to lose money.
Open platforms often have individuals running/hosting their own repositories, which means the risk is distributed.
This means that the individual repository can be attacked without affecting the whole network. The risk is still there, but they would have to simultaneously attack all repositories at once and succeed with all of them.
In a corporate-hosted platform like Snaps, you have one centralized location that can be abused and that can affect all repositories in the system.
If someone hacks Canonical, they can make the whole Snap Store an attack vector without nearly as much effort.
If someone hacks Canonical, they can make the whole Snap Store an attack vector without nearly as much effort.
So basically the same as if someone hacked flathub? Or if someone hacked Canonical/Debian/Red Hat/whoever and gained access to their package signing key?
People download and run completely opaque AppImages from god knows where and that’s better than Snap Store which is hit with malicious apps so rarely it’s actual news
Flatpak also has a system where any scammer and malicious developer can just roll their own flatpak repo and voila, nobody can stop them. If it ever becomes mainstream, it’ll be a shit show worse than Google Play
I enjoy y’all acting like this couldn’t happen with flatpak or AppImages
It’s happenend with the AUR too.
Snaps however have a certain expectation that newer/inexperienced users should be able to trust them.
Oh, it totally could.
I don’t actually see anyone in here making such an argument.
How is this notable or interesting then? I thought we were all just accepting that malicious software is an inherent part of all open platforms.
Open platforms often have individuals running/hosting their own repositories, which means the risk is distributed.
This means that the individual repository can be attacked without affecting the whole network. The risk is still there, but they would have to simultaneously attack all repositories at once and succeed with all of them.
In a corporate-hosted platform like Snaps, you have one centralized location that can be abused and that can affect all repositories in the system.
If someone hacks Canonical, they can make the whole Snap Store an attack vector without nearly as much effort.
So basically the same as if someone hacked flathub? Or if someone hacked Canonical/Debian/Red Hat/whoever and gained access to their package signing key?
Those are just app distribution formats. Since there’s just 1 snap store which can deliver snaps, they’re not comparable.
People download and run completely opaque AppImages from god knows where and that’s better than Snap Store which is hit with malicious apps so rarely it’s actual news
Flatpak also has a system where any scammer and malicious developer can just roll their own flatpak repo and voila, nobody can stop them. If it ever becomes mainstream, it’ll be a shit show worse than Google Play
What Flatpak stores are there in widespread use other than flathub? (Additional servers that depend on the runtimes flathub distributes don’t count.)