I know we all like to hate on canonical for literally any reason, but this happens with every single software repository that is not a closed garden and some that are.
And yeah, it’s sandboxed, so the damage is far, far less than it could be.
Sandboxing does nothing for social-engineering attacks, which is what many of the malicious snaps were designed for.
And the thing that makes the Snap Store uniquely bad is that there’s no human review. Anyone can throw up a malicious snap, and there are very good odds that it’ll get served there. Even the Flathub, a community-run project, has human reviews before new apps get published. Canonical, despite having money and resources that community projects don’t, can’t seem to be bothered to take basic steps to protect their users.
I know we all like to hate on canonical for literally any reason, but this happens with every single software repository that is not a closed garden and some that are.
And yeah, it’s sandboxed, so the damage is far, far less than it could be.
Given that the snap store is a closed source proprietary component, I’d argue that snaps are a walled garden
That was supposed to be their one thing.
Sandboxing does nothing for social-engineering attacks, which is what many of the malicious snaps were designed for.
And the thing that makes the Snap Store uniquely bad is that there’s no human review. Anyone can throw up a malicious snap, and there are very good odds that it’ll get served there. Even the Flathub, a community-run project, has human reviews before new apps get published. Canonical, despite having money and resources that community projects don’t, can’t seem to be bothered to take basic steps to protect their users.
Yeah, what’s important to note is snap just requires a web based submission process.
https://snapcraft.io/docs/using-the-snap-store
Flathub requires a PR in GitHub, visible to the community. Spammers know they will get caught opening PRs
https://docs.flathub.org/docs/for-app-authors/submission/
deleted by creator
I think the main issue here is they are telling users the software is safe without any due diligence.
Closed garden has the same problem too, it’s not immune