• wiki_me@lemmy.ml
    7 months ago

    How is that not security theater? You just need to:

    • publish a good snap
    • change it to malware after it is approved
    • profit

    The extra cost added to override this is fairly small; I don’t think it will help.

    • progandy@feddit.de
      7 months ago

      At least this prevents impersonation of well-known publishers or their software. Maybe all changes to metadata like the description should require a manual review even for established packages.

      • wiki_me@lemmy.ml
        7 months ago

        At least this prevents impersonation of well-known publishers or their software

        How?

        • progandy@feddit.de
          7 months ago

          That depends on the depth of the review, e.g. verifying the submitter is a member of the project, the software name does not conflict with a well known name,…
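A review gate that combines the two points raised above (metadata changes to an already approved package, and submitter or name checks against well-known projects) could look like the following. This is an added illustration, not code from the Snap Store or from anyone in this thread; the well-known name list, the project-member mapping, the reviewed fields and the similarity threshold are constructed assumptions.

```python
import difflib

# Constructed sample policy data (assumptions for illustration only).
WELL_KNOWN_NAMES = {"firefox", "chromium", "vlc", "signal-desktop"}
PROJECT_MEMBERS = {"firefox": {"mozilla"}, "vlc": {"videolan"}}
# Fields whose change after approval should send a revision back to a human.
# "plugs" are the interfaces a snap asks for, so a new one widens its privileges.
REVIEWED_FIELDS = ("name", "publisher", "description", "website", "plugs")


def looks_like_impersonation(name, threshold=0.85):
    """Return the well-known name this one is confusable with, or None.

    An exact match is not impersonation by itself; it is handled by the
    membership check in review_reasons().
    """
    lowered = name.lower()
    for known in WELL_KNOWN_NAMES:
        if lowered == known:
            continue
        if difflib.SequenceMatcher(None, lowered, known).ratio() >= threshold:
            return known
    return None


def review_reasons(previous, submitted, submitter):
    """List why a submission needs manual review (empty list: none needed).

    previous: manifest dict of the approved revision, or None on first submission.
    submitted: manifest dict of the new revision.
    submitter: account name uploading the revision.
    """
    reasons = []
    name = submitted["name"]
    # Well-known name uploaded by someone who is not a known project member.
    if name in WELL_KNOWN_NAMES and submitter not in PROJECT_MEMBERS.get(name, set()):
        reasons.append(f"submitter {submitter!r} is not a known member of {name!r}")
    collided = looks_like_impersonation(name)
    if collided:
        reasons.append(f"name {name!r} is confusable with well-known {collided!r}")
    if previous is None:
        reasons.append("first submission")
        return reasons
    # Established package: any change to reviewed metadata is flagged.
    for field in REVIEWED_FIELDS:
        if previous.get(field) != submitted.get(field):
            reasons.append(f"{field} changed since approved revision")
    return reasons


def needs_manual_review(previous, submitted, submitter):
    return bool(review_reasons(previous, submitted, submitter))
```

A silent swap to a different binary with unchanged metadata is not caught by this gate; it only covers the impersonation and metadata-change cases the comments above describe.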

  • octopus_ink@lemmy.ml
    7 months ago

    I’ve heard all the arguments about how these new packaging formats are supposed to make things easy for developers and for users with different use cases than my own (apparently), but I will continue to avoid them until they have further matured. I’m relieved that this is still possible.

    • ricdeh@lemmy.world
      7 months ago

      True. Actual package managers are still thousands of times superior to flat and snap.

      • Pantherina@feddit.de
        7 months ago

        That sentence makes little sense as both are using package managers that work similarly. Flatpak even uses ostree which is more advanced.

        • octopus_ink@lemmy.ml
          7 months ago

          My thing (I’m not the guy you replied to) is all the various user-facing complaints that I tend to see in these discussions. I use a distro where I can get current versions of anything I’ve ever needed, and I know how to maintain my system.

          As a user, even if the various alternatives are fine most of the time, without concerns about security, integration, etc - I’ve never read anything that would make me want the additional complication. (I say this recognizing that there are security concerns regardless of how you get your software - I’m not saying these new solutions are inherently worse in that regard.)

          I suppose at some point I’ll want or need to embrace flatpak/appimage/snaps, but I can’t find any reason I’d do so now - it feels like it increases the number of gotchas I need to worry about when installing software without actually giving me anything I want that I don’t already get with my “legacy” package manager.

          • Pantherina@feddit.de
            7 months ago

            We don’t live in such a perfect world. Linux has a small marketshare for non-server software, so packaging is done by your distro.

            You would need to have user-facing settings for Apparmor or SELinux to replicate what already exists with Flatpak.

            Principle of least privilege.

            Maybe you prefer native packages, but bubblejail or SELinux confined users are complicated as hell and both are pre-alpha in my experience.

            So yes, you add bloat, dependencies etc. But you also add stability, a small core system, take load off OS developers and unify the packaging efforts so that it is done by developers, not packagers.

            This reduces complexity a lot, as the underlying system is not as important anymore, and you can just use whatever you want. Software is separated from the OS.

            Flatpak is the only good format, as explained in this talk

            (Snap has no sandboxing outside of Ubuntu and is thus not portable, Appimages are inherently insecure)

    • AChiTenshi@sh.itjust.works
      7 months ago

      I would imagine the recent xz backdoor discovery spooked them a bit. So now they are going to check things.

      We shall see if it continues or not.