Debian 13:

$ uname -r
6.12.88+deb13-amd64

$ snap debug sandbox-features|grep confinement
confinement-options:  classic devmode

$ snap debug confinement
partial

$ aa-enabled
Yes

Ubuntu (24.04):

$ uname -r
6.8.0-117-generic

$ snap debug sandbox-features|grep confinement
confinement-options:  classic devmode strict

$ snap debug confinement
strict

$ aa-enabled
Yes

What does this mean, you ask? Well, basically every Snap package you thought was running isolated in its own little sandbox was running unconfined the whole time. The proprietary app you removed the :home connection from, so it wouldn’t be able to access your home directory? Well, it could have exfiltrated all your private files in the meantime.

How is this not a bigger deal and how are Snaps ever to become mainstream when even today, more than 10 years after the introduction of snaps, you can’t run them sandboxed on a huge portion of Linux distros?
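An added example, not part of the thread or of snapd itself: a POSIX shell script that automates the check the OP ran above and the hello-world.evil probe adarza posts further down. The snap, aa-enabled and awk invocations are real; the helper names, the enforced/degraded/unconfined/devmode vocabulary and the embedded sample outputs (copied from the two hosts in this post) are mine. The parsers take command output as a string so they can be exercised on constructed samples on a machine without snapd.

```shell
#!/bin/sh
# Added example, not from the thread: audit snap confinement on a host.
# The snap/aa-enabled commands are real; the function names and the
# "verdict" vocabulary are mine (assumptions, not snapd terminology).

# sandbox_strict_available "<output of: snap debug sandbox-features>"
# Prints yes if the confinement-options line lists "strict", else no.
sandbox_strict_available() {
    printf '%s\n' "$1" | awk '
        $1 == "confinement-options:" { for (i = 2; i <= NF; i++) if ($i == "strict") found = 1 }
        END { print (found ? "yes" : "no") }'
}

# declared_confinement "<output of: snap info --verbose NAME>"
# Prints the confinement the snap itself declares (strict/classic/devmode).
declared_confinement() {
    printf '%s\n' "$1" | awk '$1 == "confinement:" { print $2; exit }'
}

# verdict HOST_CONFINEMENT DECLARED_CONFINEMENT
#   enforced   strict snap on a host whose "snap debug confinement" is strict
#   degraded   strict snap on a host reporting partial: do not rely on its
#              interface plugs (e.g. a disconnected :home) being enforced
#   unconfined classic snaps never get a sandbox, by design
#   devmode    violations are logged rather than blocked
verdict() {
    case "$2" in
        classic) echo unconfined ;;
        devmode) echo devmode ;;
        strict)
            case "$1" in
                strict) echo enforced ;;
                *)      echo degraded ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# evil_write_denied: the empirical probe shown downthread. hello-world.evil
# tries to create /var/tmp/myevil.txt; a working sandbox denies it. Prints
# yes/no, or skip when snapd or the hello-world snap is not present.
evil_write_denied() {
    command -v snap >/dev/null 2>&1 || { echo skip; return 0; }
    snap list hello-world >/dev/null 2>&1 || { echo skip; return 0; }
    if snap run hello-world.evil 2>&1 | grep -q 'Permission denied'; then
        echo yes
    else
        echo no
    fi
}

# audit_host: live run against the local snapd (no root needed).
audit_host() {
    host=$(snap debug confinement)
    feats=$(snap debug sandbox-features)
    aa=$(aa-enabled 2>/dev/null || true)
    echo "host: confinement=$host strict-option=$(sandbox_strict_available "$feats") apparmor=${aa:-unknown}"
    echo "hello-world.evil write denied: $(evil_write_denied)"
    # snap list: one header line, then one row per snap with the name in column 1
    snap list 2>/dev/null | awk 'NR > 1 { print $1 }' | while read -r name; do
        decl=$(declared_confinement "$(snap info --verbose "$name")")
        printf '%-24s declared=%-8s verdict=%s\n' "$name" "$decl" "$(verdict "$host" "$decl")"
    done
}

# demo: the two hosts from the thread as constructed samples, plus the
# hello-world snap's declared confinement from the snap info output posted.
demo() {
    debian='confinement-options:  classic devmode'
    ubuntu='confinement-options:  classic devmode strict'
    info='notes:
  private:           false
  confinement:       strict
  devmode:           false'
    decl=$(declared_confinement "$info")
    printf 'Debian 13 : strict-option=%s  hello-world verdict=%s\n' \
        "$(sandbox_strict_available "$debian")" "$(verdict partial "$decl")"
    printf 'Ubuntu    : strict-option=%s  hello-world verdict=%s\n' \
        "$(sandbox_strict_available "$ubuntu")" "$(verdict strict "$decl")"
}

if command -v snap >/dev/null 2>&1; then audit_host; else demo; fi
```

Run it as an unprivileged user on the host; without snapd it falls back to the constructed samples. A "degraded" verdict only means the host does not advertise strict confinement for a snap that declares it, and a denied /var/tmp write only shows that one rule is being enforced; neither settles whether every interface plug (such as :home) is enforced, which is the question the OP is raising.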

  • lagoon8622@sh.itjust.works · 5 hours ago · +5 / -1

    What is this, troll day? Nobody cares about snap bc none of us use it. It’s a colossal fuckup and nobody cares about it

  • chronicledmonocle@lemmy.world · 6 hours ago · +6 / -1

    Who TF cares? If you want containerized apps, run Flatpak. There is no application packaged for Snap that I’ve not seen packaged for Flatpak, too. And Flatpak is better in basically every way.

  • adarza@lemmy.ca · 6 hours ago · +2

    have you actually looked at a snap’s status?

    root@cave:~# lsb_release -d
    Description:    Debian GNU/Linux 13 (trixie)
    root@cave:~# uname -r
    6.12.88+deb13-amd64
    root@cave:~# snap debug sandbox-features|grep confinement
    confinement-options:  classic devmode
    root@cave:~# snap debug confinement
    partial
    root@cave:~# aa-enabled
    Yes
    root@cave:~# snap info --verbose hello-world
    name:    hello-world
    summary: The 'hello-world' of snaps
    health:
      status:  unknown
      message: health has not been set
    publisher: Canonical✓
    contact:   snaps@canonical.com
    links:
      contact:
        - mailto:snaps@canonical.com
    license: unset
    description: |
      This is a simple hello world example.
    commands:
      - hello-world.env
      - hello-world.evil
      - hello-world
      - hello-world.sh
    notes:               
      private:           false
      confinement:       strict
      devmode:           false
      jailmode:          false
      trymode:           false
      enabled:           true
      broken:            false
      ignore-validation: false
    snap-id:      buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ
    tracking:     latest/stable
    refresh-date: today at 07:43 CDT
    installed:    6.4 (29) 20.5kB -
    root@cave:~# snap run hello-world.evil
    Hello Evil World!
    This example demonstrates the app confinement
    You should see a permission denied error next
    /snap/hello-world/29/bin/evil: 9: /snap/hello-world/29/bin/evil: cannot create /var/tmp/myevil.txt: Permission denied
    root@cave:~# 
    
    
    • Lemmchen@feddit.org (OP) · 5 hours ago · +1

      I tried running chromium, removing :home and was still able to save and open webpages in ~/test.html. However, this happened through the native file picker dialog.

  • makingStuffForFun@lemmy.ml · 13 hours ago · +15 / -1

    Thank the gods. Nobody wants that proprietary walled garden in Debian.

    It’s just a tool for Ubuntu to control, and maybe even sell itself one day to Goog’s or MS or similar.

    Don’t want it in Debian.

      • Mike@sh.itjust.works · 11 hours ago · +11 / -1

        Last time I checked the Snap Store was proprietary. While you could modify the Snap client, you can’t host your own store and you’re at the whims of Canonical for which apps you can get.

        Meanwhile, both the Flatpak client and server are open, and you could (and some distros do) host your own repo. For example, Fedora has its own repo for Fedora-packaged Flatpak apps alongside Flathub.

  • pogmommy@lemmy.ml · 20 hours ago · +19

    I mean I get the concern but I’d be surprised if even 1% of Debian users had any interest in running snaps

  • hendrik@palaver.p3x.de · 23 hours ago (edited) · +48 / -1

    If I had to guess, this isn’t a bigger issue because Snap is mostly pushed by Canonical. And in a bit of a weird way (proprietary backend, exclusive apps) so… reception in the rest of the Linux community is …mixed. To put it charitably. It’s probably not that relevant for most people outside of the Ubuntu ecosystem. And probably also not a priority for Canonical or the proprietary software vendors.

      • hendrik@palaver.p3x.de · 23 hours ago · +16

        It may not be wise to use a Snap without first understanding the reputation/limitations of Snap.

        seems the Debian Wiki has pretty much your take on it 😅

        • mecen@lemmy.ca · 9 hours ago · +5

          “Important note: Many users are wary of Snaps. Use at your own discretion. They update on their own schedule, and install files to nonstandard locations. It may not be wise to use a Snap without first understanding the reputation/limitations of Snap.”

          • hendrik@palaver.p3x.de · 9 hours ago · +2

            Yeah. And I’d say with the SELinux problems and with what OP wrote, the security model including things like a failure mode to fall open, …silently… There’s more things to be wary of, than what they wrote in those 4 sentences.

  • davel@lemmy.ml · 23 hours ago · +34

    Hardly anyone but Ubuntu users use snap, because snap was created by Ubuntu, and their efforts to get other distros to adopt it never gained traction. Debian users are especially uninterested in using snap, and some people on Debian are ex-Ubuntu users who switched because they didn’t like snap.

    • Slashme@lemmy.world · 11 hours ago · +2

      Yeah, that tracks - I came back to Debian after a few years on Ubuntu, and even before I returned, I removed snap from my Ubuntu system.

  • Eggymatrix@sh.itjust.works · 23 hours ago · +21

    Because snap is an absolute abomination and no one in their right mind is losing time maintaining it. If Canonical wants to push their crap on Debian too, they will need to put in the time to make it work. I really hope they are not making Debian developers lose their precious time on this cancer.

  • Buffalox@lemmy.world · 22 hours ago · +7

    Snaps is something you drink.
    AFAIK only users who have it shoved down their throat by Ubuntu use snap packages.

  • Rioting Pacifist@lemmy.world · 23 hours ago · +9

    Because snaps is a Ubuntu thing, and not particularly widely used on Debian.

    #rank  name        inst     vote     old      recent  no-files
    2      util-linux  4000213  2110588  1172784  345252  371589
    2258   snapd       19307    17314    846      1033    114

    I actually don’t understand what use case snapd on Debian covers better than docker on Debian or snapd on ubuntu

  • placebo@lemmy.zip · 23 hours ago · +6

    Companies are more likely to use Ubuntu instead of plain Debian or another Debian-based distro on their workstations. No one in this chain aims to bring snap packages to other distros and ensure that they work properly there.

      • adarza@lemmy.ca · 6 hours ago · +2

        I know that. I suggested the bug report because snaps themselves do report strict confinement even though snap debug doesn’t list that confinement option’s availability.

        • hendrik@palaver.p3x.de · 5 hours ago · +1

          Uh yeah. That is more information… Sorry, I’m not that familiar with Snaps. It looks to my untrained eye a bit like the report on the Snap itself, maybe it advertises to support running in strict confinement. Which it could… but doesn’t do. (Alike the other channels, which you could install, but didn’t… It’s kind of buried with that kind of information.)

          It’s confusing at least. And the user definitely wouldn’t expect it from that wording. So I’d view it as a separate bug as well. And dropping confinement without notice would be the third thing I’d consider a bug.