Canonical are currently dealing with a security incident with the Snap store, after users noticed multiple fake apps were uploaded so temporary limits have been put in place.
A post on the Snapcraft Discourse forum noted three "Fake Crypto Apps" had appeared on the store, with the user mentioning they "steal funds from user accounts". Canonical reacted pretty quickly removing them, and the packages get replaced with empty ones so that they get updated and removed for anyone who had them installed
Writing a statement Canonical's Igor Ljubuncic said:
Article taken from GamingOnLinux.com.On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps.
As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer be searched or installed.
Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effectively immediately.
If you try to register a new snap while the requirement is active, you will be prompted to “request reserved name”. Upon a successful manual review from the Snap Store staff, the name will be registered. Uploading and releasing revisions for existing snaps will not be affected.
We apologize for any inconvenience this may cause our snap publishers and developers. However, we believe it is the most prudent action at this moment.
We want to thoroughly investigate this incident without introducing any noise into the system, and more importantly, we want to make sure our users have a safe and trusted experience with the Snap Store.
Please bear with us while we conduct our investigation. We will provide a more detailed update in the coming days.
https://www.omgubuntu.co.uk/2018/05/ubuntu-snap-malware
As others have said, it's only a matter of time before Flatpak experiences the same thing.
Fester_Mudd Oct 2, 2023
Quoting: pleasereadthemanualWait, did Canonical not review Snap packages at all before this?
Of course they review packages within their resources. Are you serious assuming that they wouldn't at all? Or just a drama seeker towards Canonical and Ubuntu's :)
pleasereadthemanual Oct 2, 2023
Quoting: dziadulewiczCanonical is now placing a manual review requirement on all Snaps. Logically, we can conclude that they did not manually review snaps before.Quoting: CanonicalFurthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effectively immediately.So, what you was suggesting, wasn't said anywhere ..
Quoting: Fester_MuddOf course they review packages within their resources. Are you serious assuming that they wouldn't at all? Or just a drama seeker towards Canonical and Ubuntu's :)To me, the above quote suggests that Canonical has never reviewed Snap packages until now.
I'm happy to be corrected.
slaapliedje Oct 2, 2023
Quoting: devlandUncurated packages? Like ARCH's AUR that everybody warns you against using?The huge difference between AUR and snap? You can see exactly what the AUR PKGBUILDs are doing...
Oh, it has the canonical logo slapped on it. That's much better. /$
They're generally built to snag from the upstream repo that you can verify, it verifies the hash against the tarball release, and you can see in the PKGBUILD if anything is being injected into it after that fact...
slaapliedje Oct 2, 2023
Quoting: BlackBloodRumIt was inevitable. Flatpak will suffer the same too at some point.This is the second time it's happened. Flatpak actually labels stuff as unsafe if you're using the UI. I always check to see if it's made by the upstream project or not. For example, Discord flatpak is not from Discord, you should download the .deb/tar.gz from their website.
They have their conveniences, but they will always come with this risk.
Quoting: CanonicalFurthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effectively immediately.Different emphasis.
Quoting: pleasereadthemanualI'm happy to be corrected.There's a review forum.
Quoting: slaapliedjeThis is the second time it's happened. Flatpak actually labels stuff as unsafe if you're using the UI. I always check to see if it's made by the upstream project or not. For example, Discord flatpak is not from Discord, you should download the .deb/tar.gz from their website.Labeling doesn't help in such a case. You can steal a wallet's content with almost no system access (network & display are obviously required).
The labels are just a general indicator about the sandbox. Most proprietary applications are unsafe since they don't support Wayland.
But apps like Discord are maintained by known Flathub contributors & should be safe. You can check the build manifests online.
BlackBloodRum Oct 2, 2023
Quoting: slaapliedjeThat's a recent addition.Quoting: BlackBloodRumIt was inevitable. Flatpak will suffer the same too at some point.This is the second time it's happened. Flatpak actually labels stuff as unsafe if you're using the UI. I always check to see if it's made by the upstream project or not. For example, Discord flatpak is not from Discord, you should download the .deb/tar.gz from their website.
They have their conveniences, but they will always come with this risk.
The problem is, many people may simply ignore such warnings and use it anyway. But just like anything when it comes to technology, just use common sense and caution, you should be fine.
Mountain Man Oct 2, 2023
Fester_Mudd Oct 2, 2023
Quoting: Fester_MuddOf course they review packages within their resources. Are you serious assuming that they wouldn't at all? Or just a drama seeker towards Canonical and Ubuntu's :)To me, the above quote suggests that Canonical has never reviewed Snap packages until now.
I'm happy to be corrected.[/quote]
Honestly. Your handle is "pleasereadthemanual" but here you are just assuming without even bothering to google (you would have found the answer right away). As they take more special measures to tackle this, to you it automatically suggests that before they did not review at all. Sure
and upvotes from Ubuntu haters on these grounds 
i mean it's so obvious. Linux users should keep together more. Many users could learn to google even, before such assumptions based on well nothing.....
Patreon
PayPal
See more from me