Snap store from Canonical hit with malicious apps

Quoting: Fester_Mudd

Quoting: Fester_MuddOf course they review packages within their resources. Are you serious assuming that they wouldn't at all? Or just a drama seeker towards Canonical and Ubuntu's :)

Quoting: pleasereadthemanualTo me, the above quote suggests that Canonical has never reviewed Snap packages until now.

I'm happy to be corrected.

Honestly. Your handle is "pleasereadthemanual" but here you are just assuming without even bothering to google (you would have found the answer right away). As they take more special measures to tackle this, to you it automatically suggests that before they did not review at all. Sure and upvotes from Ubuntu haters on these grounds i mean it's so obvious.

Linux users should keep together more. Many users could learn to google even, before such assumptions based on well nothing.....

You know, in the space it took to be bitchy, you could have told us all what this google search would reveal to us.


Last edited by Purple Library Guy on 2 October 2023 at 11:58 pm UTC

Quoting: Fester_MuddHonestly. Your handle is "pleasereadthemanual" but here you are just assuming without even bothering to google (you would have found the answer right away).

It's a joke. I'm an Arch user. I have never actually said that to anyone, and you are the first person to take offense to it in my 2 years of using this site.

Quoting: Fester MuddAs they take more special measures to tackle this, to you it automatically suggests that before they did not review at all. Sure and upvotes from Ubuntu haters on these grounds i mean it's so obvious.

It's generous of you to assume I'm lying to create drama.

What exactly makes this manual review special compared to whatever Canonical was doing before? I've read it several times, yet I do not understand what difference you are suggesting there is.

Quoting: Fester MuddLinux users should keep together more. Many users could learn to google even, before such assumptions based on well nothing.....

You mean, my assumption based on reading a 198-word announcement from Canonical themselves? I didn't assume anything. I asked an open question to anyone who did know whether my understanding of the announcement was true.

I read GamingOnLinux because I don't have endless free time to research topics in-depth (particularly those that are only peripherally related to me), and occasionally I rely on other users to teach me things. I've learned a lot from members in this community and had some productive and interesting discussions.

I spent several minutes using a search engine to look this up. The best I could find was this: https://forum.snapcraft.io/t/process-for-reviewing-classic-confinement-snaps/1460

There is this page, too, which vaguely suggests that Snapcraft will run automated reviews for some packages and manual reviews for other packages: https://ubuntu.com/core/services/guide/snap-publishing

Quoting: CanonicalUploaded snaps undergo automated and manual review processes, depending on the security profile of the snap. Snaps are checked by Canonical’s snap reviewer team to ensure that they are safe to use.

Putting the two together, some sort of automated testing was run for all Snap packages that did not use the "classic" profile.

Quoting: poiuzDifferent emphasis.

Could you explain what you are trying to imply by emphasizing this section? "on all new" suggests they weren't doing it before, either. Perhaps you meant to emphasize all, to imply they were manually reviewing some packages?

Quoting: poiuzThere's a review forum.

I assume you're referring to this: https://forum.snapcraft.io/c/store-requests/19

Looking through some old manual review requests, it seems they occur when the Snap package asks for more permissions than expected: https://forum.snapcraft.io/t/manual-review-for-udisks2/36633

There were about 15 manual review requests this year. This one is interesting: https://forum.snapcraft.io/t/request-for-manual-review-of-the-last-brave-releases/35498

Just because it is manually reviewed the first time does not mean that all subsequent releases are automatically approved.

Here's another request for review where the requester expresses discontent about the time it takes to review their packages: https://forum.snapcraft.io/t/manual-review-request-for-several-kde-apps-long-delays/34628

So, going back to the original article, Snapcraft felt the right move was to institute manual review for all Snaps. This suggests the 3 malicious Snaps were automatically approved without manual review. From this, we can conclude that the Snaps did not ask for too many permissions, and yet they were still able to act maliciously. Determining which Snaps to review manually based on permissions, then, is not viable; regardless of what permissions the Snap has, it can potentially cause harm.

Snapcraft also did not take this decision lightly, as they could not cope well with the amount of manual reviews already. This still seems to me like the right decision based on my understanding so far.

Quoting: pleasereadthemanual

Quoting: Fester_MuddHonestly. Your handle is "pleasereadthemanual" but here you are just assuming without even bothering to google (you would have found the answer right away).

It's a joke. I'm an Arch user. I have never actually said that to anyone, and you are the first person to take offense to it in my 2 years of using this site.

You know, now that you mention it, I take offence too! It's offensive to people who read it, and then get offended because they can't read!

I suppose it could be worse, as RTFM



(This post is a joke, don't take it seriously, just trying to lighten the mood a bit.)

Quoting: slaapliedjeThe huge difference between AUR and snap? You can see exactly what the AUR PKGBUILDs are doing...

They're generally built to snag from the upstream repo that you can verify, it verifies the hash against the tarball release, and you can see in the PKGBUILD if anything is being injected into it after that fact...

Yeah, the issue is the combination of AUR-Helpers (or even integrating AUR into the graphical package manager...looking at you, manjaro...) and Arch-based distros targeting 'beginners'.


I don't want to sound elitist, but the concept of the AUR is fine in the context of Arch and its intended userbase. At least it's more likely that 'real' Arch users actually read and understand the PKGBUILD before installing/updating.
But of course now with more and more people just blindly installing AUR-Packages it's becoming more attractive to malware-scum and it's only a matter of time that we'll get some more malicious packages there i fear...

Quoting: TermyI don't want to sound elitist, but the concept of the AUR is fine in the context of Arch and its intended userbase. At least it's more likely that 'real' Arch users actually read and understand the PKGBUILD before installing/updating.

Anybody using Arch, whether they are technically skilled or not, is a "real" Arch user.

I know many Arch users who use Arch itself, who would not even look at the PKGBUILD before using it.

Quoting: pleasereadthemanual

Quoting: Fester_MuddHonestly. Your handle is "pleasereadthemanual" but here you are just assuming without even bothering to google (you would have found the answer right away).

It's a joke. I'm an Arch user. I have never actually said that to anyone, and you are the first person to take offense to it in my 2 years of using this site.

Quoting: Fester MuddAs they take more special measures to tackle this, to you it automatically suggests that before they did not review at all. Sure and upvotes from Ubuntu haters on these grounds i mean it's so obvious.

It's generous of you to assume I'm lying to create drama.

What exactly makes this manual review special compared to whatever Canonical was doing before? I've read it several times, yet I do not understand what difference you are suggesting there is.

Quoting: Fester MuddLinux users should keep together more. Many users could learn to google even, before such assumptions based on well nothing.....

You mean, my assumption based on reading a 198-word announcement from Canonical themselves? I didn't assume anything. I asked an open question to anyone who did know whether my understanding of the announcement was true.

I read GamingOnLinux because I don't have endless free time to research topics in-depth (particularly those that are only peripherally related to me), and occasionally I rely on other users to teach me things. I've learned a lot from members in this community and had some productive and interesting discussions.

I spent several minutes using a search engine to look this up. The best I could find was this: https://forum.snapcraft.io/t/process-for-reviewing-classic-confinement-snaps/1460

There is this page, too, which vaguely suggests that Snapcraft will run automated reviews for some packages and manual reviews for other packages: https://ubuntu.com/core/services/guide/snap-publishing

Quoting: CanonicalUploaded snaps undergo automated and manual review processes, depending on the security profile of the snap. Snaps are checked by Canonical’s snap reviewer team to ensure that they are safe to use.

Putting the two together, some sort of automated testing was run for all Snap packages that did not use the "classic" profile.

Quoting: poiuzDifferent emphasis.

Could you explain what you are trying to imply by emphasizing this section? "on all new" suggests they weren't doing it before, either. Perhaps you meant to emphasize all, to imply they were manually reviewing some packages?

Quoting: poiuzThere's a review forum.

I assume you're referring to this: https://forum.snapcraft.io/c/store-requests/19

Looking through some old manual review requests, it seems they occur when the Snap package asks for more permissions than expected: https://forum.snapcraft.io/t/manual-review-for-udisks2/36633

There were about 15 manual review requests this year. This one is interesting: https://forum.snapcraft.io/t/request-for-manual-review-of-the-last-brave-releases/35498

Just because it is manually reviewed the first time does not mean that all subsequent releases are automatically approved.

Here's another request for review where the requester expresses discontent about the time it takes to review their packages: https://forum.snapcraft.io/t/manual-review-request-for-several-kde-apps-long-delays/34628

So, going back to the original article, Snapcraft felt the right move was to institute manual review for all Snaps. This suggests the 3 malicious Snaps were automatically approved without manual review. From this, we can conclude that the Snaps did not ask for too many permissions, and yet they were still able to act maliciously. Determining which Snaps to review manually based on permissions, then, is not viable; regardless of what permissions the Snap has, it can potentially cause harm.

Snapcraft also did not take this decision lightly, as they could not cope well with the amount of manual reviews already. This still seems to me like the right decision based on my understanding so far.

Now, again you assume much. Why do you keep doing this. You now assume i took offence of your name. No, no, no. I pointed out that you assumed that Canonical does not review at all as they're now taking extra special measures by manually reviewing and your name suggests you're an avid researcher, you know? How can you suggest i accused you of LYING also, when you just asked about it. Please don't dramatize you know full well i did not make you appear like a liar.

They have always reviewed in their limited ability. How could Canonical possibly just think "let all in without any reviews, yeah!". Just no. Maybe google is avoiding you but also Alan Pope talked about the curation of Snap Store.

Quoting: BlackBloodRumAnybody using Arch, whether they are technically skilled or not, is a "real" Arch user.

That's why i put that in quotes. ;)
Like i said, i don't want to be elitist and i'm totally rooting for distros like Manjaro, EndeavourOS and the like - just not in case of the AUR.

Quoting: BlackBloodRumI know many Arch users who use Arch itself, who would not even look at the PKGBUILD before using it.

I know - that doesn't mean that that is a good thing or advisable.

Quoting: Termy

Quoting: BlackBloodRumAnybody using Arch, whether they are technically skilled or not, is a "real" Arch user.

That's why i put that in quotes. ;)
Like i said, i don't want to be elitist and i'm totally rooting for distros like Manjaro, EndeavourOS and the like - just not in case of the AUR.

Quoting: BlackBloodRumI know many Arch users who use Arch itself, who would not even look at the PKGBUILD before using it.

I know - that doesn't mean that that is a good thing or advisable.

Indeed, AUR is very much a "use at your own risk" kind of deal.

But then that's where general computing common sense comes in: How well do you trust the source.

The problem with AUR is, for a new user at least; is it provides a false sense of security. Unlike the regular distribution packages there is a much lower level of validation, so it is possible for AUR to have dangerous packages. Even experienced users may only check a few PKGBUILDs, found they're safe, continue to use it however neglecting to check further.

New users may ask where do I get XYZ? If it's not in the main repos, or available as a Flatpak. If it's in AUR then they'll be instructed to go get it from there. That may be the first time that user has even heard of AUR, so they'll assume it's safe, I mean people wouldn't recommend something dangerous, right?

I should be clear, I'm in agreement with you here. That is, the user should learn to check things. But then that's easier said than done when we're talking about people who may only be using Linux for the first time. The warnings just need to be amplified a bit when it comes to third-party minimally checked stuff (whether that's a flatpak, snap, aur, whatever).

(As for elitism, which distro is best etc.. let's not go there... that topic has been had far too many times, and beaten to death.)

Quoting: Fester MuddNo, no, no. I pointed out that you assumed that Canonical does not review at all as they're now taking extra special measures by manually reviewing [...] How can you suggest i accused you of LYING also, when you just asked about it. Please don't dramatize you know full well i did not make you appear like a liar.

I didn't assume that. If I assumed that, I might have said:

Quoting: pleasereadthemanualWell, that's about what you'd expect when you don't review packages.

I phrased it as a question. I was asking for confirmation. It was not rhetorical. I made it clear this was not rhetorical in my follow-up comment.

You seem to have taken that as me intentionally pretending not to know (lying, or gaslighting, if you prefer; there was clearly an element of deception you were implying) that Snapcraft obviously reviews packages in an attempt to instigate drama. I mean, how could I be honestly suggesting that the phrase temporary manual review might mean that manual review is something that isn't done normally?

I would appreciate if you had done me the courtesy of assuming good faith.

Quoting: Fester Muddand your name suggests you're an avid researcher, you know?

I'll give you that one. Though, since we've both dramatically misinterpreted each other's comments now, I'll go ahead and call us even

Although, in the Arch forums, users might respond with a link that answers the question and nothing else

Maybe I should have gone with pleasegivemethemanual.

Anyway, sorry; I shouldn't have reacted emotionally.

Quoting: Fester MuddMaybe google is avoiding you but also Alan Pope talked about the curation of Snap Store.

I can't seem to find this article on his blog.

Quoting: BlackBloodRumBut then that's easier said than done when we're talking about people who may only be using Linux for the first time.

And that is exactly why i don't think its a good idea for beginner-friendly arch-derivatives to make AUR easily accessible.

Quoting: BlackBloodRumThe warnings just need to be amplified a bit when it comes to third-party minimally checked stuff (whether that's a flatpak, snap, aur, whatever).

Indeed - although that problem is pretty much the same as with the 'normal' windows madness of downloading and running random .exe files that most people have internalized so well...^^

Quoting: Termy

Quoting: BlackBloodRumBut then that's easier said than done when we're talking about people who may only be using Linux for the first time.

And that is exactly why i don't think its a good idea for beginner-friendly arch-derivatives to make AUR easily accessible.

Newbies may also use Arch though, don't forget arch also has the "archinstall" which can automate much of the installation. (or all of it? I'm not sure, I haven't tried it)

Arch isn't difficult to install even without it, since for the most part you can just follow the wiki, which will get you a working installation easily enough.

I myself have pointed some people to Arch who wanted to better understand the inner workings of Linux while they are also relatively new to Linux (or had not used it before). So, it is possible for someone who has an interest in the technical details, to be using Arch as their first distro, so the issue may also directly affect Arch users, not just derivatives. :-).

Although, one would hope such users have better computer common sense, so to speak.

Quoting: Termy

Quoting: BlackBloodRumThe warnings just need to be amplified a bit when it comes to third-party minimally checked stuff (whether that's a flatpak, snap, aur, whatever).

Indeed - although that problem is pretty much the same as with the 'normal' windows madness of downloading and running random .exe files that most people have internalized so well...^^

Windows is less user friendly than Linux, in my opinion. It's a royal pain in the certain end. I hate that pile of brown substance.

Windows has been, and frankly probably always will be a mess when it comes to obtaining applications.


Last edited by BlackBloodRum on 3 October 2023 at 5:31 pm UTC

Quoting: BlackBloodRumsince for the most part you can just follow the wiki,

You would be surprised for how many people even that poses an enormous obstacle if you take a look in the support channels xD

But yeah, you're bringing up a point that many raise against archinstall - even if manual installation is very easy indeed, it at least makes the new arch-user familiar with using the wiki (in theory).

Quoting: BlackBloodRumWindows is less user friendly than Linux, in my opinion

Couldn't agree more. My family-support-efforts dropped to near zero after i installed linux for my mother, aunt and so on...

Quoting: Termy

Quoting: BlackBloodRumsince for the most part you can just follow the wiki,

You would be surprised for how many people even that poses an enormous obstacle if you take a look in the support channels xD

But yeah, you're bringing up a point that many raise against archinstall - even if manual installation is very easy indeed, it at least makes the new arch-user familiar with using the wiki (in theory).

That in my opinion, is not so much the operating system at fault, as it is the user at fault, which brings us back to the original point:

People need to exercise caution. Part of that caution is understanding what they are doing.

With enough warnings in place which could be heavily emphasised, any problem beyond that purely sits with the user that ignored them.

Ideally, we want Linux to be open and accepting for all, technical users or not. I'm not suggesting we "dumb it down" though. The geeky bits are the heart of linux! However, a few words here and there for new users shouldn't be too much, particularly where third party application sources are involved.

Quoting: Termy

Quoting: BlackBloodRumWindows is less user friendly than Linux, in my opinion

Couldn't agree more. My family-support-efforts dropped to near zero after i installed linux for my mother, aunt and so on...

Indeed, Linux just fits everywhere! Ironically my grandma, who is almost 90 now, is a Linux Mint user! She is more of a Linux fanboy than me! My aunt tried to get her to use a new MacOS computer in their home. My grandma? She just complained it's too difficult, confusing etc. Just would not stop complaining about it. Refused to use it. Wanted her Linux back.

Made me proud!

Eventually her old computer was just.. too old. So I upgraded the hardware but to keep things simple I just stuck an offline Linux Mint with the Mate desktop for her games (puzzle mostly, like hidden object etc) and family pictures. She got converted to Linux when I was a wee teen thousands of years ago. So at the time Gnome 2 was dominant, and gnome 3 hadn't destroyed gnome. So, she had used gnome 2 on CentOS 5/6 for many years. I figured it was much easier for a new computer for her to use Mate rather than messing about trying to teach her a new KDE or new Gnome etc. I configured it to look and act exactly the same, so in her mind, it basically is the same.

She uses that happily, I never get a complaint! It's an offline computer that never hits the net (I outright disabled all networking components, and she doesn't have sudo/root privileges. Just in-case another family member who visits her tries something stupid, she gets a lot of teenagers at this point.), so I can basically just forget about it and she's happy!

Meanwhile, her new iPhone my aunt got her? She is always complaining about it!

My guess would be, if it was a Windows computer, I would be having lots of complaints by now!

Linux is perfect for peace of mind, and ease of use, and it just fits in anywhere. Even my mum is on SUSE Leap on her laptop, and my stepdad is on Fedora Kinoite! There is a Linux setup for everyone, somewhere.

Anyway, I shouldn't talk too much about Linux *facepalm*, sorry for derailing the thread!

I remember when Snap Packages were just being introduced. At that time I was running Peppermint OS 8 and was helping people out on the Peppermint Forums. The amount of hate for Snap Packages, for them not installing properly, excluding a lot of features, that the original Deb package has. We sent people to Canonical to complain there and directed people to install the original Deb package, as it will take up far less resources and work straight away, along with all the features.

Then about a year later Malware was found embedded in a Snap Package. My hate for Snap Packages evolved from the amount of complaints and for the fact they run slow, take up way too many resources. Flatpaks at least actually work, AppImages are even better in my opinion, as everything is together in one single download file. Kdenlive AppImage for example is made by the KDE team, so you can run the latest version. I wish for a world without Snap Packages, that's why I run Linux Mint Xfce edition.

Quoting: BlackBloodRum

Quoting: slaapliedje

Quoting: BlackBloodRumIt was inevitable. Flatpak will suffer the same too at some point.

They have their conveniences, but they will always come with this risk.

This is the second time it's happened. Flatpak actually labels stuff as unsafe if you're using the UI. I always check to see if it's made by the upstream project or not. For example, Discord flatpak is not from Discord, you should download the .deb/tar.gz from their website.

That's a recent addition.

The problem is, many people may simply ignore such warnings and use it anyway. But just like anything when it comes to technology, just use common sense and caution, you should be fine.

Right. One of the main reasons Linux is not known for malware and viruses is because the software comes from the distribution themselves. This has the benefit of one of the few attack vectors being actually getting into the repository systems to modify files, which has happened to pretty much any distro at one point or another, but it's not the easiest thing to do.

Flatpak / Snap doesn't have such a barrier, granted if you are one to upload something nasty there, it's likely you won't be given access to do the same in the future.

If people are ignoring the 'This package is unsafe!' then that's really on them, no? Ha, I was using the Flatpak for Discord for while, but then I went to launch it one day and it was like 'yeah, don't do this, we have a deb package.' and then it started downloading that. I had to remove the flatpak one and just use the .deb, which will send me to the website to download the new .deb once there is one... Discord does it weird. Just add a apt repo, ffs, so it'll just update when I 'apt update'.

Quoting: pleasereadthemanualIt's a joke. I'm an Arch user. I have never actually said that to anyone, and you are the first person to take offense to it in my 2 years of using this site.

OMG, I really should have more coffee before I read stuff... I thought for a minute that your user name was 'Pleasured the Manual"

Arch has the best Wiki of any distribution, pretty much no one even remotely close. Well Red Hat's info is supreme as well, but you have to have an account with them.

Quoting: BlackBloodRumIdeally, we want Linux to be open and accepting for all, technical users or not. I'm not suggesting we "dumb it down" though.

Well, it's fine to "dumb it down" - for some users and the distros/DEs/whatever that target those.
And yeah - for those users, there should be as many saveguards and warnings as possible.

But at the same time, that means that the user should choose a distro that fits their needs - if you don't want to learn and read the wiki, Arch probably isn't for you.

As always, problems arise when the user doesn't know what they're doing - and that includes choosing the right distro

Quoting: BlackBloodRumMeanwhile, her new iPhone my aunt got her? She is always complaining about it!

Can personally totally understand - i've never understood why Apples UX is deemed "intuitive". ^^

But my experience is similar - the people that have the least issues when switching to linux are the ones that don't know shit about computers. I guess the fact that they do not try to apply their Windows-Knowledge/Routines to it is a big factor here.
At the same time, advanced computer/Windows-Users tend to have the hardest time if they approach it with the wrong expectations.

Quoting: clatterfordslimI remember when Snap Packages were just being introduced. At that time I was running Peppermint OS 8 and was helping people out on the Peppermint Forums. The amount of hate for Snap Packages, for them not installing properly, excluding a lot of features, that the original Deb package has. We sent people to Canonical to complain there and directed people to install the original Deb package, as it will take up far less resources and work straight away, along with all the features.

Then about a year later Malware was found embedded in a Snap Package. My hate for Snap Packages evolved from the amount of complaints and for the fact they run slow, take up way too many resources. Flatpaks at least actually work, AppImages are even better in my opinion, as everything is together in one single download file. Kdenlive AppImage for example is made by the KDE team, so you can run the latest version. I wish for a world without Snap Packages, that's why I run Linux Mint Xfce edition.

The only thing missing with AppImages for me is that they don't all seem to create a proper .desktop file automatically. Other than that, they're okay. I think the other complaint I have about them is that you have to download a new one to upgrade (for most? At least Cura definitely does it that way) and so you end up with a bunch of different versions of it on your drive...

Quoting: Termy

Quoting: slaapliedjeThe huge difference between AUR and snap? You can see exactly what the AUR PKGBUILDs are doing...

They're generally built to snag from the upstream repo that you can verify, it verifies the hash against the tarball release, and you can see in the PKGBUILD if anything is being injected into it after that fact...

Yeah, the issue is the combination of AUR-Helpers (or even integrating AUR into the graphical package manager...looking at you, manjaro...) and Arch-based distros targeting 'beginners'.


I don't want to sound elitist, but the concept of the AUR is fine in the context of Arch and its intended userbase. At least it's more likely that 'real' Arch users actually read and understand the PKGBUILD before installing/updating.
But of course now with more and more people just blindly installing AUR-Packages it's becoming more attractive to malware-scum and it's only a matter of time that we'll get some more malicious packages there i fear...

I like how Garuda does it. They have a curated list of packages that they build binaries out of. Granted I'm not sure exactly how those are picked and built...
But yeah, Arch is, I feel, not a distributions for beginners to use in the first place. Even the archinstall thing should be for intermediate users. Garuda gets close to being a user friendly Arch based Linux, but the customization they do is pretty extreme.

Quoting: slaapliedje

Quoting: pleasereadthemanualIt's a joke. I'm an Arch user. I have never actually said that to anyone, and you are the first person to take offense to it in my 2 years of using this site.

OMG, I really should have more coffee before I read stuff... I thought for a minute that your user name was 'Pleasured the Manual"

Hmmm . . . manually? Well after all, I'm sure manuals need love too.