Not the first time this has happened, but recently the Snap store from Canonical hosted a scam bitcoin app that claimed to be "Exodus wallet" that caused a user to lose money.
Posting on the Snapcraft forum an unfortunate user noted their wallet has been emptied after using it, and a day later a Canonical staffer mentioned it had now been removed and they were investigating the incident.
Mark Shuttleworth, CEO of Canonical, has now jumped into the discussion in another forum post to note that while "cryptocurrency is largely a cesspit of ignoble intentions even if the mathematics are interesting", Shuttleworth doesn't think that "banning cryptocurrency apps helps" as "If anything, it would make using Linux much worse.".
Additionally, Shuttleworth also opened an additional forum post to discuss requiring "more comprehensive proof of publisher identity for every publisher" for Snaps. So if you have good ideas for them to implement, to make Snap publishing more secure - drop a reply in the linked post.
Hopefully Canonical come up with a good solution, because repeating issues like this reflect pretty poorly on Snap, Canonical and Ubuntu.
Alan Pope (formerly of Canonical, now Axiom) wrote up two blog posts on it "Exodus Bitcoin Wallet: $490K Swindle" and the follow-up "Exodus Bitcoin Wallet: Follow up 2.0" that you may want to read for a little more background.
Article taken from GamingOnLinux.com.
QuoteAdditionally, Shuttleworth also opened an additional forum post to discuss requiring "more comprehensive proof of publisher identity for every publisher" for Snaps. So if you have good ideas for them to implement, to make Snap publishing more secure - drop a reply in the linked post.... Shouldn't they have thought of this before letting randoms publish to a store?
dziadulewicz Feb 23
"I don’t however think that banning cryptocurrency apps helps. If anything, it would make using Linux much worse.
At least snaps have good, and over time increasingly good, mechanisms for technical confinement. Projects like Ubuntu and Debian and RHEL have relatively rigorous know-your-contributor processes, but apps can’t all be in the distro archives. The other Linux app distribution mechanisms (such as PPAs, Github builds and releases, OBS, or even the containerised ones like Flatpak) don’t have nearly the same technical measures for confinement that snaps do. If we ban cryptocurrency apps from the snap store then those users will simply get apps from those unconfined sources - and then the attacks will be even worse because the apps can go trawling all over the system, or do things like keylogging."
https://forum.snapcraft.io/t/should-unverified-cryptocurrency-apps-be-banned/38919/4
They are adding a high risk category to the store for starters. AI, crypto, fediverse... These newer are here to stay with their challenges and should nor could not be hidden away from. This has very little to do with snaps particularly but i'm sure many want to make it look like that. Things would have been the same with flatpak too.
Quoting: ShabbyXHappy to say I finally switched to Debian last week, no more Canonical nonsense for me thank you very much.
Does Debian have a crypto wallet app in its core repositories? If no (and given that you need such one) - how would you evade a potential scam? The dude entered his 12-word super secret recovery key...
Last edited by Purple Library Guy on 23 February 2024 at 4:56 pm UTC
1. mark any snap that has been uploaded by any one that is not part of the project team or Canonical as unofficial
2. all unofficial apps need to be checked to make shore the snap dose not contain malicious code
3. all snaps need to be randomly checked to make shore the snap dose not contain malicious code
Patreon
PayPal
See more from me