After repeatedly suffering issues with scam apps making it onto the Snap Store, Canonical maker of Ubuntu Linux have now decided to manually look over submissions.
I've covered the issues with the Snap Store a few times now like on March 19th when ten scam crypto apps appeared, got taken down and then reappeared under a different publisher. Also earlier back in February there was an issue where a user actually lost their wallet as a result of a fake app. Multiple fake apps were also put up back in October last year as well, so it was a repeating issue that really needed dealing with properly.
So to try and do something about it, Canonical's Holly Hall has posted on their Discourse forum about how "The Store team and other engineering teams within Canonical have been continuously monitoring new snaps that are being registered, to detect potentially malicious actors" and that they will now do manual reviews whenever people try to register "a new snap name".
On top of that soon they will also be releasing a new policy regarding "crypto-wallet and other sensitive snaps" with "guidelines for how to publish such a snap". Currently all of this is not supposed to be long-term, as it's an evolving situation.
Hopefully this will begin to put an end to scam apps making it into the Snap Store and onto machines running Ubuntu and any other Linux distribution that enables Snap packages.
Quoting: CyborgZetaNo offense to people who like cryptocurrency, but I remain highly distrustful of crypto.I don't understand why. Crypto's value is just as reliable as any other traded commodity with neither any inherent value whatsoever nor any institutional backing. And it has no more scammers than anything else completely dependent on a get-rich-quick mentality to keep it afloat.
Last edited by Purple Library Guy on 29 March 2024 at 5:47 pm UTC
Quoting: Purple Library GuyQuoting: CyborgZetaNo offense to people who like cryptocurrency, but I remain highly distrustful of crypto.I don't understand why. Crypto's value is just as reliable as any other traded commodity with neither any inherent value whatsoever nor any institutional backing. And it has no more scammers than anything else completely dependent on a get-rich-quick mentality to keep it afloat.
Yup, and its created an internet boom-town more dangerous than Dodge (or should that be Doge) City circa 1883! Even more unregulated than the cattle trade circa 1883 too!
This issue (malicious software that is freely available) is precisely why you do not grant your users nearly unchecked access to repositories, and why 3rd party repositories are a dangeous thing.
For the record, this also applies to the Arch AUR, Ubuntu PPAs, Fedora COPR and RPMFusion, OpenSUSE OBS, and even Flathub.
Last edited by sprocket on 30 March 2024 at 3:25 pm UTC
Canonical in 2024: Oh Snap!
Quoting: Vortex_AcheronticCanonical in 2014: Ah Linux is too niche, we do not need any kind of review how bad can it be?No software distribution model is perfect... that being said, the Snap Store has had this happen continually for more than 5 years. You know what happened after the repos for Debian and RH were compromised? They locked that down, created new ways to sign packages, enforced the build servers to sign everything and do some automated checking for things, etc. That is the correct response to something like this. Canonical waiting so long to, 'oh, I suppose we should check these, eh?' is pretty sad state of affairs.
Canonical in 2024: Oh Snap!
There can still be harmful apps in the snap store, but I feel that this is there last chance. If any harmful app appears again in the store even with manual reviews, it’s over.
See more from me