2

I reported a bug with LibreOffice (the 'official' bionic-upgrade version) and LO support person suggested upgrading to a current version from their site. They said I was using an old version.

I prefer to upgrade via 'Ubuntu Software' in an attempt to reduce risk (security and stability) so I looked there.

It caused me to wonder if the more up-to-date, snap version, which also appears in 'Ubuntu Software' alongside , is (more) trustworthy than the Canonical-distributed one.

Basically, how much trust can be placed in snap of a provider? This obviously requires comparing it to the trustworthiness of Canonical Corp...!

p.s. Please don't simply suggest to learn to read code and I won't suggest you learn DIY open heart surgery; humans specialise.

Little me
  • 105
  • https://askubuntu.com/questions/1179175/are-snap-and-flatpack-apps-safe-to-install-are-they-official-approved-or-tes – adasiko Feb 18 '20 at 17:13

2 Answers

2

https://readyspace.co.id/en/a-technical-comparison-between-the-snap-and-the-flatpak-formats/ gives an overview of Snaps and speaks to the security advantages. In part:

From the security perspective, snaps are isolated from the system using a combination of several mechanisms, including AppArmor, SecComp, cgroups, and others. By default, snaps cannot access resources outside their sandbox. Granular access is provided through interfaces.

Also, Snaps are distributed through a repository operated by Canonical. Since Canonical builds Ubuntu, the same level of security for Ubuntu itself should be provided to the users of Snaps.

Therefore, I conclude the security of a Snap-installed app is on a par with an app included with the original installation of Ubuntu, or an app installed or updated post-installation through Ubuntu Software, and the added sandboxing of a Snap can add to your system's security. Certainly it is more secure than an app installed by installing a downloaded .DEB or using a PPA.

https://www.darkreading.com/application-security/how-hackers-infiltrate-open-source-projects-/d/d-id/1335072 also adds a little insight:

In almost all open source projects, contributors must have their work vetted by other members before the code is accepted as part of the project. The level of review varies with the individual's reputation — as they become more trusted, fewer layers of review may be required. Especially in the larger, more well-known open source projects such as major Linux distributions, the procedures are well-defined and the labor pool large enough to enforce those procedures on a consistent basis.

K7AAY
  • 17,202
  • 1
    Thanks @K7AAY for one of these 2 great answers. One concern from your answer is that 'operated by Canonical' is not the same level of oversight as 'built/released by Canonical'... It leaves me wondering, who are the snapcrafters & can I easily determine/know if the standard repo version is merely wrapped up in a snap form then dropped into the snap repo. Some snap versions seem to have different functionality; ergo could be different in malicious ways. If the number of snapcrafters is limited & snap targets noobs, then it could open a new opportunity for an evil snapcrafter. – Little me Feb 19 '20 at 21:11
  • You may wish to nose around the web to explore your concern, as well as on the Snapcraft forum https://forum.snapcraft.io/categories, and get a little background before asking some hard questions there. – K7AAY Feb 19 '20 at 21:15
  • 1
    Fair point. I researched my first question but had no definitive or rich answer (I didn't even find the similar questions here). I'll head off, armed with all this fresh info from this page. Thanks again! – Little me Feb 19 '20 at 21:24
1

Most folks are familiar with the Ship Of Theseus question: If you replace all the parts, is it still the same ship? If you took all the original parts and rebuilt the original parts, which is the original ship?

This question about "safest" heads down some of the same meta paths. There are three alternatives, and they all arrive at the same location, but at different times.

When a high-priority vulnerability in --let's say-- LibreOffice 6.0 is disclosed and a patch created, the patch moves in several directions:

  1. The Ubuntu Security Team uses the patch, and issues a security fix without bumping the version number. Version 6.0 remains version 6.0, but the vulnerability is now gone.

    Under the hood, you can see this in the package version that apt sees: 6.0.7-0ubuntu0.18.04.10. It's not stock 6.0 (with the vulnerability) anymore.

    This patched package goes out through the -security pocket of the Ubuntu repositories, and most folks get it installed in the background without even noticing that anything changed.

  2. LibreOffice adds the patch to all their other changes and issues a new, exciting release a few weeks later: Version 6.1! Everybody should update! New security fixes!

    This update gets packed in the next release of Ubuntu, and gets pushed to Snap users. Example: Ubuntu 19.10 uses LO 6.3, and Ubuntu 20.04 is testing LO 6.4. The current LO snap is also 6.4.

    What the update hype does not mention is that Ubuntu users of 6.0 and 6.3 get most of the SAME security fixes as 6.4 users, right away (see #1 above). Their systems are just as safe as newer versions.

The upshot is that it doesn't matter which Ship Of Theseus you are standing upon. They all travel safely. Your choice of LTS Release/Interim Release/Upstream Release/Snap does not need to be based upon the criteria of safety. They are all safe. Your choice should be based upon convenience -- which kind you are most comfortable working with.

Admittedly, lots of folks (like that well-meaning LO support person) don't quite understand how Ubuntu security works. Their insistence that newer-is-better is understandable from the upgrade-hype, though still perhaps misguided. As long as you have -security enabled and Unattended Upgrades enabled, your 18.04 version of LO is SAFE. Just as safe as everybody else's newer versions and snaps.

user535733
  • 62,253
  • Thanks for taking the time to respond with so much detail. For those in the UK, by The Ship Of Theseus, @user535733 is referring to the complexities of Trigger's Broom (https://www.youtube.com/watch?v=LAh8HryVaeY). Now, I need to know if the snapcrafters are suitably overseen. – Little me Feb 19 '20 at 21:21
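The two things the answer above tells you to look at on an 18.04 box, the Ubuntu revision counter in the package version and whether the installed build came through the -security pocket, can be checked with a couple of shell functions. This is an added example, not code from the answer; the `apt-cache policy` text it parses is a constructed sample in apt-cache's output shape, not a capture from a real system.

```shell
#!/bin/sh
# Added example, not code from the answers above. decode_version() splits an
# Ubuntu package version such as the quoted 6.0.7-0ubuntu0.18.04.10 into its
# parts; installed_pocket() reads `apt-cache policy <pkg>` output and reports
# whether the installed build is served from a -security pocket. SAMPLE_POLICY
# is CONSTRUCTED text; on a live 18.04 system pipe in: apt-cache policy libreoffice

# Print "upstream debian_revision ubuntu_series ubuntu_update".
# 6.0.7-0ubuntu0.18.04.10 -> "6.0.7 0 18.04 10": upstream 6.0.7, no Debian
# upload (0), built for Ubuntu 18.04, tenth Ubuntu revision; the security
# patch lives in that last counter while the upstream number stays 6.0.
decode_version() {
    v="${1#*:}"                          # drop an epoch prefix such as "1:"
    upstream="${v%%-*}"                  # 6.0.7
    rest="${v#*-}"                       # 0ubuntu0.18.04.10
    case "$rest" in
        *ubuntu*.*.*)                    # stable-release update with series
            debrev="${rest%%ubuntu*}"                 # 0
            t="${rest#*ubuntu}"; t="${t#*.}"          # 18.04.10
            series="${t%.*}"; update="${t##*.}" ;;    # 18.04 / 10
        *ubuntu*)                        # devel-series build, e.g. 0ubuntu1
            debrev="${rest%%ubuntu*}"; series="-"; update="${rest#*ubuntu}" ;;
        *)                               # unmodified Debian revision
            debrev="$rest"; series="-"; update="-" ;;
    esac
    printf '%s %s %s %s\n' "$upstream" "$debrev" "$series" "$update"
}

# Print "security" if the installed (***) version is served from a
# -security pocket, otherwise "other".
installed_pocket() {
    awk '/^ \*\*\* / { inblock = 1; next }
         inblock && !/http|\/var\/lib\/dpkg/ { inblock = 0 }  # next version
         inblock && /-security\// { found = 1 }
         END { print (found ? "security" : "other") }'
}

SAMPLE_POLICY=$(cat <<'EOF'
libreoffice:
  Installed: 1:6.0.7-0ubuntu0.18.04.10
  Candidate: 1:6.0.7-0ubuntu0.18.04.10
  Version table:
 *** 1:6.0.7-0ubuntu0.18.04.10 500
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1:6.0.3-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
EOF
)
decode_version 1:6.0.7-0ubuntu0.18.04.10
printf '%s\n' "$SAMPLE_POLICY" | installed_pocket
```

If the installed build reports "other" while a newer `-security` version appears in the table, the security pocket is reachable but the update has not been applied yet, which is what the answer's Unattended Upgrades condition is about.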