3

Consider a package that is available as a .deb from the publisher as well as a snap from some other (unverified) publisher. A good example for this would be Zoom. The version of the .deb package on their website (Version 5.6.7 (22045.0607)) is exactly the same with the snap's version, however the publisher of the snap package is not verified (no green tick mark in the Publisher column).

Since I am primarily concerned about security, which package should I choose?

BeastOfCaerbannog
  • 14,585
stephanmg
  • 206
  • 1
    Depends which kind of security. If you trust Zoom, the .deb is fine. A snap has some kind of isolation to your system, while with the deb version, the software can access all your data. – pLumo Jun 18 '21 at 11:03
  • So the snap would be "better" in terms of security unless not in strict mode? I mean what about unverified publishers? They could be arbitrary people of zero trust, correct? – stephanmg Jun 18 '21 at 11:05
  • @ArturMeinild then I wonder why the publisher is not verified?! As Canoical is pushing snap forward, I'm curious. – stephanmg Jun 18 '21 at 11:17
  • 1
    I don't know if the snapcraft docs have any guidelines how to be "verified". But I think it's only companies that release their own software that can be verified. Ogra is still a "personal" publisher, that makes 3rd party snaps of other companies software, therefore not verified. At least I think that's how it works. – Artur Meinild Jun 18 '21 at 11:20
  • Ah that's interesting @ArturMeinild. I'm not sure if I should add this as an additional bonus question, but what about the snaps provided by https://github.com/snapcrafters - are they okay to use or is there no general no/yes to this? – stephanmg Jun 18 '21 at 11:23
  • Let us continue this discussion in chat. – Artur Meinild Jun 18 '21 at 11:24

1 Answers1

5

In general, if the snap is kept up to date, this might be a better choice for security. So if you have a feeling the snap is well maintained, go for that. On the other hand, some snaps are NOT well maintained or updated, and in this case the .deb might still be a better choice.

Also, to vet publishers, try to see what other snaps they have released, check their activity on the Snapcraft forum, check on Github etc. This might give you an idea if they're public and active about their snap releases. In the case of Zoom, Oliver Grawert (ogra) is a Canonical employee.

In the case a company doesn't provide a snap version themselves, there is a community of members who distribute snaps called snapcrafters, but individual people can also release 3rd party snaps.

You could say that snaps are still very dependent on that either companies themselves, or reliable 3rd party distributors (like snapcrafters) make and maintain snap packages.

Artur Meinild
  • 26,018