Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Ubuntu Software

Canonical Now Doing Manual Reviews For New Packages Due To Scam Apps (gamingonlinux.com) 37

An anonymous reader quotes a report from GamingOnLinux: After repeatedly suffering issues with scam apps making it onto the Snap Store, Canonical maker of Ubuntu Linux have now decided to manually look over submissions. I've covered the issues with the Snap Store a few times now like on March 19th when ten scam crypto apps appeared, got taken down and then reappeared under a different publisher. Also earlier back in February there was an issue where a user actually lost their wallet as a result of a fake app. Multiple fake apps were also put up back in October last year as well, so it was a repeating issue that really needed dealing with properly.

So to try and do something about it, Canonical's Holly Hall has posted on their Discourse forum about how "The Store team and other engineering teams within Canonical have been continuously monitoring new snaps that are being registered, to detect potentially malicious actors" and that they will now do manual reviews whenever people try to register "a new snap name." On top of that soon they will also be releasing a new policy regarding "crypto-wallet and other sensitive snaps" with "guidelines for how to publish such a snap." Currently all of this is not supposed to be long-term, as it's an evolving situation.

This discussion has been archived. No new comments can be posted.

Canonical Now Doing Manual Reviews For New Packages Due To Scam Apps

Comments Filter:
  • Abandon snaps (Score:4, Insightful)

    by Going_Digital ( 1485615 ) on Friday March 29, 2024 @08:04AM (#64353216)
    Hopefully canonical will get fed up with playing cat and mouse withe the scammers and finally give up on the stupid snaps!
    • Re: (Score:2, Troll)

      by sg_oneill ( 159032 )

      The "snaps" are not the problem. Its the crypto shit.

      Just ban the fucking things from the app stores. If people want it, they can download it from github, ./configure && make && make install . Source code distributed apps tend not to last long as scams. Many eyes and shallow problems.

      • Re: (Score:2, Insightful)

        by man machine ( 900254 )

        The "snaps" are not the problem. Its the crypto shit.

        Just ban the fucking things from the app stores. If people want it, they can download it from github, ./configure && make && make install . Source code distributed apps tend not to last long as scams. Many eyes and shallow problems.

        I disagree. The "snaps" are the problem, because unlike the apt-get flow, "snaps" are uncurated. They also auto update by default, and in fact it's very hard not to have them auto update. This means a vendor can easily push malicious content at a later time without most users (and canonical) noticing, even so called "power users". Even Apple lets users control if and when to update. "snaps" as they are implemented now are not an acceptable distribution solution IMO.

    • I completely agree - if only for the environmental advantages. Snap is so prodigiously wasteful of storage and bandwidth - not everyone has it, and for those that do, it's still a waste of money and CO2. We already solved the shared-libraries problem.

    • by Anonymous Coward

      That won't happen. Every release they're pushing more and more proprietary stuff. The snap store in particular is their secret sauce they hope to cash in on.

      Snaps are really bad though. They use resources even when not running them. They duplicate stuff the regular package management system does, using more resources. They are bloated and slow. Just terrible all around.

      Red Hat/IBM's Flatpak is no better. It litters the system with crypted filenames and duplicate stuff the regular package manager can do.

      Sna

    • And then you have google chromium, which is 3.4 Gb in xz compressed sources and bundles its own copy of libXNVCtrl from Nvidia-drivers, abseil-cpp, libaom, dav1d, brotli, crc32c, double-conversion, ffmpeg, hardfbuzz, icu, json-cpp, libevent, libusb, libvpx, openh264, openjpeg, libpng, re2, snappy, woff2, zstd, and libcxx (the C++ standard library).

    • I suspect snaps aren't a problem in this way simply because they are snaps. If canonical gave up on snaps and adopted something else, scammers would likely follow suit.

      Anyway, this isn't a unique problem, other app stores have also been targeted, in the past Apple's App Store and Google's Play Store have both been targeted by this sort of thing.

      I'm certain Windows wouldn't have nearly the reputation for being targeted by malware if it weren't as popular.

      Linux use is gaining in popularity among desktops in

      • by allo ( 1728082 )

        Snaps do not have someone responsible for them. The package maintainers of Debian packages are developers trusted by the project. In snap and flathub each software has its own uploader who isn't vetted by anyone.

      • Thankfully, Valve is working on a security container called pressure vessel which isolates each game and forcibly gives it a traceable parent process name. Unlike the security mess they created on Windows with making a Program Files folder writeable to Everyone by default, they actually seem to care on Linux. At least when they arent nuking your /home with unsafe rm -rf usage.
    • I agree!
    • Abandon it, for what, .deb?

  • by Baron_Yam ( 643147 ) on Friday March 29, 2024 @08:18AM (#64353260)

    If you care at all about what you're distributing, manual review of the source (as in the origin) and the app is the only way to go.

    Automated curating does not work as once the algorithm is known someone will automate the requirements for getting past the algorithm.

    If that's too expensive, you can either shut down or accept that you're going to have your collection poisoned by crap and scamware.

    • I'm fairly sure thats why Apple has always been a little vague on its app store terms beyond the obvious rules, and has never distributed its static analysis tool. As much as its a massive pain for devs, it does make it a hell of a lot harder for scammers to carefullly hedge their way around it.

  • Should be obvious in 2024 that your supply chain is really important. There are a lot of convenient options for obtaining/installing/running software but they require a lot of trust or an unrealistic amount of sleuthing contents and changes. If you want to be more sure of what you are getting then you need to control your sources.

    Pushing the easy button and hoping for the best is a recipe for disaster.

  • Linux is finally popular enough to get malware written for it. 20 years of being the year of the desktop finally broke through.
    • Don't be too enthusiastic already, it's only the non-FOSS cryptocurrency app store section of one particular distro... that is finally popular enough to get malware written for it.

  • Package maintainers follow the development of the programs they are packaging and notice if something is fishy. How often did Debian package a malicious software?

    The problem is, that Ubuntu tries to establish an Appstore instead of using a package repository and now they get the problems that Appstores have.

  • The old Ubuntu would have never used Snaps. Apt works, fullstop.
  • by JThundley ( 631154 ) on Friday March 29, 2024 @12:52PM (#64354002)

    Canonical set out to fix the problem of Linux not being like Windows and really delivered on the promise of downloading and running untrusted dangerous software from random people.

  • Wait, are we saying that automation failed here?

  • Wow! Who could have imagined that having a shitty app store like on android or iphones would result in the same kind of shitty scam apps that they have?

    That's inconceivable!

    Remember kids: if it's not Free Software from a trustworthy source then don't install it.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...