Snap Store / snaps / snapd / snapcraft.io - a new software source?

This is interesting because it contains some popular applications not available from any debian package repository. For example:




Are application software signatures (GPG) verified end-to-end? I.e. signed by the developer and verified on the local computer? Or is it only as safe as HTTPS?

Is it required to trust the source (snapcraft.io), which is run by Canonical (they also host Ubuntu and have some issues)?

It doesn’t use GPG verification but it does use AppArmor and sandboxing.

Yes. It’s needed to trust Canonical.

Something similar to Snap that may be worth looking into is Flatpak. It uses GPG verification and sandboxing.


Snaps are a Canonical attempt to create application lock-in. Flatpak is the superior alternative and allows decentralization and verification.


Snap is interesting in the context of Chromium Browser for Kicksecure Discussions (not Whonix) since it provides a source for chromium:

Its security needs to be researched.

Quote from ISV questions about signing a snap - store - snapcraft.io:

Snaps are signed and snapd checks it before installation.

Does Snap pass the TUF Threat Model, TUF: Attacks and Weaknesses [archive]?

Server components of the snap packaging system remain closed which gives Canonical control over the tech. Avoiding the support and proliferation of their lock-in format is a good move IMO.

Related:


They do little oversight of package safety/maintenance. A hidden cryptocurrency miner was slipped through in uploads.

Quote from Snap (software) - Wikipedia:

All apps uploaded to the Snap Store undergo automatic testing, including a malware scan. However, Snap apps do not receive the same level of verification as software in the regular Ubuntu archives. In one case in May 2018, two applications by the same developer were found to contain a cryptocurrency miner which ran in the background during application execution. When this issue was found, Canonical removed the applications from the Snap Store and transferred ownership of the Snaps to a trusted third-party which re-published the Snaps without the miner present.[10][11][12] Although the Snap sandbox reduces the impact of a malicious app, Canonical recommends users only install Snaps from publishers trusted by the user.[13][14]

That disqualifies it as a general recommendation.

At time of writing, chromium in snapstore was from publisher Canonical with a green arrow standing for verified account.

Therefore in the context of Chromium Browser for Kicksecure Discussions (not Whonix) - #56 by HulaHoop it could still be good enough.

Major apps lacked updates for a long time.

Also in the context of Chromium Browser for Kicksecure Discussions (not Whonix) - #58 by Patrick the chromium package seems up to date.


Installation of snap by default in Whonix and/or Kicksecure might encourage installation of packages using snap. Would be hard to educate users “but please only use snap for chromium or other applications from trusted publishers”.

Probably best to find a more solid all around choice.

Related: https://forums.whonix.org/t/flathub-as-a-source-of-software/10706

Created a dedicated forum thread for it:

https://forums.whonix.org/t/flathub-as-a-source-of-software/10706

I was wondering, is the snap store really nonfreedom software?

Wikipedia Snap (software) - Wikipedia links to a github repository GitHub - snapcore/snapcraft: Package, distribute, and update any app for Linux and IoT. But is it complete?

Found this:

Seems like a clever question by Freedom Software enthusiasts is:

Why is there only one Snap Store?

A defender of snapstore wrote this:

Links to this:
https://merlijn.sebrechts.be/blog/2020-08-02-why-one-snap-store/

Quote:

Is the Snap Store open source?

Sadly, part of the Snap store is still closed source. Snap itself is completely open source and many parts of the Snap store are open source like the web-store front-end, the automatic review tools, the build service, the desktop store app, and many more. The back-end hosting the snaps, however, is still proprietary.

Open sourcing the Snap store back-end would require significant changes to it, according to Martin Wimpress of Canonical:

[because of its history,] the Snap store now integrates with other areas of the Canonical infrastructure. So the Snap store isn’t a single thing. It’s not like this one piece of software that you can easily decouple from the rest of the machinery that powers the infrastructure at Canonical. So we can’t just pull it apart and separate it and say, “Here you go, here’s the open source Snap store.

Canonical is doubtful that this investment would be worth it because of what happened with Launchpad. Although they invested significant resources in open sourcing Launchpad, there is still only one instance of Launchpad running and they have not received any significant contributions from non-Canonical employees.

Interestingly, Canonical actually released an open-source prototype Snap store backend a few years ago, but there was very little interest from the community in actually maintaining and running a second Snap store, so the project bit-rotted and became incompatible with the current Snap protocol.

It links to this:

TechRepublic: Community members have expressed concern about the Snap server being proprietary software. What would be needed for a third party to operate its own Snap server, if it wanted to do so?

Answer here: CXO | TechRepublic

A Freedom Software snap store work in progress at time of writing:

Therefore at time of writing it is safe to conclude that the snap store server part is nonfreedom software.

Simple test: If Debian had done the same with apt, would Ubuntu have had a base to build onto? Also this is similar to chat clients with non-free server side components.


Additional note to what was mentioned above: snap uses AppArmor to secure its apps, whereas in comparison Flatpak uses bubblewrap.

Quote, AppArmor:

AppArmor profiles are generated for each command. These have the appropriate security label and command-specific AppArmor rules to mediate file access, application execution, Linux capabilities, mount, ptrace, IPC, signals, coarse-grained networking.


Snap apps can be downloaded as an offline package (.snap); Flatpak can’t do that.

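To make concrete what "snaps are signed and snapd checks it before installation" and the offline .snap download above amount to, here is an added example (not code from the thread, not snapd's own code) that mirrors the last step of the offline workflow. The real commands are `snap download <name>` (writes `<name>_<rev>.snap` plus a `<name>_<rev>.assert` file), `snap ack <name>_<rev>.assert` (snapd verifies the assertion's signature chain up to the Canonical store root key and stores it) and `snap install <name>_<rev>.snap` (snapd checks the blob's sha3-384 against the acked snap-revision assertion; an unacked blob needs `--dangerous`). The code below implements only the digest binding of that last step with the standard library; the signature check against Canonical's account-key assertions is not reproduced, which is exactly why the store, and not the developer, is the root of trust. The snap-id, the blob contents, the key id and the signature text are constructed placeholders.

```python
"""Added example: how a snap-revision assertion binds a .snap blob.

Assertion layout (as snapd writes it): 'header: value' lines, a blank line,
an optional body (snap-revision has none), a blank line, base64 signature.
The snap-sha3-384 header is the sha3-384 digest in URL-safe base64 without
'=' padding. Signature verification is NOT done here (see lead-in).
"""
import base64
import hashlib


def snap_sha3_384(blob: bytes) -> str:
    """Digest encoded the way the snap-sha3-384 header expects."""
    digest = hashlib.sha3_384(blob).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def parse_assertion(text: str) -> tuple[dict, str]:
    """Split an assertion into (headers, signature_text).

    Indented lines continue the previous header's value, as in the real
    format for multi-line values.
    """
    parts = text.strip("\n").split("\n\n")
    if len(parts) < 2:
        raise ValueError("assertion needs a header block and a signature block")
    header_block, signature = parts[0], parts[-1]
    headers: dict = {}
    key = None
    for line in header_block.split("\n"):
        if line[:1].isspace() and key is not None:
            headers[key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            headers[key] = value.strip()
    return headers, signature.strip()


def check_snap_against_assertion(blob: bytes, assertion_text: str,
                                 expected_snap_id: str) -> None:
    """Raise ValueError unless blob is the revision the assertion describes.

    This is the digest-binding check snapd does at install time. Assumption
    for this example: we only accept the store ('canonical') as authority;
    real snapd instead verifies the signature against a trusted account-key.
    """
    headers, signature = parse_assertion(assertion_text)
    if headers.get("type") != "snap-revision":
        raise ValueError("not a snap-revision assertion")
    if headers.get("authority-id") != "canonical":
        raise ValueError("unexpected authority-id")
    if not signature:
        raise ValueError("missing signature block")
    if headers.get("snap-id") != expected_snap_id:
        raise ValueError("snap-id mismatch")
    if int(headers["snap-size"]) != len(blob):
        raise ValueError("snap-size mismatch")
    if headers["snap-sha3-384"] != snap_sha3_384(blob):
        raise ValueError("snap-sha3-384 mismatch: blob does not match assertion")


def constructed_assertion(blob: bytes, snap_id: str, revision: int) -> str:
    """Constructed snap-revision assertion for a constructed blob.

    The key id and signature are placeholders, not valid cryptographic
    material; a real .assert file carries a store signature.
    """
    headers = "\n".join([
        "type: snap-revision",
        "authority-id: canonical",
        f"snap-sha3-384: {snap_sha3_384(blob)}",
        f"snap-id: {snap_id}",
        f"snap-size: {len(blob)}",
        f"snap-revision: {revision}",
        "developer-id: canonical",
        "timestamp: 2020-01-01T00:00:00Z",
        "sign-key-sha3-384: CONSTRUCTED-KEY-ID",
    ])
    return headers + "\n\nCONSTRUCTED-SIGNATURE-PLACEHOLDER\n"


def demo() -> dict:
    """Genuine blob passes; a blob modified after signing is rejected."""
    blob = b"constructed .snap contents, not a real squashfs image"
    snap_id = "constructedChromiumSnapId0000000"   # placeholder, not real
    assertion = constructed_assertion(blob, snap_id, 1)
    results = {}
    check_snap_against_assertion(blob, assertion, snap_id)
    results["genuine"] = "ok"
    tampered = bytes([blob[0] ^ 1]) + blob[1:]   # same size, one bit flipped
    try:
        check_snap_against_assertion(tampered, assertion, snap_id)
        results["tampered"] = "accepted"
    except ValueError as e:
        results["tampered"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

What this shows about the thread's question: the digest is signed by the store's key (authority-id canonical), so a correct blob proves "this is what Canonical's store published", not "this is what the upstream developer built"; the developer's own key never enters the check, and installing a blob without an acked assertion is only possible with `--dangerous`.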