Canonical goes full snap, Chromium is next


Re: Canonical goes full snap, Chromium is next

Post by Head_on_a_Stick » 2019-06-14 17:27

Danielsan wrote:Deb packages are hard to create

That's because the packaging system is incredibly powerful with lots of features.

Are you familiar with the many helper scripts on offer? Creating a .deb can be very simple if you know the tools.

Danielsan wrote:Deb packages don't provide roll back system

# dpkg --install --force-downgrade older.deb

Or use your backup.

But rolling back packages is not something that's really needed in stable.

Danielsan wrote:you need root to install packages and you can't install packages per users

How would non-root installations work for packages that provide system files (i.e., all of them)?

Do you really want to give hackers that have local access the power to install stuff without gaining root privileges?

Danielsan wrote:you can't confine or containerize packages by default

Try systemd-nspawn or schroot or firejail or apparmor or SELinux.

Danielsan wrote:you can't install easily different version of the same package

I refer the right honourable gentleman to the answer I gave a few moments ago.

Danielsan wrote:you can't have delta updates

https://packages.debian.org/stretch/debdelta
Head_on_a_Stick
 
Posts: 10464
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Canonical goes full snap, Chromium is next

Post by Danielsan » 2019-06-14 18:05

4D696B65 wrote:
Danielsan wrote:
4D696B65 wrote:This is the best thing about apt

Why?
If I install unstable software on my user just because I want to take advantage of some features or for testing without breaking the system and without invoking root to do it, I believe it is a great thing.

if it is your computer, do what you want
if it is a server owned by your employer, he/she may have other ideas what you can and cannot install



I didn't get you... :(
Danielsan
 
Posts: 541
Joined: 2010-10-10 22:36

Re: Canonical goes full snap, Chromium is next

Post by Danielsan » 2019-06-14 18:08

Head_on_a_Stick wrote:[...]


A. The others are equally powerful but easier and better designed, like the Arch Build System, just because they are modern.

B. While rolling back doesn't make sense on Stable, it makes sense on Unstable or any testing environment. Rolling back on Debian doesn't work properly and is at your own risk because DPKG/APT aren't designed for this scope.

C. While snaps also work for system components, I am not sure about Nix or GuixSD (the latter is under my study). Installing packages in your home, you can have multiple instances of PHP or Krita, leaving your core system clean and safe. Packages installed on the home users are confined so a hacker can just mess up with the home users.

D. Firejail is known to be an unsafe container, never used SELinux, while I use systemd-nspawn to test packages, however it has its limitations, for example it can access to the GPU, at least with the nvidia-drivers, as a matter of fact any application that requires OpenGL I tested simply crashes. It is not designed to run graphics applications, as Poettering himself stated, for this scope there's already flatpak by RedHat; but I consider Nix/Guix superior.

E. He was wrong because Nix/Guix are designed to deploy by default hence are more suitable for working on servers or on a fleet of personal computers.

F. Never heard about it, why is it not installed by default? Maybe because it needs to rebuild every package locally, doesn't it?
Danielsan
 
Posts: 541
Joined: 2010-10-10 22:36

Re: Canonical goes full snap, Chromium is next

Post by Nili » 2019-06-14 18:22

Danielsan wrote: Packages installed on the home users are confined so a hacker can just mess up with the home users.

This is completely wrong mate. If the hacker does whatever they want on my $HOME, for me or someone else it is game over.
Don't tell me you mean: let's have "/" saved, and leave $HOME alone in the hands of hackers because one may put malicious code in a snap.

Personal data are important; many save their stuff @ home, some others on USB, external HDD, DVD etc...
Snaps aren't secure, sure it's practical but if my $HOME is exposed to me, it does not matter any more practicality.
Devuan | Fluxbox
---
Nothing beats peace and quiet - Tomoki Sakurai
Nili
 
Posts: 377
Joined: 2014-04-30 14:04
Location: $HOME/♫♪

Re: Canonical goes full snap, Chromium is next

Post by Danielsan » 2019-06-14 18:39

Nili wrote:
Danielsan wrote: Packages installed on the home users are confined so a hacker can just mess up with the home users.

This is completely wrong mate. If the hacker does whatever they want on my $HOME, for me or someone else it is game over.
Don't tell me you mean: let's have "/" saved, and leave $HOME alone in the hands of hackers because one may put malicious code in a snap.

Personal data are important; many save their stuff @ home, some others on USB, external HDD, DVD etc...
Snaps aren't secure, sure it's practical but if my $HOME is exposed to me, it does not matter any more practicality.


While I agree with you, and with respect to this topic there are very few efforts on Linux, my reply makes sense when it is related to its context. But if a hacker has direct access to your home you are f##k anyway, while if a software has a potential bug you can further restrict the access on your home but then you can't save your job anywhere.
Danielsan
 
Posts: 541
Joined: 2010-10-10 22:36
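
The $HOME exposure argued over in the posts above can be checked per snap. The following is an added example, not part of any post in this thread: it reads the four-column table printed by `snap connections` and lists the snaps that hold a connected `home`, `removable-media` or `personal-files` plug. The sample table and the snap name `notes-app` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list snaps whose plugs for user-data interfaces are connected.
# Assumed input: the table printed by `snap connections`
# (columns Interface, Plug, Slot, Notes); a Slot of "-" means not connected.

# Interfaces that expose personal data (home directory, removable drives).
DATA_IFACES="home removable-media personal-files"

# Reads a `snap connections` table on stdin; prints "snap interface" per hit.
snaps_with_user_data_access() {
    awk -v ifaces="$DATA_IFACES" '
        BEGIN { n = split(ifaces, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR == 1 && $1 == "Interface" { next }   # skip the header row
        NF < 3 { next }                          # skip blank or short lines
        ($1 in want) && $3 != "-" {              # data interface, connected
            split($2, plug, ":")                 # plug is "snap:plugname"
            print plug[1], $1
        }
    ' | sort -u
}

# Constructed sample table (not captured from a real system).
sample_connections() {
    cat <<'EOF'
Interface        Plug                      Slot             Notes
home             chromium:home             :home            -
network          chromium:network          :network         -
removable-media  chromium:removable-media  -                -
home             gimp:home                 :home            -
personal-files   notes-app:dot-config      :personal-files  manual
opengl           gimp:opengl               :opengl          -
EOF
}

# Real system:   snap connections | snaps_with_user_data_access
# Revoke access: snap disconnect <snap>:home
if [ "${1:-}" = "--demo" ]; then
    sample_connections | snaps_with_user_data_access
fi
```

Disconnecting the `home` plug is the "further restrict the access" case from the post above: the snap can then no longer read or save files in the user's home directory.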

Re: Canonical goes full snap, Chromium is next

Post by Wheelerof4te » 2019-06-14 18:54

^There are other ways to create application sandboxes. A package manager shouldn't be centered around sandboxing, because that's not the job of a package manager.
A job of a package manager is to manage your software. Part of why modern solutions fail is their creators' drive to make them do more than just install, remove, search and update your software.
Wheelerof4te
 
Posts: 1423
Joined: 2015-08-30 20:14

Re: Canonical goes full snap, Chromium is next

Post by Danielsan » 2019-06-14 19:16

Wheelerof4te wrote:^There are other ways to create application sandboxes. A package manager shouldn't be centered around sandboxing, because that's not the job of a package manager.
A job of a package manager is to manage your software. Part of why modern solutions fail is their creators' drive to make them do more than just install, remove, search and update your software.


This is your opinion because the trend is exactly the opposite, as a matter of fact this is not failing at all and it is being adopted widely. Even a distro like Debian Stable is vulnerable to a 0 day bug and containerization is a great feature against a 0 day attack.
Danielsan
 
Posts: 541
Joined: 2010-10-10 22:36

Re: Canonical goes full snap, Chromium is next

Post by sickpig » 2019-06-14 19:34

Snaps are user convenience focused. If you need latest or dev. version of an app say gimp or inkscape how will u install it in stable? change repos to sid?

before anyone digs up links about malicious snaps - don't install them if you don't trust their developer or packager

snaps, flatpaks are the way forward no matter what anyone thinks or does. appimage is quite convenient too.

what's wrong with chromium packaged as a snap if it is packaged officially by Canonical? More power to anything that is user centric and focusses on convenience rather than changing repos or jumping through hoops.
sickpig
 
Posts: 315
Joined: 2019-01-23 10:34

Re: Canonical goes full snap, Chromium is next

Post by 4D696B65 » 2019-06-14 20:12

sickpig wrote: what's wrong with chromium packaged as a snap if it is packaged officially by Canonical?

I guess if you trust Canonical, nothing. I for one don't trust them.
4D696B65
 
Posts: 2435
Joined: 2009-06-28 06:09

Re: Canonical goes full snap, Chromium is next

Post by Head_on_a_Stick » 2019-06-14 20:35

Danielsan wrote: Rolling back on Debian doesn't work properly and is at your own risk because DPKG/APT aren't designed for this scope.

Try https://packages.debian.org/stretch/snapper

sickpig wrote:If you need latest or dev. version of an app say gimp or inkscape how will u install it in stable?

viewtopic.php?f=16&t=129390

And contrary to Danielsan's claim the container will use the graphics card, at least it does for the open source drivers — I can run openarena & Xonotic from a systemd-nspawn container.
Head_on_a_Stick
 
Posts: 10464
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Canonical goes full snap, Chromium is next

Post by sickpig » 2019-06-14 20:50

Head_on_a_Stick wrote:viewtopic.php?f=16&t=129390

^^^^
is my exact definition of
sickpig wrote:jumping through hoops.

thanks for proving my point.

i choose not to reinvent the wheel to just install an app. I would just install a snap.

edit
resource usage of your alternative is 200 kgs heavier than just running an app as a snap. You are essentially running another version of the OS alongside your current one. And it will start all of its startup services daemons and whatnot
sickpig
 
Posts: 315
Joined: 2019-01-23 10:34

Re: Canonical goes full snap, Chromium is next

Post by Danielsan » 2019-06-15 03:33

I think we are confusing downgrade and rollback, functions for which DPKG and APT aren't designed. And in any case a snapshot is not as a rollback for a single package.

And about systemd-nspawn this is not a desktop oriented solution to confine a single package, it is an isolated environment with the basic core system installed and it needs some effort to make it work with a graphic application.
Danielsan
 
Posts: 541
Joined: 2010-10-10 22:36

Re: Canonical goes full snap, Chromium is next

Post by sickpig » 2019-06-15 04:02

Danielsan wrote:And about systemd-nspawn this is not a desktop oriented solution to confine a single package, it is an isolated environment with the basic core system installed and it needs some effort to make it work with a graphic application.


along with the effort it is not secure as highlighted in viewtopic.php?f=16&t=129390 without adding additional flags

in the same thread chroot option is mentioned which is more secure as it uses xephyr server which is a standalone graphics server and doesn't share display resources with X11
sickpig
 
Posts: 315
Joined: 2019-01-23 10:34

Re: Canonical goes full snap, Chromium is next

Post by KBD47 » 2019-06-16 02:05

4D696B65 wrote:
sickpig wrote: what's wrong with chromium packaged as a snap if it is packaged officially by Canonical?

I guess if you trust Canonical, nothing. I for one don't trust them.

Agreed!
https://www.omgubuntu.co.uk/2018/05/ubuntu-snap-malware
KBD47
 
Posts: 85
Joined: 2011-09-04 09:07

Re: Canonical goes full snap, Chromium is next

Post by sickpig » 2019-06-16 02:15

KBD47 wrote:
4D696B65 wrote:
sickpig wrote: what's wrong with chromium packaged as a snap if it is packaged officially by Canonical?

I guess if you trust Canonical, nothing. I for one don't trust them.

Agreed!
https://www.omgubuntu.co.uk/2018/05/ubuntu-snap-malware


sickpig wrote: before anyone digs up links about malicious snaps - don't install them if you don't trust their developer or packager
sickpig
 
Posts: 315
Joined: 2019-01-23 10:34
