Canonical goes full snap, Chromium is next

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Canonical goes full snap, Chromium is next

#16 Post by Head_on_a_Stick »

Danielsan wrote: Deb packages are hard to create
That's because the packaging system is incredibly powerful with lots of features.

Are you familiar with the many helper scripts on offer? Creating a .deb can be very simple if you know the tools.
Danielsan wrote: Deb packages don't provide a rollback system

# dpkg --install --force-downgrade older.deb
Or use your backup.

But rolling back packages is not something that's really needed in stable.
Danielsan wrote: you need root to install packages and you can't install packages per user
How would non-root installations work for packages that provide system files (i.e., all of them)?

Do you really want to give hackers that have local access the power to install stuff without gaining root privileges?
Danielsan wrote: you can't confine or containerize packages by default
Try systemd-nspawn or schroot or firejail or apparmor or SELinux.
Danielsan wrote: you can't easily install different versions of the same package
I refer the right honourable gentleman to the answer I gave a few moments ago.
Danielsan wrote: you can't have delta updates
https://packages.debian.org/stretch/debdelta
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
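As an added example (written for this page, not code from the thread, from dpkg or from Debian), the block below shows what the two technical claims in the post above rest on: how simple a binary .deb really is, and what "older" means when dpkg decides a package is a downgrade. It builds a minimal .deb in pure Python (a .deb is an `ar` archive holding `debian-binary`, `control.tar.gz` and `data.tar.gz`), reads the control file back out of the archive, and ports dpkg's version ordering so a script can tell, before installing, whether a candidate .deb is older than the installed version, which is the situation the `--force-downgrade` command above is about. The package name `hello`, version `1.0-2` and payload are constructed for the example; only the standard library is used, so it runs offline.

```python
"""Added example for this page, not from the thread or from dpkg itself: build a
minimal .deb in pure Python, read its control file back, and port dpkg's version
ordering to decide whether a candidate .deb would be a downgrade."""
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def _ar_member(name, data):
    # A .deb is a plain "ar" archive: 60-byte space-padded ASCII header (name,
    # mtime, uid, gid, mode, size, magic), then the body padded to an even length.
    hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
           + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n").encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files):
    # In-memory tar.gz of {path: bytes}, members rooted at "./" like dpkg-deb.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo("./" + path)
            info.size = len(content)
            info.mode = 0o755 if path.startswith("usr/bin/") else 0o644
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_deb(package, version, payload):
    # Binary .deb: debian-binary, control.tar.gz, data.tar.gz, in that order.
    control = (f"Package: {package}\nVersion: {version}\nArchitecture: all\n"
               "Maintainer: Example <nobody@example.invalid>\n"
               "Description: constructed example package\n").encode()
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz({"control": control}))
            + _ar_member("data.tar.gz", _tar_gz(payload)))


def read_control(deb):
    """Walk the ar members and return the control file's single-line fields."""
    if not deb.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off + 60 <= len(deb):
        name = deb[off:off + 16].decode().strip()
        size = int(deb[off + 48:off + 58])
        body = deb[off + 60:off + 60 + size]
        off += 60 + size + (size % 2)
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(body)) as tar:  # autodetects gz
                for m in tar.getmembers():
                    if m.name.lstrip("./") == "control":
                        text = tar.extractfile(m).read().decode()
                        return dict(ln.split(": ", 1) for ln in text.splitlines()
                                    if ": " in ln and not ln.startswith(" "))
    raise ValueError("no control.tar member")


def _order(c):
    # dpkg's character weights: '~' sorts before everything (even end of string),
    # digit runs are compared numerically, letters by ASCII, punctuation last.
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    # Alternate non-digit and digit runs, as dpkg's verrevcmp() does.
    ch = lambda s, k: s[k] if k < len(s) else ""
    nd = lambda c: c != "" and not c.isdigit()
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while nd(ch(a, i)) or nd(ch(b, j)):
            d = _order(ch(a, i)) - _order(ch(b, j))
            if d:
                return d
            i, j = i + 1, j + 1
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    # Split [epoch:]upstream[-revision]; epoch defaults to 0, revision to ''.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1, ordered like `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    for d in ((ea > eb) - (ea < eb), _verrevcmp(ua, ub), _verrevcmp(ra, rb)):
        if d:
            return (d > 0) - (d < 0)
    return 0


def is_downgrade(installed, candidate):
    # True when the candidate is older than what is installed: the case dpkg
    # warns about at install time and the one --force-downgrade concerns.
    return compare_versions(candidate, installed) < 0
```

The ordering follows Debian policy (epoch first, then upstream version, then Debian revision, with `~` sorting before anything, including the empty string), so `1.0~rc1` is older than `1.0`, `1.0` is older than `1.0-1`, and `1.0-2` is older than `1.0-10`. On a Debian host any pair can be cross-checked with `dpkg --compare-versions A lt B && echo older`. The `read_control` helper only handles single-line fields; multi-line `Description` continuation lines are skipped.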

Danielsan
Posts: 637
Joined: 2010-10-10 22:36

Re: Canonical goes full snap, Chromium is next

#17 Post by Danielsan »

4D696B65 wrote:
Danielsan wrote:
4D696B65 wrote: This is the best thing about apt
Why?
If I install unstable software for my user just because I want to take advantage of some features or for testing, without breaking the system and without invoking root to do it, I believe it is a great thing.
if it is your computer, do what you want
if it is a server owned by your employer, he/she may have other ideas about what you can and cannot install

I didn't get you... :(

Danielsan
Posts: 637
Joined: 2010-10-10 22:36

Re: Canonical goes full snap, Chromium is next

#18 Post by Danielsan »

Head_on_a_Stick wrote: [...]
A. The others are equally powerful but easier and better designed, like the Arch Build System, just because they are modern.

B. While rolling back doesn't make sense on Stable, it makes sense on Unstable or any testing environment. Rolling back on Debian doesn't work properly and is at your own risk, because DPKG/APT aren't designed for this scope.

C. While snaps also work for system components, I am not sure about Nix or GuixSD (the latter is under my study). Installing packages in your home you can have multiple instances of PHP or Krita, leaving your core system clean and safe. Packages installed in the user's home are confined, so a hacker can just mess up the user's home.

D. Firejail is known to be an unsafe container, I never used SELinux, while I use systemd-nspawn to test packages; however it has its limitations, for example it can't access the GPU, at least with the nvidia drivers, as a matter of fact any application that requires OpenGL I tested simply crashes. It is not designed to run graphical applications, as Poettering himself stated; for this scope there's already flatpak by Red Hat, but I consider Nix/Guix superior.

E. He was wrong, because Nix/Guix are designed for deployment by default, hence are more suitable for working on servers or on a fleet of personal computers.

F. Never heard about it, why is it not installed by default? Maybe because it needs to rebuild every package locally, doesn't it?

Nili
Posts: 409
Joined: 2014-04-30 14:04
Location: $HOME/♫♪

Re: Canonical goes full snap, Chromium is next

#19 Post by Nili »

Danielsan wrote: Packages installed in the user's home are confined, so a hacker can just mess up the user's home.
This is completely wrong, mate. If the hacker does whatever they want in my $HOME, for me or someone else it is game over.
Don't tell me you mean: let's have "/" saved and leave $HOME alone in the hands of hackers, because one may put malicious code in a snap.

Personal data are important; many save their stuff in $HOME, others on USB, external HDD, DVD etc...
Snaps aren't secure. Sure, it's practical, but if my $HOME is exposed then, to me, practicality does not matter any more.
Fedora (Workstation Edition)
\m/ Ijime, Dame, Zettai「イジメ、ダメ、ゼッタイ」\m/

Danielsan
Posts: 637
Joined: 2010-10-10 22:36

Re: Canonical goes full snap, Chromium is next

#20 Post by Danielsan »

Nili wrote: [...]
While I agree with you, and with respect to this topic there are very few efforts on Linux, my reply makes sense when it is related to its context. But if a hacker has direct access to your home you are f##ked anyway, while if a piece of software has a potential bug you can further restrict its access to your home, but then you can't save your work anywhere.
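As an added illustration of the kind of restriction discussed in this exchange (an example written for this page, not from the thread, from Debian or from any project's shipped profiles), here is an AppArmor profile for a hypothetical program `/usr/bin/example-browser`. It lets the program write only under `~/Downloads` and its own config and cache directories, and logs any attempt on the credential files that turn a bug in the program into a stolen identity. The program name, its library and config paths, and the choice of allowed directories are assumptions; `@{HOME}` comes from the standard `tunables/home` that `tunables/global` pulls in.

```apparmor
# Added example for this page: confine a hypothetical /usr/bin/example-browser.
# Program name and paths are assumptions, not a real Debian or Ubuntu package.
#include <tunables/global>

/usr/bin/example-browser {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/X>

  network inet stream,
  network inet6 stream,

  /usr/bin/example-browser mr,
  /usr/lib/example-browser/** mr,
  /etc/example-browser/** r,
  owner /tmp/** rw,

  # The only parts of $HOME the program may create or modify.
  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rw,
  owner @{HOME}/.config/example-browser/** rw,
  owner @{HOME}/.cache/example-browser/** rw,

  # Anything not listed above is denied by default. These explicit rules
  # additionally log (audit) attempts on the files an attacker who has
  # taken over the confined program would go after first.
  audit deny @{HOME}/.ssh/** rwklm,
  audit deny @{HOME}/.gnupg/** rwklm,
  audit deny @{HOME}/.bash_history rw,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.bin.example-browser`, confirm it is attached with `aa-status`, and run it in complain mode first (`aa-complain /usr/bin/example-browser`) while reading the denials in the kernel log, so that the program's legitimate paths are all listed before switching to enforce mode. This covers the case Danielsan describes, a bug in the confined program; it does nothing for Nili's case, an attacker who already has an unconfined shell as the user.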

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Canonical goes full snap, Chromium is next

#21 Post by Wheelerof4te »

^There are other ways to create application sandboxes. A package manager shouldn't be centered around sandboxing, because that's not the job of a package manager.
The job of a package manager is to manage your software. Part of why modern solutions fail is their creators' drive to make them do more than just install, remove, search and update your software.

Danielsan
Posts: 637
Joined: 2010-10-10 22:36

Re: Canonical goes full snap, Chromium is next

#22 Post by Danielsan »

Wheelerof4te wrote: ^There are other ways to create application sandboxes. A package manager shouldn't be centered around sandboxing, because that's not the job of a package manager.
The job of a package manager is to manage your software. Part of why modern solutions fail is their creators' drive to make them do more than just install, remove, search and update your software.
This is your opinion, because the trend is exactly the opposite; as a matter of fact this is not failing at all and it is being adopted widely. Even a distro like Debian Stable is vulnerable to a 0-day bug, and containerization is a great feature against a 0-day attack.

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Canonical goes full snap, Chromium is next

#23 Post by sickpig »

Snaps are user convenience focused. If you need the latest or dev. version of an app, say gimp or inkscape, how will you install it in stable? Change repos to sid?

Before anyone digs up links about malicious snaps: don't install them if you don't trust their developer or packager.

Snaps and flatpaks are the way forward no matter what anyone thinks or does. AppImage is quite convenient too.

What's wrong with chromium packaged as a snap if it is packaged officially by Canonical? More power to anything that is user centric and focuses on convenience rather than changing repos or jumping through hoops.

4D696B65
Site admin
Posts: 2623
Joined: 2009-06-28 06:09
Been thanked: 5 times

Re: Canonical goes full snap, Chromium is next

#24 Post by 4D696B65 »

sickpig wrote: What's wrong with chromium packaged as a snap if it is packaged officially by Canonical?
I guess if you trust Canonical, nothing. I for one don't trust them.

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Canonical goes full snap, Chromium is next

#25 Post by Head_on_a_Stick »

Danielsan wrote:Rolling back on Debian doesn't work properly and at your own risk because DPKG/APT aren't designed for this scope.
Try https://packages.debian.org/stretch/snapper
sickpig wrote:If you need latest or dev. version of an app say gimp or inkscape how will u install it in stable?
http://forums.debian.net/viewtopic.php?f=16&t=129390

And contrary to Danielsan's claim the container will use the graphics card, at least it does for the open source drivers — I can run openarena & Xonotic from a systemd-nspawn container.

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Canonical goes full snap, Chromium is next

#26 Post by sickpig »

Head_on_a_Stick wrote: viewtopic.php?f=16&t=129390
^^^^
is my exact definition of
sickpig wrote: jumping through hoops.
thanks for proving my point.

I choose not to reinvent the wheel just to install an app. I would just install a snap.

edit
The resource usage of your alternative is 200 kgs heavier than just running an app as a snap. You are essentially running another version of the OS alongside your current one. And it will start all of its startup services, daemons and whatnot.

Danielsan
Posts: 637
Joined: 2010-10-10 22:36

Re: Canonical goes full snap, Chromium is next

#27 Post by Danielsan »

I think we are confusing downgrade and rollback, functions for which DPKG and APT aren't designed. And in any case a snapshot is not the same as a rollback for a single package.

And about systemd-nspawn: this is not a desktop oriented solution to confine a single package, it is an isolated environment with the basic core system installed and it needs some effort to make it work with a graphical application.

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Canonical goes full snap, Chromium is next

#28 Post by sickpig »

Danielsan wrote: And about systemd-nspawn: this is not a desktop oriented solution to confine a single package, it is an isolated environment with the basic core system installed and it needs some effort to make it work with a graphical application.
Along with the effort, it is not secure without adding additional flags, as highlighted in viewtopic.php?f=16&t=129390.

In the same thread the chroot option is mentioned, which is more secure as it uses the Xephyr server, a standalone graphics server that doesn't share display resources with X11.

KBD47
Posts: 87
Joined: 2011-09-04 09:07

Re: Canonical goes full snap, Chromium is next

#29 Post by KBD47 »

4D696B65 wrote:
sickpig wrote: What's wrong with chromium packaged as a snap if it is packaged officially by Canonical?
I guess if you trust Canonical, nothing. I for one don't trust them.
Agreed!
https://www.omgubuntu.co.uk/2018/05/ubuntu-snap-malware

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Canonical goes full snap, Chromium is next

#30 Post by sickpig »

KBD47 wrote:
4D696B65 wrote:
sickpig wrote: What's wrong with chromium packaged as a snap if it is packaged officially by Canonical?
I guess if you trust Canonical, nothing. I for one don't trust them.
Agreed!
https://www.omgubuntu.co.uk/2018/05/ubuntu-snap-malware
sickpig wrote: Before anyone digs up links about malicious snaps: don't install them if you don't trust their developer or packager.

Deb-fan
Posts: 1042
Joined: 2012-08-14 12:27

Re: Canonical goes full snap, Chromium is next

#31 Post by Deb-fan »

Can't see this becoming the future default packaging format. Interesting and truthfully not up to speed on this topic. Personally won't be using it or highly unlikely. Still can see some benefits and won't bad mouth these types of efforts either. Snappy-snap, flatpak and appimages, cool more options for those who choose to use.
Most powerful FREE tech-support tool on the planet * HERE. *

pendrachken
Posts: 1391
Joined: 2007-03-04 21:10
Location: U.S.A. - WI.

Re: Canonical goes full snap, Chromium is next

#32 Post by pendrachken »

How would non-root installations work for packages that provide system files (i.e., all of them)?

Do you really want to give hackers that have local access the power to install stuff without gaining root privileges?
Sounds like someone doesn't know how snaps / flatpaks work. Here's a hint: they contain all the libraries needed to run, regardless of whether the versions are the same as the underlying base OS or not. This CAN lead to library duplication, but is often quite handy when the newer application needs updated libraries, as you don't have to mess with the base system's stable libraries.... potentially introducing bugs into the stable software of the base system. You also don't have to try to backport the application to use older libraries, which can also introduce subtle bugs and regressions, or just plain fail. This also means you can run OLDER software on a newer modern base without having to change library versions or worry about regressions in newer libraries.

All of this means that the flatpak / snap will be bigger than a packaged dynamically linked binary, but as said by many people here - disk space is cheap.
fortune -o
Your love life will be... interesting.
:twisted: How did it know?

The U.S. uses the metric system too, we have tenths, hundredths and thousandths of inches :-P

golinux
Posts: 1575
Joined: 2010-12-09 00:56
Location: not a 'buntard!

Re: Canonical goes full snap, Chromium is next

#33 Post by golinux »

We know what super-sizing has done to our health. It is a sloppy, unmindful and ultimately destructive habit to feed our cravings for all sorts of things that ultimately only complicate our lives. Convenience is a trap . . . beware.
May the FORK be with you!

Bloom
Posts: 365
Joined: 2017-11-11 12:23

Re: Canonical goes full snap, Chromium is next

#34 Post by Bloom »

Debian has a rigorous testing and review system for its packages. Have you lot never wondered why, in all the years that Debian has existed, no malware was ever introduced?
Snap is IMHO the easiest way forward to have malware introduced to Ubuntu, where it was previously secure. Debian needs to stay away from that.

CwF
Posts: 1099
Joined: 2018-06-20 15:16
Been thanked: 2 times

Re: Canonical goes full snap, Chromium is next

#35 Post by CwF »

I've tried to explain elsewhere where Linux is going in terms of Windows' evolution, only to realize my references were unknown as ancient irrelevant history. Once upon a time MS had the idea to package common code in libraries in a very unix-like way. These libraries, called DLLs, promised to consolidate and ease things. Of course you could put a customized DLL in the program's directory to override the system's, if you really really had to.... A decade later, a file search on the average Windows system for any common and random DLL results in numerous identically named DLLs. The method could have been tight, and very resource efficient, but it's not.
The mentality here is simply repeating the same pattern. Linux is of course superior (maybe not) and when it is on parity with Windows it will be as bloated and bad. Yes, things will work fine, if we provide the space, the extra memory, and a few extra cores to manage the slop.

Once the average distro/user can download and execute many cool programs from all over the wonderful web, Linux will finally match Windows. Maybe we should call these things exe's. Just dl and run! That's the ticket!
