Snap store from Canonical hit with malicious apps
adonis@kbin.social to 
gamingonlinux.com
Canonical are currently dealing with a security incident with the Snap store, after users noticed multiple fake apps were uploaded so temporary limits have been put in place.
You are viewing a single comment
I stopped using the Snap Store the moment I realized the majority of the Snaps were uploaded by totally random people who have zero relationship with the app itself.
For example: https://snapcraft.io/publisher/kz6fittycent
You’re telling me this guy is personally involved with all 43 snaps he’s published? You want me to believe he’s going to dutifully maintain all 43 of them?
Yeah. Okay. Sure. Totally.
It’s like, there’s a man on the street corner selling chicken nuggets he swears he got from McDonalds. Do you want to buy nuggets from him or just walk around the corner and get them from McDonalds yourself?
I dislike the snap store as well, but what you describe is how packaging works on Debian as well. Anyone can make, maintain a package. And there are people there that maintain even more packages.
However, there is a difference when uploading it to the repos, you either have to be a Debian developer or find one to sponsor your package first. After a while of doing good work, you can also request becoming one yourself.
This additional burden makes it more difficult for malicious people to go through.
Personally I prefer this separation of software developer and package maintainer, because that makes it a bit more difficult for malicious devs to push packages directly or for them to not package them the optimal way for the distro.
I think that in practice it prevents them completely, i never heard of any type malware uploaded to debian or nix and flathub for that matter.
I guess its a reminder to verify your apps
After realizing the Godot package in Ubuntu was terribly outdated, I checked their snap store.
There are half a dozen Godot packages on Snapcraft, uploaded by random people. There is no indication of which a user should actually get, as none are "official". The one package that has a "verified" check also has a full description of just the word "blah", so it's clear it's not the real one and the "verified" checkmark means nothing.
Anyone that wants to upload something can. Non-functional, non-tested apps, others' work, abandoned apps, malware, etc.
And then the system ties your hands behind your back and refuses to let you control things like updates.
Snaps are an abortion and it has been turning people off to Ubuntu like crazy.
Isn't it the same for Flatpak?
It doesn't seem to be an issue on flatpak but idk if they're doing anything in particular to stop this
Probably cuz Flatpak apps are all GUI apps and are harder compared to CLI apps?
Somewhat but its not nearly as bad