wasn't that the whole damn (stated) point of making it proprietary?
I can recommend a minty flavored alternative if you're sick of it.
Green Ubuntu is Best Ubuntu
I prefer some POP in my ubuntu, but green is flavorful.
I like it across the road a bit more, you know, the fedora shop
Btw I have no idea why they want to mix Mint with Cinnamon, must taste ugly.
Literally what I'm chewing right now. It's pretty okay.
I should do a "sorting DEs by their taste" meme
Yeah, once you crunch down the edges it's pretty good. Make sure to use optical rather than solid state tho.
A fresh breath of minty cinnamon, mate?
You mean Ubuntu MATE?
No, I do not
I recommend Debian. Why go downstream when you can go upstream?
You mean old Ubuntu?
I'm using Mint and new to it. Does the Mint app store have more security or scrutiny? I'm cautious as most things are lucky to have one or two reviews listed. Many are zero though and it's not quite clear to me yet how to tell if things are from an official source or if they had review.
Packages are usually not official but maintained by your distro, so there are pretty strict controls, especially on Linux Mint Debian Edition. Flatpaks on the other hand come from Flathub and are less controlled, but since they're sandboxed the security is still good. If you open the website you can see which apps are verified (official) and which aren't. Flatpaks also have more user reviews in most cases.
It always takes a disaster before corporations act.
Snap still has users?
Anyone using Ubuntu
I use Ubuntu.
Downvotes to the right mocking laughs to my face.
Ubuntu may be good at being semi-stable.
Just run unsnap and experience actually secure apps.
Did you know that Snaps are only sandboxed on Ubuntu with AppArmor? This makes them more versatile than Flatpaks using Bubblewrap (the whole system is sandboxed like that) but will break all sandboxing if systems don't use AppArmor, or don't include all patches.
But not voluntarily. Since it's integrated with apt you randomly get snap garbage installed instead.
Before the current iteration of my homelab I used Ubuntu. Never used snap tho.
Last I used Ubuntu, removing snap was a one time thing that took 5 minutes, of which 4 of them was looking for my notes from the time before.
I ditched Ubuntu, but it wasn't because of snap. Maybe this has changed in the last 3 years?
Yes. Now if you use apt to install Firefox or Thunderbird, it will reinstall snap and install the snap versions of those programs.
If you blacklist snap, it'll throw an error when you try to install Firefox or Thunderbird cause it can't resolve their "dependencies".
You'll have to install those programs from outside of Ubuntu's repositories, and the list of affected programs is growing.
Ubuntu's stated goal is to eventually use snap for all userland apps.
People still use Ubuntu?
One of the top most used distros probably
This thread is a good example of just how circlejerky and bubble like lemmy has become.
You are correct. Outside of the hard-core users and tech nerds, Ubuntu is massively popular. But you listen to this community, and you'd think the opposite.
Most of us do live in bubbles (not exclusive to lemmy or tech nerds). I first picked up Ubuntu in 2004. It was a massive leap forward at the time as Gnome was moving a lot faster than Debian stable and I was running Sid to keep up. I am genuinely surprised every time I learn Ubuntu is still "popular" as they have made so many NIH missteps over the years (Mir, Upstart, Unity, Snap) and frustrated their users. I moved back to Debian years ago for server/dev as Ubuntu re-packaging wasn't adding any value and once I was on another distro for desktop I lost all interest.
Ubuntu started off with some amazing community building. It felt more like a people's distro than Canonical's for a time. I felt more invested in it in those days so I can relate to Ubuntu users but I also understand some of the criticism aimed at Canonical and their choices.
True. I've always felt more at home in Ubuntu and its derivatives. Debian is quite nice too.
You are correct. Outside of the hard-core users and tech nerds, Ubuntu is massively popular. But you listen to this community, and you’d think the opposite.
So which part of the internet is Steam Hardware & Software Survey then?
The most popular Ubuntu version is at a whopping 5% of all Linux users.
Ubuntu went from the most popular desktop distribution to the most or at least one of the most popular container distributions, i.e. for hard-core users and tech nerds. Meanwhile Steam Deck sold millions and I'm confident to say that a good chunk of the users have no idea what Steam Deck runs, let alone SteamOS being an Arch Linux derivative.
Very few Linux installs include Steam and this survey only represents a few thousand gamers. The only thing it shows is that Steam users like SteamOS.
Very few linux installs include steam
Millions of sold Steam Deck units run Linux and default to Steam. It's easily the most popular personal computing device running GNU/Linux out there.
steam users
So regular users, "outside of the hard-core users and tech nerds".
I wonder how many old ThinkPads are still running Linux... Honestly, it's possible some arbitrary single model may still outnumber Steam Decks.
I think you’re forgetting about AWS, GCP, Azure.
I think you’re forgetting about AWS, GCP, Azure.
No, I'm not. Had you read my comments correctly, you'd know that I was stating repeatedly that Ubuntu is popular for containers but that is a completely different topic.
That's not a meaningful comparison because it splits Ubuntu by version but all of Arch is a single category. We'd need to roll up the Ubuntu users for it to be apples to apples.
Like Windows, Ubuntu is installed by default on many computers. In my university, all the computers have a dual boot Ubuntu Windows.
Haha in mine they have Ubuntu stickers on them but no Ubuntu to be found.
Ubuntu is installed by default on many computers.
SteamOS is installed on more computers, though.
You don't honestly believe that, right? Like you're aware that the Steam hardware survey only includes Steam users that have it installed and choose to participate in the survey? There are way more computers and servers running Ubuntu than there are steam decks.
You don’t honestly believe that, right?
Context is computers dual booting Windows and Ubuntu, so obviously consumer hardware and not servers and also not multiple containers on one device. There are millions of Steam Decks sold already and Steam Deck is consumer hardware which means that there are millions of individual devices running SteamOS.
servers running Ubuntu
Sure there are hardcore users that run dozens of containers simultaneously and Ubuntu is quite a popular choice among those. Completely different topic from the one I've replied to, though.
Steam numbers are completely meaningless. There’s absolutely no way SteamOS outnumbers Ubuntu even if we limit this comparison to desktop installs. Ubuntu’s been around for a very long time and many of its users wouldn’t show up on Steam because they don’t game.
If you look at just my household, Ubuntu and its derivatives outnumber SteamOS by a factor of 7:1, not even counting numerous VMs and containers, or 3:1 if you're just counting desktops, laptops and tablets. But if you look at my steam usage, Ubuntu hasn't shown up there in over a year.
I probably spend 10x as much time on Ubuntu machines as I spend on my Steam Deck, but the Steam hardware survey would never surface that fact, nor is it intended to.
If you look at just my household
No, I won't because anecdotal evidence is no statistic.
Sure, but it's often a clearer way to explain why a statistic is misleading.
In this case, my anecdote shows an example of why the steam hardware survey is not, and was never intended to be, an accurate depiction of what distros people are using overall. Instead, it's a depiction of what distros people are using for Steam, which is the point of the statement above mine.
Using anecdote instead of statistical data is a bad idea. But so is ignoring anecdotes simply because they're anecdotes, as anecdotes are often one of the best ways to find limitations in statistical data.
Sure, but it’s often a clearer way to explain why a statistic is misleading.
As I've already explained to you elsewhere, that's not how this works. You are the one who made the claim. The burden is on you to provide a good backing for said claim. When people asked for that backing, you provided something that does not back up that claim. It's not on anyone else to provide an alternative claim, as that would be a variation of attempting to shift the burden of proof.
Personally, I'm not sure if good enough data to provide an answer to everyone's satisfaction exists. But that doesn't mean we get to shortcut the process by claiming that a data set means something it doesn't. Some other data that one could theoretically provide that would be of similar quality to what you've provided (that is, decent quality data that measures something related but cannot be reasonably extrapolated to verify or falsify your claim) include:
Distro breakdowns from the Snap store (this would overrepresent distros with Snap preinstalled)
Distro breakdowns from Flathub (this would overrepresent distros with Flatpak preinstalled and flathub preconfigured)
Distro breakdowns from web statistics (this would underrepresent privacy-centric distros and hide the distro for people who, for example, use a flatpak of their browser)
Cloud vendor distro breakdowns
As I’ve already explained to you elsewhere, that’s not how this works.
So you say...
You are the one who made the claim. The burden is on you to provide a good backing for said claim.
I have no burden to provide anything but I did anyway out of courtesy, you and your friends just refuse that out of gut feeling.
Personally, I’m not sure if good enough data to provide an answer to everyone’s satisfaction exists.
So there is, according to your own words, absolutely no credible evidence that Ubuntu is popular on desktops at all. So everybody here claiming how popular Ubuntu is, is making claims without backing them up. Funny how your fervor isn't with them and their "burden to provide a good backing for said claim". Seems you are not that objective about that matter.
Fact is, Steam is widely used by "regular" people (which this sub-thread is about) and therefore the best statistic there is about distribution usage outside the "techie sphere".
So you are "not sure if good enough data to provide an answer to everyone’s satisfaction exists" that Ubuntu is popular and the statistic that exists says it isn't that popular among non-techie users. Good that we have this settled now!
I have no burden to provide anything but I did anyway out of courtesy
You provided a source and then claimed it says something it doesn't. That's not courtesy, that's spreading falsehoods. When people called you out on it, you doubled down. That goes from saying something false, which we all do occasionally even when we don't intend to, to lying. If you don't want to back up your claims, you can say that. But that's not what you did, and that's why people have a problem with this behaviour.
So there is, according to your own words, absolutely no credible evidence that Ubuntu is popular on desktops at all.
This is what's known as moving the goalposts. Stating that we don't have the data to provide an answer to everyone's satisfaction is not the same as saying that there's not credible evidence of Ubuntu's popularity.
So everybody here claiming how popular Ubuntu is, is making claims without backing them up.
[Ubuntu is] one of the top most used distros probably
Not only did @embed_me@programming.dev say something that general context of the industry tends to say is likely, they also caveated their statement with a "probably."
Not only that, but the very screenshot you keep sharing actually provides evidence for that. Ubuntu is in the top 5 distros listed.
Funny how your fervor isn’t with them and their “burden to provide a good backing for said claim”.
Because their statements match my current informed understanding of the state of things (so I don't feel the need to ask them where they're getting their info) and, more importantly, they're not making toxic replies and personal attacks. They're not, in what I've read, telling you to shut up. Rather, most of the replies I've read to your comments have been unfailingly polite, which is more than I can say of your own comments.
Seems you are not that objective about that matter.
I'm not objective in the matter, and neither are you. However, I'm also not claiming that Steam OS isn't popular. It's undoubtedly popular, and on a personal note I'm a fan of it. What I am claiming is that the data you're using doesn't back up your statement.
Fact is, Steam is widely used by “regular” people (which this sub-thread is about) and therefore the best statistic there is about distribution usage outside the “techie sphere”.
There's the problematic leap. Steam is widely used, yes. And the Steam survey is a great tool for helping game developers decide where to target their games. But that doesn't make it a good statistic about general distro usage, for numerous reasons, including (but not limited to):
It is likely to overrepresent the Steam Deck for the same reason a survey of Snap users would overrepresent Ubuntu.
Steam users are not necessarily representative of all Linux users.
Where someone uses Steam OS is not necessarily representative of their everyday usage.
Given that the Steam Deck is primarily an appliance, its use of Linux no more makes someone who's playing on a Steam Deck a Linux user than someone with a TV running Tizen is a Linux user.
Still in the process of moving my server from Ubuntu to Debian.
That should be possible by changing the repos, shouldn't it? I will try this in a VM.
Downgrading will be harder than rebasing from Ubuntu LTS to Debian Sid for example. But at the same time I imagine it's easier to downgrade from Sid to Stable on the same distro.
It works for me, and my tinkering times are behind me.
Not the person you are replying to, but my server is on Ubuntu. It was the distro my work used and it was probably the only distro I had heard of at the time I set up my server. At this point I run so much shit that can never go down on my server that I will never consider touching the distro ever.
Plus, who cares? It's a server. I don't interact with the distro. I only ssh in, run services through containers, and add port forwards. Every distro is identical for that stuff. I even prefer old kernel and package versions for ultra stability, as my server can never go down. Sure, Debian would be the same, but why touch it now? That's just asking for headache.
Because it's a server. And you want your server to stay online and not get hacked. That's why.
What about Ubuntu is more vulnerable? Ubuntu isn't vulnerable to this newly discovered CVE.
Everything downloaded in snap is vulnerable because snap does not cryptographically verify all packages, unlike apt.
Also Ubuntu has newer packages in apt than Debian, which is more dangerous.
snap does not cryptographically verify all packages, unlike apt
This isn't correct. Run snap download htop from your terminal and you'll receive two files: the actual squashfs image that gets mounted in /snap/htop/ and a .assert file that contains cryptographic signature data about this snap file. Modify the squashfs image and snap won't let you install it without passing --dangerous to bypass that check, just like apt-get's --allow-unauthenticated.
The problem here exists at a different level: the level of what's getting signed. Conceptually speaking, running sudo snap install htop is a bit like running sudo add-apt-repository ppa:maxiberta/htop && sudo apt install htop. The package is built by the owner of the snap/ppa, and what Canonical is cryptographically verifying to you is that they got this from the owner of the (snap|ppa). This is roughly equivalent to domain verification for HTTPS (the type of HTTPS certificates Let's Encrypt uses).
There are some different security considerations. For a snap, you need to be aware of the publisher each time you install something new. For PPAs, on the other hand, you only have to worry about this when you add a new PPA. However, the trade-off also works in the other direction. One snap can't just replace another snap on your system, whereas a malicious PPA could provide, for example, a malicious libc6 update.
These are both different (and lesser) assertions than what Ubuntu makes with its standard apt repositories. But they are still cryptographically backed.
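The distinction the comment above draws (a digest that binds the image, a signed assertion that binds the digest to a name and publisher, and a --dangerous flag that skips the signature) can be seen concretely in a small model. This is an added example and not snapd's code: the assertion fields are constructed stand-ins for snap's real assertion documents, and a keyed MAC under a constructed STORE_KEY stands in for the store's asymmetric signature. The cases show which check catches which kind of tampering, and what is given up when the signature check is bypassed.

```python
"""Toy model of digest-plus-signed-assertion package verification.

Added example, not snapd's code: the assertion fields and the keyed MAC
below are constructed stand-ins for snap's real assertion documents and
their asymmetric signatures. What it shows is which check catches which
kind of tampering, and what skipping the signature check gives up.
"""
import hashlib
import hmac

# Constructed signing key. In the real system the store signs with an
# asymmetric key and clients hold only the public half.
STORE_KEY = b"constructed-store-signing-key"


def _canonical(fields: dict) -> bytes:
    """Deterministic serialisation of the signed fields."""
    return "\n".join(f"{k}: {v}" for k, v in sorted(fields.items())).encode()


def make_assertion(name: str, publisher: str, blob: bytes) -> dict:
    """Bind a package blob to a name and publisher, then sign the binding.

    Note what is attested: that this exact blob came from this publisher-id.
    Nothing here says the code inside the blob is benign.
    """
    fields = {
        "snap-name": name,
        "publisher-id": publisher,
        "sha256": hashlib.sha256(blob).hexdigest(),
    }
    fields["signature"] = hmac.new(STORE_KEY, _canonical(fields), "sha256").hexdigest()
    return fields


def verify(assertion: dict, blob: bytes, dangerous: bool = False) -> str:
    """Return 'ok' or the reason installation would be refused.

    dangerous=True models 'snap install --dangerous' (or apt's
    --allow-unauthenticated): the signature is not checked at all.
    """
    signed = {k: v for k, v in assertion.items() if k != "signature"}
    expected = hmac.new(STORE_KEY, _canonical(signed), "sha256").hexdigest()
    if not dangerous and not hmac.compare_digest(expected, assertion.get("signature", "")):
        return "assertion signature invalid"
    if hashlib.sha256(blob).hexdigest() != assertion["sha256"]:
        return "blob digest does not match assertion"
    return "ok"


def scenarios() -> dict:
    """Run the cases a verifier must distinguish; returns case -> outcome."""
    blob = b"constructed squashfs image of htop"          # constructed sample
    assertion = make_assertion("htop", "publisher-constructed-id", blob)
    tampered = blob + b" plus injected code"

    # Someone rewrites the digest to match the modified blob but holds no
    # signing key, so the signature no longer covers the new fields.
    forged = dict(assertion)
    forged["sha256"] = hashlib.sha256(tampered).hexdigest()

    return {
        "intact": verify(assertion, blob),
        "tampered_blob": verify(assertion, tampered),
        "tampered_blob_and_digest": verify(forged, tampered),
        "dangerous_bypass": verify(forged, tampered, dangerous=True),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case:28} {outcome}")
```

The "dangerous_bypass" case is the one worth remembering: once the signature is skipped, a digest that travels with the package proves only that the two halves agree with each other, not who produced them, which is the same gap the thread later raises for digest-only checking in .deb packages.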
Can you please link to the documentation that describes this?
I'm not sure if there's a single document explaining all of that, but this document talks about snap's assertions. I'm not entirely sure but I believe this file contains the main snapd business logic for actually checking these assertions.
On the PPA side I don't even know whether there is documentation for this - it's just the result of my understanding of how apt works and my own history creating PPAs.
You're literally replying under a submission that's about unreviewed malware that got accepted in their repo.
Those are snaps. I don't use those on my server. AFAIK, they're mostly used for GUI applications. I don't even have a GUI on my server. I wouldn't even know how to install or run a snap from command line.
Most things that run in my server are containerized services that I wrote personally. So as long as there isn't a vulnerability in podman or my reverse proxy, and as long as I keep my base containers up to date (they pull the latest base image each time the image is built), I'm mostly fine.
I want to make something clear before I start: the person to whom you are replying is being quite toxic in this thread and I'm sorry you had to interact with them. (They're also saying a bunch of incorrect stuff.)
That said - I personally have more non-GUI snaps installed than GUI ones. Including in my homelab, where having the latest htop is very convenient and where I've got several actual server apps installed as snaps (postgres and plex being the first two that come to mind).
That's good to know, and I had a feeling I was wrong about that.
Those are snaps. I don’t use those on my server.
Just because you don't use them doesn't invalidate the earlier statement.
And that's totally fine, but it doesn't invalidate my claim that I don't really care, because it doesn't affect me. 🤷
I use it because a class wanted me to either use it in a VM or use WSL but WSL didn't work and I figured it was easier to set up a dual boot than setting up a VM since I've installed Linux quite a few times.
Yes, just not the people who hang out on Linux communities on federated social media.
People still use Ubuntu?
They're currently number 6 on DistroWatch's Last 6 Months. So people are at least still interested in it.
The DistroWatch Page Hit Ranking statistics are a light-hearted way of measuring interest in Linux distributions and other free operating systems among the visitors of this website. They correlate neither to usage nor to quality and should not be used to measure the market share of distributions. They simply show the number of times a distribution page on DistroWatch was accessed each day, nothing more.
They simply show the number of times a distribution page on DistroWatch was accessed each day, nothing more.
Which can be manipulated by scripting or setting the browser's home page to the DistroWatch page of a distribution. No way in hell is MX Linux actually popular.
DistroWatch is extremely weird. Who actually uses MXLinux and all these obscure Distros?
Why just now? Meanwhile, all Debian packages on their apt repos are reviewed and maintained by Debian.
I would imagine the recent xz backdoor discovery spooked them a bit. So now they are going to check things.
We shall see if it continues or not.
It was probably the wave of phishing apps that scared them tbh
This predates that discovery.
No. They will likely still use release tarballs
And MD5 for package integrity checking, and not using per-package PKI signatures.
That anyone still uses MD5 or SHA1 is unbelievable.
What should be used instead?
That is a very good question. At this point, a hash function in the SHA-2 family is generally considered secure.
MD5 has been known to be cryptographically insecure since about 2008. Collisions can be reliably reached in sub-second timeframes on hardware that is over a decade old. It also has many other attack vectors. The only place that it really could reasonably be used is when checking for file integrity for an rsync or the like but even then, with modern hardware, there's little reason to not use a secure hashing algorithm.
For SHA-1, successful collisions were hit in under 2^69 ops as early as 2005.
In 2017, Big G (when they were still trying not to be evil) announced the SHAttered attack that reliably reached collisions with 2^63.1 ops. SHAttered required 6500 CPU-years and 110 GPU-years to implement but that's a number well within reach for a well-funded adversary. Several other attacks from other directions have been proven out with the barrier to entry getting significantly lower. It doesn't even take a state actor anymore with costs being estimated as low as $45k USD in 2020.
SHA-2 has not yet had any publicly disclosed success in defeating all hashing rounds. Last year, there was success in collision in 31/60 rounds for SHA-256 and 31/80 rounds for SHA-512. So, it's generally thought to still be secure (no one has yet disclosed a practical collision or pseudo-collision that is close to defeating ALL rounds).
EDIT: Newlines to avoid formatting (how do I escape formatting characters?)
The use of MD5 becomes a bigger issue when paired with the lack of package signatures. You can inject code into a package and find a colliding digest absurdly fast. I and a friend from Threatlocker created a Metasploit module to use Deb packages for local privesc based on the concept. If it touches the filesystem outside of the APT cache it becomes a vector.
Absolutely this. I wasn't aware that Debs were still using MD5s and am now quite disturbed by this. Time to dig through some source.
In theory (whitepaper is still being written), if you MITM the connection to the APT mirror it's using you can also carry out the attack over the network by injecting it into the package on the fly. Cert pinning might be a blocker, but local (LAN) package mirrors might still be valid attack targets. Enterprises often use MITM certs for things like DLP and packet inspection we might be able to leverage at least.
Yeah. This is a pretty big issue. Proper handling of MitM certs via a trusted root CA on the enterprise machines could mitigate a bit by avoiding use of TLS skip-verify but, there's still a wider threat surface than there should be due to the use of MD5. Sub-second collisions means that malicious code could be readily inserted by an adversary through something like that xz backdoor and likely go unnoticed for much longer.
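The mitigation mentioned above, not skipping TLS verification and not weakening apt's signature checks, is something a defender can audit on a fleet. The following is an added example, not Debian's or Ubuntu's tooling: it scans apt configuration and source lines for the settings that turn those checks off. The option names (trusted=yes, Trusted: yes, Acquire::AllowInsecureRepositories, APT::Get::AllowUnauthenticated, Acquire::https::Verify-Peer / Verify-Host) are real apt options; the sample lines and the file paths in the comments are constructed for the example.

```python
"""Audit apt configuration for settings that disable signature or TLS checks.

Added example (not Debian's or Ubuntu's tooling). The option names are real
apt options; the sample input below is constructed and the paths mentioned
in comments are only illustrative.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, offending line, explanation)

# Checks over apt.conf-style lines (e.g. /etc/apt/apt.conf.d/*).
CONF_CHECKS = [
    (re.compile(r'Acquire::AllowInsecureRepositories\s+"?true"?', re.I),
     "high", "unsigned or badly signed repositories are accepted"),
    (re.compile(r'APT::Get::AllowUnauthenticated\s+"?true"?', re.I),
     "high", "packages from unauthenticated sources install without prompting"),
    (re.compile(r'Acquire::https::(?:[\w.-]+::)?Verify-Peer\s+"?false"?', re.I),
     "high", "TLS certificate verification is disabled for https mirrors"),
    (re.compile(r'Acquire::https::(?:[\w.-]+::)?Verify-Host\s+"?false"?', re.I),
     "high", "TLS hostname verification is disabled for https mirrors"),
]

# Checks over sources (one-line sources.list and deb822 .sources files).
SOURCE_CHECKS = [
    (re.compile(r'^\s*deb(?:-src)?\s+\[[^\]]*trusted=yes[^\]]*\]', re.I),
     "high", "repository marked trusted=yes: Release signature is not checked"),
    (re.compile(r'^\s*Trusted:\s*yes\s*$', re.I),
     "high", "deb822 source marked Trusted: yes: Release signature is not checked"),
    (re.compile(r'^\s*(?:deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?|URIs:\s*)http://', re.I),
     "info", "plaintext http mirror: integrity rests entirely on apt's signature checks"),
]


def audit(lines: List[str]) -> List[Finding]:
    """Return one finding per matching check, in input order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        stripped = line.strip()
        # Skip blank lines and whole-line comments ('#' in sources, '//' in apt.conf).
        if not stripped or stripped.startswith("#") or stripped.startswith("//"):
            continue
        for pattern, severity, why in CONF_CHECKS + SOURCE_CHECKS:
            if pattern.search(line):
                findings.append((severity, stripped, why))
    return findings


def highest_severity(findings: List[Finding]) -> str:
    """Collapse a finding list to 'high', 'info' or 'none' for fleet reporting."""
    levels = {f[0] for f in findings}
    if "high" in levels:
        return "high"
    return "info" if "info" in levels else "none"


# Constructed sample: two source lines and two apt.conf lines.
SAMPLE = [
    "# constructed /etc/apt/sources.list",
    "deb https://archive.example.test/ubuntu jammy main",
    "deb [trusted=yes] http://mirror.internal.test/debian bookworm main",
    "# constructed /etc/apt/apt.conf.d/99local",
    'Acquire::https::Verify-Peer "false";',
    'Acquire::AllowInsecureRepositories "false";',
]


if __name__ == "__main__":
    for severity, line, why in audit(SAMPLE):
        print(f"[{severity}] {line}\n        {why}")
    print("overall:", highest_severity(audit(SAMPLE)))
```

On the sample the internal mirror line produces two findings (trusted=yes and plaintext transport) and the Verify-Peer line one; the explicit "false" for AllowInsecureRepositories is the secure default and is not reported. The "info" level for plain http is deliberate: apt's Release signature still protects such a mirror, so it becomes a real problem only in combination with one of the "high" findings.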
Time to figure out contributing to Debian.
To save you some effort, they do not consider it a priority to fix. Code was attempted to merge that would make package signatures the default, but it was removed because it “was a waste of cpu cycles” when “md5 and the https was just as good”. I’m not kidding, you can find the whole conversation in the Debian mailing archives. So instead I’m going to make it known how dumb it is, and encourage people to use something else.
The extra cost added to override this is fairly small, I don't think it will help.
At least this prevents impersonation of well-known publishers or their software. Maybe all changes to metadata like the description should require a manual review even for established packages.
At least this prevents impersonation of well-known publishers or their software
How?
That depends on the depth of the review, e.g. verifying the submitter is a member of the project, the software name does not conflict with a well known name,...
verifying the submitter is a member of the project
That's a different requirement as far as I can tell (when you do that you get the "plus" sign next to the name on the store).
the software name does not conflict with a well known name,…
It should conflict, the point is that some random dude can create a package and people could use it.
They can review and check that the URL in the manifest used to build or install the package is from upstream, but that can later be changed, it would be better to have some system where you need to whitelist URLs I think.
I've heard all the arguments about how these new packaging formats are supposed to make things easy for developers and for users with different use cases than my own (apparently), but I will continue to avoid them until they have further matured. I'm relieved that this is still possible.
The idea is good I think but the implementation has only ever caused me problems and seems to have a bunch of frustrating edge cases.
I've been using snaps for a few years now and while they still could use some improvements, the snaps I'm currently using seem to be fairly indistinguishable from deb-based packaging thanks to bug fixes they have done over the years. I think the idea of containerized applications is a good one, I think it actually can be safer. Performance is also fine for me with snap applications even like Firefox snap startup speed, although I'm using an R9 5900x and Gen 4 M2 NVMe SSD so maybe that's why, or maybe they really have improved the snap software and it is just as fast now for the most part.
I've had to swap Firefox on my laptop for the deb package, the snap took like 5sec to open, whereas the deb opens instantly. Other than that, I don't see much of a difference, but I run into sandboxing issues quite often (same with flatpak though)
I had a "Save As" issue in Firefox snap where it just wouldn't be able to save pages, but since upgrading to either Ubuntu 20.04 or 22.04 (can't remember which version fixed it), that problem has gone away entirely.
The problem for me is portability. Flatpak, Snap, Appimage, docker, podman, lxc, they all do the same thing, but they’re splitting the market into “servers” and “desktops”.
We need a portable container runtime we can build from a compose file, run cli or gui apps, and migrate to a server with web app capability displaying the UI. There are too many build targets, and too much virtual market segmentation.
Nix tries to solve the issue, but the problem is you have to use Nix.
True. Actual package managers are still thousands of times superior to flat and snap.
That sentence makes little sense as both are using package managers that work similarly. Flatpak even uses ostree which is more advanced.
My thing (I'm not the guy you replied to) is all the various user-facing complaints that I tend to see in these discussions. I use a distro where I can get current versions of anything I've ever needed, and I know how to maintain my system.
As a user, even if the various alternatives are fine most of the time, without concerns about security, integration, etc - I've never read anything that would make me want the additional complication. (I say this recognizing that there are security concerns regardless of how you get your software - I'm not saying these new solutions are inherently worse in that regard.)
I suppose at some point I'll want or need to embrace flatpak/appimage/snaps, but I can't find any reason I'd do so now - it feels like it increases the number of gotchas I need to worry about when installing software without actually giving me anything I want that I don't already get with my "legacy" package manager.
We don't live in such a perfect world. Linux has a small market share for non-server software, so packaging is done by your distro.
You would need to have user-facing settings for Apparmor or SELinux to replicate what already exists with Flatpak.
Principle of least privilege.
Maybe you prefer native packages, but bubblejail or SELinux confined users are complicated as hell and both are pre-alpha in my experience.
So yes you add bloat, dependencies etc. But you also add stability, a small core system, take load of OS developers and unify the packaging efforts so that it is done by developers not packagers.
This reduces complexity a lot, as the underlying system is not as important anymore, and you can just use whatever you want. Software is separated from the OS.
After repeatedly suffering issues with scam apps making it onto the Snap Store, Canonical, maker of Ubuntu Linux, has now decided to manually look over submissions.
I've covered the issues with the Snap Store a few times now like on March 19th when ten scam crypto apps appeared, got taken down and then reappeared under a different publisher.
Also earlier back in February there was an issue where a user actually lost their wallet as a result of a fake app.
Multiple fake apps were also put up back in October last year as well, so it was a repeating issue that really needed dealing with properly.
So to try and do something about it, Canonical's Holly Hall has posted on their Discourse forum about how "The Store team and other engineering teams within Canonical have been continuously monitoring new snaps that are being registered, to detect potentially malicious actors" and that they will now do manual reviews whenever people try to register "a new snap name".
Hopefully this will begin to put an end to scam apps making it into the Snap Store and onto machines running Ubuntu and any other Linux distribution that enables Snap packages.
The original article contains 238 words, the summary contains 195 words. Saved 18%. I'm a bot and I'm open source!
wanst that the whole damn (stated) point of making it proprietary?
I can recommend a minty flavored alternative if you're sick of it.
Green Ubuntu is Best Ubuntu
I prefer some POP in my ubuntu, but green is flavorful.
I like it across the road a bit more, you know, the fedora shop
Btw I have no idea why they want to mix Mint with Cinnamon, must taste ugly.
Literally what I'm chewing right now. Its pretty okay.
I should do a "sorting DEs by their taste" meme
Yeah, once you crunch down the edges its pretty good. Make sure to use optical rather than solid state tho.
A fresh breath of minty cinnamon, mate?
You mean Ubuntu MATE?
No, I do not
I recommend Debian. Why go downstream when you can go upstream?
You mean old Ubuntu?
I'm using Mint and new to it. Does the Mint app store have more security or scrutiny? I'm cautious as most things are lucky to have one or two reviews listen. Many are zero though and it's not quite clear to me yet how to tell if things are from an official source or if they had review.
Packages are usually not official but maintained by your distro, so there are pretty strict controls, especially on Linux Mint Debian edition. Flatpaks on the other hand come from flathub and are less controlled, but since they’re sandboxed the security is still good. If you open the website you can see which apps are verified (official) and which aren’t. Flatpaks also have more user reviews in the most cases
It always takes a disaster before corporations act.
Snap still has users?
Anyone using Ubuntu
I use Ubuntu.
Downvotes to the right mocking laughs to my face.
Ubuntu may be good at being semi-stable.
Just run unsnap and experience actually secure apps.
Did you know that Snaps are only sandboxed on Ubuntu with Apparmor? This makes them more versatile than Flatpaks using Bubblewrap (the whole system is sandboxed like that) but will break all sandboxing if systems dont use Apparmor, or dont include all patches.
But not voluntarily. Since it's.integrated with apt you randomly get snap garbage installed instead.
Before the current itteration of my homelab I used Ubuntu. Never used snap tho.
Last I used Ubuntu, removing snap was a one time thing that took 5 minutes, of which 4 of them was looking for my notes from the time before.
I ditched Ubuntu, but it wasn't because of snap. Maybe this has changed in the last 3 years?
Yes. Now if you use apt to install Firefox or Thunderbird, it will reinstall snap and install the snap versions of those programs.
If you blacklist snap, it'll throw an error when you try to install Firefox or Thunderbird cause it can't resolve their "dependencies".
You'll have to install those programs from outside of Ubuntu's repositories, and the list of affected programs is growing.
Ubuntu's stated goal is to eventually use snap for all userland apps.
People still use Ubuntu?
One of the top most used distros probably
This thread is a good example of just how circlejerky and bubble like lemmy has become.
You are correct. Outside of the hard-core users and tech nerds, Ubuntu is massively popular. But you listen to this community, and you'd think the opposite.
Most of us do live in bubbles (not exclusive to Lemmy or tech nerds). I first picked up Ubuntu in 2004. It was a massive leap forward at the time as GNOME was moving a lot faster than Debian stable and I was running Sid to keep up. I am genuinely surprised every time I learn Ubuntu is still "popular" as they have made so many NIH missteps over the years (Mir, Upstart, Unity, snap) and frustrated their users. I moved back to Debian years ago for server/dev as Ubuntu re-packaging wasn't adding any value and once I was on another distro for desktop I lost all interest.
Ubuntu started off with some amazing community building. It felt more like a people's distro than Canonical's for a time. I felt more invested in it in those days so I can relate to Ubuntu users, but I also understand some of the criticism aimed at Canonical and their choices.
True. I've always felt more at home in Ubuntu and its derivatives. Debian is quite nice too.
So which part of the internet is Steam Hardware & Software Survey then?
The most popular Ubuntu version is at a whopping 5% of all Linux users.
Ubuntu went from the most popular desktop distribution to the most or at least one of the most popular container distributions, i.e. for hard-core users and tech nerds. Meanwhile Steam Deck sold millions and I'm confident to say that a good chunk of the users have no idea what Steam Deck runs, let alone SteamOS being an Arch Linux derivative.
Very few linux installs include steam and this survey only represents a few thousand gamers. The only thing it shows is that steam users like steam os.
Millions of sold Steam Deck units run Linux and default to Steam. It's easily the most popular personal computing device running GNU/Linux out there.
So regular users, "outside of the hard-core users and tech nerds".
I wonder how many old ThinkPads are still running Linux... Honestly, it's possible some arbitrary single model may still outnumber Steam Decks.
I think you’re forgetting about AWS, GCP, Azure.
No, I'm not. Had you read my comments correctly, you'd know that I was stating repeatedly that Ubuntu is popular for containers but that is a completely different topic.
That's not a meaningful comparison because it splits Ubuntu by version but all of Arch is a single category. We'd need to roll up the Ubuntu users for it to be apples to apples.
Like Windows, Ubuntu is installed by default on many computers. In my university, all the computers have a dual boot Ubuntu Windows.
Haha in mine they have Ubuntu stickers on them but no Ubuntu to be found.
SteamOS is installed on more computers, though.
You don't honestly believe that, right? Like you're aware that the Steam hardware survey only includes Steam users that have it installed and choose to participate in the survey? There are way more computers and servers running Ubuntu than there are steam decks.
Context is computers dual booting Windows and Ubuntu, so obviously consumer hardware and not servers and also not multiple containers on one device. There are millions of Steam Decks sold already and Steam Deck is consumer hardware which means that there are millions of individual devices running SteamOS.
Sure there are hardcore users that run dozens of containers simultaneously and Ubuntu is quite a popular choice among those. Completely different topic from the one I've replied to, though.
Steam numbers are completely meaningless. There’s absolutely no way SteamOS outnumbers Ubuntu even if we limit this comparison to desktop installs. Ubuntu’s been around for a very long time and many of its users wouldn’t show up on Steam because they don’t game.
If you look at just my household, Ubuntu and its derivatives outnumber SteamOS by a factor of 7:1, not even counting numerous VMs and containers, or 3:1 if you're just counting desktops, laptops and tablets. But if you look at my steam usage, Ubuntu hasn't shown up there in over a year.
I probably spend 10x as much time on Ubuntu machines as I spend on my Steam Deck, but the Steam hardware survey would never surface that fact, nor is it intended to.
No, I won't because anecdotal evidence is no statistic.
Sure, but it's often a clearer way to explain why a statistic is misleading.
In this case, my anecdote shows an example of why the steam hardware survey is not, and was never intended to be, an accurate depiction of what distros people are using overall. Instead, it's a depiction of what distros people are using for Steam, which is the point of the statement above mine.
Using anecdote instead of statistical data is a bad idea. But so is ignoring anecdotes simply because they're anecdotes, as anecdotes are often one of the best ways to find limitations in statistical data.
Provide a better one or keep quiet.
No, they are an actual statistic, whereas you deniers just have gut feeling and literally nothing else.
[citation needed]
I don't know if millions is as big a number you think it is
[Citation Needed]
Irrelevant Citation
Provide a better one or keep quiet.
As I've already explained to you elsewhere, that's not how this works. You are the one who made the claim. The burden is on you to provide a good backing for said claim. When people asked for that backing, you provided something that does not back up that claim. It's not on anyone else to provide an alternative claim, as that would be a variation of attempting to shift the burden of proof.
Personally, I'm not sure if good enough data to provide an answer to everyone's satisfaction exists. But that doesn't mean we get to shortcut the process by claiming that a data set means something it doesn't. Some other data that one could theoretically provide that would be of similar quality to what you've provided (that is, decent quality data that measures something related but cannot be reasonably extrapolated to verify or falsify your claim) include:
So you say...
I have no burden to provide anything but I did anyway out of courtesy, you and your friends just refuse that out of gut feeling.
So there is, according to your own words, absolutely no credible evidence that Ubuntu is popular on desktops at all. So everybody here claiming how popular Ubuntu is, is making claims without backing them up. Funny how your fervor isn't with them and their "burden to provide a good backing for said claim". Seems you are not that objective about that matter.
Fact is, Steam is widely used by "regular" people (which this sub-thread is about) and therefore the best statistic there is about distribution usage outside the "techie sphere".
So you are "not sure if good enough data to provide an answer to everyone’s satisfaction exists" that Ubuntu is popular and the statistic that exists says it isn't that popular among non-techie users. Good that we have this settled now!
You provided a source and then claimed it says something it doesn't. That's not courtesy, that's spreading falsehoods. When people called you out on it, you doubled down. That goes from saying something false, which we all do occasionally even when we don't intend to, to lying. If you don't want to back up your claims, you can say that. But that's not what you did, and that's why people have a problem with this behaviour.
This is what's known as moving the goalposts. Stating that we don't have the data to provide an answer to everyone's satisfaction is not the same as saying that there's not credible evidence of Ubuntu's popularity.
Well let's examine the very comment to which you replied:
Not only did @embed_me@programming.dev say something that general context of the industry tends to say is likely, they also caveated their statement with a "probably."
Not only that, but the very screenshot you keep sharing actually provides evidence for that. Ubuntu is in the top 5 distros listed.
Because their statements match my current informed understanding of the state of things (so I don't feel the need to ask them where they're getting their info) and, more importantly, they're not making toxic replies and personal attacks. They're not, in what I've read, telling you to shut up. Rather, most of the replies I've read to your comments have been unfailingly polite, which is more than I can say of your own comments.
I'm not objective in the matter, and neither are you. However, I'm also not claiming that Steam OS isn't popular. It's undoubtedly popular, and on a personal note I'm a fan of it. What I am claiming is that the data you're using doesn't back up your statement.
There's the problematic leap. Steam is widely used, yes. And the Steam survey is a great tool for helping game developers decide where to target their games. But that doesn't make it a good statistic about general distro usage, for numerous reasons, including (but not limited to):
I do
why?
Still in the process of moving my server from Ubuntu to Debian.
That should be possible by changing the repos, shouldn't it? I will try this in a VM.
Downgrading will be harder than rebasing from Ubuntu LTS to Debian Sid, for example. But at the same time I imagine it's easier to downgrade from Sid to Stable on the same distro.
It works for me, and my tinkering times are behind me.
Not the person you are replying to, but my server is on Ubuntu. It was the distro my work used and it was probably the only distro I had heard of at the time I set up my server. At this point I run so much shit that can never go down on my server that I will never consider touching the distro ever.
Plus, who cares? It's a server. I don't interact with the distro. I only ssh in, run services through containers, and add port forwards. Every distro is identical for that stuff. I even prefer old kernel and package versions for ultra stability, as my server can never go down. Sure, Debian would be the same, but why touch it now? That's just asking for headache.
Because it's a server. And you want your server to stay online and not get hacked. That's why.
What about Ubuntu is more vulnerable? Ubuntu isn't vulnerable to this newly discovered CVE.
Everything downloaded in snap is vulnerable because snap does not cryptographically verify all packages, unlike apt.
Also Ubuntu has newer packages in apt than Debian, which is more dangerous.
This isn't correct. Run snap download htop from your terminal and you'll receive two files: the actual squashfs image that gets mounted in /snap/htop/ and a .assert file that contains cryptographic signature data about this snap file. Modify the squashfs image and snap won't let you install it without passing --dangerous to bypass that check, just like apt-get's --allow-unauthenticated. The problem here exists at a different level: the level of what's getting signed. Conceptually speaking, running sudo snap install htop is a bit like running sudo add-apt-repository ppa:maxiberta/htop && sudo apt install htop. The package is built by the owner of the snap/PPA, and what Canonical is cryptographically verifying to you is that they got this from the owner of the (snap|PPA). This is roughly equivalent to domain verification for HTTPS (the type of HTTPS certificates Let's Encrypt uses). There are some different security considerations. For a snap, you need to be aware of the publisher each time you install something new. For PPAs, on the other hand, you only have to worry about this when you add a new PPA. However, the trade-off also works in the other direction. One snap can't just replace another snap on your system, whereas a malicious PPA could provide, for example, a malicious libc6 update. These are both different (and lesser) assertions than what Ubuntu makes with its standard apt repositories. But they are still cryptographically backed.
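The binding that post describes, as an added example (this is not snapd's code and not from the original post): it parses a constructed .assert bundle, checks that the blob's SHA3-384 digest and size match the snap-revision assertion, requires the revision's snap-id to appear in a snap-declaration, and returns the snap-id and developer-id the store vouched for, so you can see exactly what the store's signature binds. What it deliberately does not do is verify the assertion signatures against the store's account-key, which snapd does before trusting any header. The snap-id, publisher-id, signature text and squashfs bytes are placeholders, and the digest encoding (URL-safe base64 without padding) is an assumption about snapd's format.

```python
import base64
import hashlib

# Constructed stand-in for the squashfs image that "snap download" writes next
# to the .assert file. Not a real snap; only the bytes matter for the check.
SNAP_BLOB = b"hsqs" + bytes(28) + b"constructed squashfs payload for the example"


def snap_sha3_384(blob: bytes) -> str:
    """SHA3-384 of the blob as snap-revision assertions carry it: URL-safe
    base64 without padding (assumption about snapd's encoding)."""
    return base64.urlsafe_b64encode(hashlib.sha3_384(blob).digest()).rstrip(b"=").decode()


# Constructed .assert bundle; identifiers and signatures are placeholders. A real
# bundle also carries account-key and account assertions, parsed the same way.
ASSERT_FILE = f"""type: snap-declaration
authority-id: canonical
series: 16
snap-id: EXAMPLEsnapidEXAMPLEsnapidEXAMPLE
publisher-id: EXAMPLEpublisherid
snap-name: htop

PLACEHOLDER-SIGNATURE-OVER-THE-DECLARATION

type: snap-revision
authority-id: canonical
snap-sha3-384: {snap_sha3_384(SNAP_BLOB)}
developer-id: EXAMPLEpublisherid
snap-id: EXAMPLEsnapidEXAMPLEsnapidEXAMPLE
snap-revision: 42
snap-size: {len(SNAP_BLOB)}

PLACEHOLDER-SIGNATURE-OVER-THE-REVISION
"""


def parse_assertions(text: str) -> list[dict]:
    """One header dict per assertion. Headers, blank line, signature, and a
    blank line before the next assertion: splitting on blank lines alternates
    header and signature chunks. Indented lines continue the previous header."""
    chunks = text.strip().split("\n\n")
    assertions = []
    for header_chunk, signature in zip(chunks[0::2], chunks[1::2]):
        headers, last = {}, ""
        for line in header_chunk.splitlines():
            if line.startswith(" ") and last:
                headers[last] += "\n" + line.strip()
            else:
                key, _, value = line.partition(": ")
                headers[key], last = value, key
        headers["_signature"] = signature.strip()
        assertions.append(headers)
    return assertions


def check_snap_revision(blob: bytes, assert_text: str) -> tuple[str, str, int]:
    """Bind the blob to its snap-revision assertion by digest and size, require
    the revision to belong to a declared snap-id, and return (snap-id,
    developer-id, revision). Not done here: verifying each assertion's
    signature against the store's account-key, which snapd does first; without
    that step these headers are untrusted text."""
    assertions = parse_assertions(assert_text)
    revs = [a for a in assertions if a.get("type") == "snap-revision"]
    if len(revs) != 1:
        raise ValueError("expected exactly one snap-revision assertion")
    rev = revs[0]
    if int(rev["snap-size"]) != len(blob):
        raise ValueError("snap-size mismatch")
    if rev["snap-sha3-384"] != snap_sha3_384(blob):
        raise ValueError("snap-sha3-384 mismatch: not the blob the store signed")
    declared = {a["snap-id"] for a in assertions if a.get("type") == "snap-declaration"}
    if rev["snap-id"] not in declared:
        # A revision signed for some other snap must not be passed off as this one.
        raise ValueError("snap-revision does not match a snap-declaration in the bundle")
    return rev["snap-id"], rev["developer-id"], int(rev["snap-revision"])


def is_accepted(blob: bytes, assert_text: str) -> bool:
    """True if the blob passes; False means snap would demand --dangerous."""
    try:
        check_snap_revision(blob, assert_text)
        return True
    except (ValueError, KeyError):
        return False


def tampered(blob: bytes) -> bytes:
    """The blob with one payload byte flipped, i.e. a modified squashfs image."""
    out = bytearray(blob)
    out[-1] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    print("store vouches for:", check_snap_revision(SNAP_BLOB, ASSERT_FILE))
    print("tampered blob accepted?", is_accepted(tampered(SNAP_BLOB), ASSERT_FILE))
```

The point to take from the return value is the one the post makes: the signed headers name a developer-id, not a statement that the publisher is trustworthy, so the publisher is what you check before installing.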
Can you please link to the documentation that describes this?
I'm not sure if there's a single document explaining all of that, but this document talks about snap's assertions. I'm not entirely sure but I believe this file contains the main snapd business logic for actually checking these assertions.
On the PPA side I don't even know whether there is documentation for this - it's just the result of my understanding of how apt works and my own history creating PPAs.
You're literally replying under a submission that's about unreviewed malware that got accepted in their repo.
Those are snaps. I don't use those on my server. AFAIK, they're mostly used for GUI applications. I don't even have a GUI on my server. I wouldn't even know how to install or run a snap from command line.
Most things that run in my server are containerized services that I wrote personally. So as long as there isn't a vulnerability in podman or my reverse proxy, and as long as I keep my base containers up to date (they pull the latest base image each time the image is built), I'm mostly fine.
I want to make something clear before I start: the person to whom you are replying is being quite toxic in this thread and I'm sorry you had to interact with them. (They're also saying a bunch of incorrect stuff.)
That said - I personally have more non-GUI snaps installed than GUI ones. Including in my homelab, where having the latest htop is very convenient and where I've got several actual server apps installed as snaps (postgres and plex being the first two that come to mind).
That's good to know, and I had a feeling I was wrong about that.
Just because you don't use them doesn't invalidate the earlier statement.
And that's totally fine, but it doesn't invalidate my claim that I don't really care, because it doesn't affect me. 🤷
I use it because a class wanted me to either use it in a VM or use WSL but WSL didn't work and I figured it was easier to set up a dual boot than setting up a VM since I've installed Linux quite a few times.
Yes, just not the people who hang out on Linux communities on federated social media.
They're currently number 6 on DistroWatch's Last 6 Months. So people are at least still interested in it.
Which can be manipulated by scripting or setting the browser's home page to the DistroWatch page of a distribution. No way in hell is MX Linux actually popular.
DistroWatch is extremely weird. Who actually uses MX Linux and all these obscure distros?
Why just now? Meanwhile, all Debian packages on their apt repos are reviewed and maintained by Debian.
I would imagine the recent xz backdoor discovery spooked them a bit. So now they are going to check things.
We shall see if it continues or not.
It was probably the wave of phishing apps that scared them tbh
This predates that discovery.
No. They will likely still use release tarballs
And MD5 for package integrity checking, and not using per-package PKI signatures.
That anyone still uses MD5 or SHA1 is unbelievable.
What should be used instead?
That is a very good question. At this point, a hash function in the SHA-2 family is generally considered secure.
MD5 has been known to be cryptographically insecure since about 2008. Collisions can be reliably reached in sub-second timeframes on hardware that is over a decade old. It also has many other attack vectors. The only place that it really could reasonably be used is when checking for file integrity for an rsync or the like but even then, with modern hardware, there's little reason to not use a secure hashing algorithm.
For SHA-1, successful collisions were hit in under 2^69 ops as early as 2005.
In 2017, Big G (when they were still trying not to be evil) announced the SHAttered attack that reliably reached collisions with 2^63.1 ops. SHAttered required 6500 CPU-years and 110 GPU-years to implement, but that's a number well within reach for a well-funded adversary. Several other attacks from other directions have been proven out, with the barrier to entry getting significantly lower. It doesn't even take a state actor anymore, with costs being estimated as low as $45k USD in 2020.
SHA-2 has not yet had any publicly disclosed success in defeating all hashing rounds. Last year, there was success in collision in 31/60 rounds for SHA-256 and 31/80 rounds for SHA-512. So, it's generally thought to still be secure (no one has yet disclosed a practical collision or pseudo-collision that is close to defeating ALL rounds).
EDIT: Newlines to avoid formatting (how do I escape formatting characters?)
The use of MD5 becomes a bigger issue when paired with the lack of package signatures. You can inject code into a package and find a colliding digest absurdly fast. A friend from ThreatLocker and I created a Metasploit module to use Deb packages for local privesc based on the concept. If it touches the filesystem outside of the APT cache it becomes a vector.
Absolutely this. I wasn't aware that Debs were still using MD5s and am now quite disturbed by this. Time to dig through some source.
In theory (whitepaper is still being written), if you MITM the connection to the APT mirror it's using you can also carry out the attack over the network by injecting it into the package on the fly. Cert pinning might be a blocker, but local (LAN) package mirrors might still be valid attack targets. Enterprises often use MITM certs for things like DLP and packet inspection we might be able to leverage at least.
Yeah. This is a pretty big issue. Proper handling of MitM certs via a trusted root CA on the enterprise machines could mitigate a bit by avoiding use of TLS skip-verify, but there's still a wider threat surface than there should be due to the use of MD5. Sub-second collisions mean that malicious code could be readily inserted by an adversary through something like that xz backdoor and likely go unnoticed for much longer.
Time to figure out contributing to Debian.
To save you some effort, they do not consider it a priority to fix. An attempt was made to merge code that would make package signatures the default, but it was removed because it "was a waste of CPU cycles" when "md5 and the https was just as good". I'm not kidding, you can find the whole conversation in the Debian mailing archives. So instead I'm going to make it known how dumb it is, and encourage people to use something else.
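The download-side chain that the md5sums discussion above leaves out, as an added example (not APT's code and not from any post in this thread): the archive key signs the Release file, which lists hashes of the Packages index, which lists hashes of each .deb; APT checks the SHA256 entries at both levels, and the DEBIAN/md5sums inside a package is what debsums reads after installation, not part of the download check. The example builds constructed Release, Packages and .deb data, walks the two-level chain, and refuses to proceed when only MD5 is on offer instead of silently falling back to it. Verification of the Release file's own signature (gpgv against the archive keyring) is assumed to have happened before this code runs; the package name, version, path and bytes are placeholders.

```python
import hashlib

# Constructed stand-in for a .deb (real ones are ar archives); only bytes matter.
DEB = b"!<arch>\ndebian-binary   constructed payload, not a real package\n"
FILENAME = "pool/main/e/example/example_0.1-1_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"
# Release section name -> hashlib name. MD5Sum/SHA1 are collision-broken and
# deliberately absent: they are never sufficient on their own.
STRONG = {"SHA256": "sha256"}


def hexdigest(algo: str, data: bytes) -> str:
    return hashlib.new(algo, data).hexdigest()


# Constructed Packages index stanza, as served under dists/<suite>/<component>/.
PACKAGES_INDEX = f"""Package: example
Version: 0.1-1
Architecture: amd64
Filename: {FILENAME}
Size: {len(DEB)}
MD5sum: {hexdigest("md5", DEB)}
SHA256: {hexdigest("sha256", DEB)}
Description: constructed package for the example
""".encode()

# Constructed Release file: the thing the archive key signs. It hashes index
# files, not individual .debs; paths are relative to dists/<suite>/.
RELEASE = f"""Origin: Example
Suite: stable
MD5Sum:
 {hexdigest("md5", PACKAGES_INDEX)} {len(PACKAGES_INDEX)} {INDEX_PATH}
SHA256:
 {hexdigest("sha256", PACKAGES_INDEX)} {len(PACKAGES_INDEX)} {INDEX_PATH}
"""

# The same data with the strong hash stripped: what MD5-only metadata looks like.
WEAK_RELEASE = RELEASE.split("SHA256:")[0]
WEAK_INDEX = b"".join(l for l in PACKAGES_INDEX.splitlines(keepends=True) if not l.startswith(b"SHA256"))


def release_entries(release: str) -> dict:
    """{section: {path: (digest, size)}} from the indented hash sections."""
    out, current = {}, None
    for line in release.splitlines():
        if line.startswith(" ") and current:
            digest, size, path = line.split()
            out[current][path] = (digest, int(size))
        elif line.endswith(":") and " " not in line:
            current = line[:-1]
            out[current] = {}
        else:
            current = None
    return out


def verify_index(release: str, path: str, index: bytes) -> None:
    """Accept the index only if a strong hash in Release vouches for it."""
    entries, checked = release_entries(release), 0
    for section, algo in STRONG.items():
        if path in entries.get(section, {}):
            digest, size = entries[section][path]
            if size != len(index) or hexdigest(algo, index) != digest:
                raise ValueError(f"{path}: {section} mismatch")
            checked += 1
    if not checked:
        # Falling back to MD5Sum here is the weak-hash trap: an attacker who can
        # produce colliding files could then swap the whole index.
        raise ValueError(f"{path}: no strong hash in Release; refusing MD5-only metadata")


def find_stanza(index: bytes, filename: str) -> dict:
    for block in index.decode().strip().split("\n\n"):
        st = dict(line.partition(": ")[::2] for line in block.splitlines() if ": " in line)
        if st.get("Filename") == filename:
            return st
    raise KeyError(filename)


def verify_deb(index: bytes, filename: str, deb: bytes) -> dict:
    """Accept the .deb only if the stanza's SHA256 and Size match it."""
    st = find_stanza(index, filename)
    if "SHA256" not in st:
        raise ValueError(f"{filename}: stanza has no SHA256; MD5sum alone is not evidence")
    if int(st["Size"]) != len(deb) or hexdigest("sha256", deb) != st["SHA256"]:
        raise ValueError(f"{filename}: SHA256 mismatch, not the file the index describes")
    return st


def verified_package(release: str, index: bytes, filename: str, deb: bytes) -> str:
    """Walk the chain Release -> Packages -> .deb and name what was verified."""
    verify_index(release, INDEX_PATH, index)
    st = verify_deb(index, filename, deb)
    return f"{st['Package']} {st['Version']}"


def rejected(check, *args) -> bool:
    """True if the check raises, i.e. the artifact would not be installed."""
    try:
        check(*args)
        return False
    except (ValueError, KeyError):
        return True


if __name__ == "__main__":
    print("verified:", verified_package(RELEASE, PACKAGES_INDEX, FILENAME, DEB))
    print("MD5-only Release rejected?", rejected(verify_index, WEAK_RELEASE, INDEX_PATH, PACKAGES_INDEX))
    print("MD5-only stanza rejected?", rejected(verify_deb, WEAK_INDEX, FILENAME, DEB))
```

The refusal branches are the part worth copying: a verifier that accepts MD5 when the strong hash is missing turns a collision attack on the index or the package into a working substitution, whatever the transport (mirror, LAN proxy or TLS-intercepting middlebox) looked like.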
Cough Fedora does that (using rpm-sequoia written in Rust) and also uses zst instead of xz for RPMs since Fedora 31
Did they ever make good on this plan?
How is that not security theater? You just need to:
The extra cost added to override this is fairly small, I don't think it will help.
At least this prevents impersonation of well-known publishers or their software. Maybe all changes to metadata like the description should require a manual review even for established packages.
How?
That depends on the depth of the review, e.g. verifying the submitter is a member of the project, the software name does not conflict with a well known name,...
That's a different requirement as far as I can tell (when you do that you get the "plus" sign next to the name on the store).
It should conflict, the point is that some random dude can create a package and people could use it.
They can review and check that the URL in the manifest used to build or install the package is from upstream, but that can later be changed. It would be better to have some system where you need to whitelist URLs, I think.
I've heard all the arguments about how these new packaging formats are supposed to make things easy for developers and for users with different use cases than my own (apparently), but I will continue to avoid them until they have further matured. I'm relieved that this is still possible.
The idea is good I think but the implementation has only ever caused me problems and seems to have a bunch of frustrating edge cases.
I've been using snaps for a few years now and while they still could use some improvements, the snaps I'm currently using seem to be fairly indistinguishable from deb-based packaging thanks to bug fixes they have done over the years. I think the idea of containerized applications is a good one, I think it actually can be safer. Performance is also fine for me with snap applications even like Firefox snap startup speed, although I'm using an R9 5900x and Gen 4 M2 NVMe SSD so maybe that's why, or maybe they really have improved the snap software and it is just as fast now for the most part.
I've had to swap Firefox on my laptop for the deb package, the snap took like 5 sec to open, whereas the deb opens instantly. Other than that, I don't see much of a difference, but I run into sandboxing issues quite often (same with flatpak though).
I had a "Save As" issue in Firefox snap where it just wouldn't be able to save pages, but since upgrading to either Ubuntu 20.04 or 22.04 (can't remember which version fixed it), that problem has gone away entirely.
The problem for me is portability. Flatpak, Snap, Appimage, docker, podman, lxc, they all do the same thing, but they’re splitting the market into “servers” and “desktops”.
We need a portable container runtime we can build from a compose file, run cli or gui apps, and migrate to a server with web app capability displaying the UI. There are too many build targets, and too much virtual market segmentation.
Nix tries to solve the issue, but the problem is you have to use Nix.
True. Actual package managers are still thousands of times superior to flat and snap.
That sentence makes little sense as both are using package managers that work similarly. Flatpak even uses OSTree, which is more advanced.
My thing (I'm not the guy you replied to) is all the various user-facing complaints that I tend to see in these discussions. I use a distro where I can get current versions of anything I've ever needed, and I know how to maintain my system.
As a user, even if the various alternatives are fine most of the time, without concerns about security, integration, etc - I've never read anything that would make me want the additional complication. (I say this recognizing that there are security concerns regardless of how you get your software - I'm not saying these new solutions are inherently worse in that regard.)
I suppose at some point I'll want or need to embrace flatpak/appimage/snaps, but I can't find any reason I'd do so now - it feels like it increases the number of gotchas I need to worry about when installing software without actually giving me anything I want that I don't already get with my "legacy" package manager.
We don't live in such a perfect world. Linux has a small market share for non-server software, so packaging is done by your distro.
You would need to have user-facing settings for Apparmor or SELinux to replicate what already exists with Flatpak.
Principle of least privilege.
Maybe you prefer native packages, but bubblejail or SELinux confined users are complicated as hell and both are pre-alpha in my experience.
So yes you add bloat, dependencies etc. But you also add stability, a small core system, take load of OS developers and unify the packaging efforts so that it is done by developers not packagers.
This reduces complexity a lot, as the underlying system is not as important anymore, and you can just use whatever you want. Software is separated from the OS.
Flatpak is the only good format, as explained in this talk
(Snap has no sandboxing outside of Ubuntu and is thus not portable, Appimages are inherently insecure)
I will check out the video, thanks! I still say you can have the AUR and Arch repos when you pry them from my cold, dead fingers, but I'm open-minded.
Maybe adding a proprietary layer to an open-source OS was a bad idea (for end users)?
Only took them 6 years of malware
I have this unpopular thought: If I had to choose between Canonical's Snap Store and Apple App Store...
Debian it iz
This
"Neither" is a valid choice, we don't have to use one or the other
And why would you have to? Unless it's for work or someone's putting a gun to your head, there will be other options
This is the best summary I could come up with:
After repeatedly suffering issues with scam apps making it onto the Snap Store, Canonical, maker of Ubuntu Linux, has now decided to manually look over submissions.
I've covered the issues with the Snap Store a few times now like on March 19th when ten scam crypto apps appeared, got taken down and then reappeared under a different publisher.
Also earlier back in February there was an issue where a user actually lost their wallet as a result of a fake app.
Multiple fake apps were also put up back in October last year as well, so it was a repeating issue that really needed dealing with properly.
So to try and do something about it, Canonical's Holly Hall has posted on their Discourse forum about how "The Store team and other engineering teams within Canonical have been continuously monitoring new snaps that are being registered, to detect potentially malicious actors" and that they will now do manual reviews whenever people try to register "a new snap name".
Hopefully this will begin to put an end to scam apps making it into the Snap Store and onto machines running Ubuntu and any other Linux distribution that enables Snap packages.
The original article contains 238 words, the summary contains 195 words. Saved 18%. I'm a bot and I'm open source!
They should have been doing this from the start.
I'm glad to see that teststeve5 passed the test!
🤣
Just remove the crypto bullshit apps and 99% of the problems will go away.
And maybe release the SnapStore code so they can all scam each other over there.
Just because you don't like a kind of software doesn't mean it has no place
Then I'll be on the last deb until it no longer works. I'm not going down the proprietary snap route.
Can you use snaps with autofs/NFS yet?
Or sandbox Snap apps on systems without the Ubuntu Apparmor patches or even using SELinux?
Maybe it's just me, but I doubt this will be very effective.