• AChiTenshi@sh.itjust.works
      link
      fedilink
      arrow-up
      32
      arrow-down
      5
      ·
      8 months ago

      I would imagine the recent xz backdoor discovery spooked them a bit. So now they are going to check things.

      We shall see if it continues or not.

              • nickwitha_k (he/him)@lemmy.sdf.org
                link
                fedilink
                arrow-up
                5
                ·
                edit-2
                8 months ago

                That is a very good question. At this point, a hash function in the SHA-2 family is generally considered secure.

                MD5 has been known to be cryptographically insecure since about 2008. Collisions can be reliably reached in sub-second timeframes on hardware that is over a decade old. It also has many other attack vectors. The only place that it really could reasonably be used is when checking for file integrity for an rsync or the like but even then, with modern hardware, there’s little reason to not use a secure hashing algorithm.

                For SHA-1, successful collisions were hit in under 2^69 ops as early as 2005.

                In 2017, Big G (when they were still trying but to be evil) announced the SHAttered attack that that reliably reached collisions with 2^63.1 ops. SHAttered required 6500 CPU-years and 110 GPU-years to implement but that’s a number well within reach for a well-funded adversary. Several other attacks from other directions have been proven out with the barrier to entry getting significantly lower. It doesn’t even take a state actor anymore with costs being estimated as low as $45k USD in 2020.

                SHA-2 has not yet had any publicly disclosed success in defeating all hashing rounds. Last year, there was success in collision in 31/60 rounds for SHA-256 and 31/80 rounds for SHA-512. So, it’s generally thought to still be secure (noone has had yet disclosed a practical collision or pseudo collusion that is close to defeating ALL rounds).

                EDIT: Newlines to avoid formatting (how do I escape formatting characters?)

                • vanderbilt@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  5
                  ·
                  8 months ago

                  The use of MD5 becomes a bigger issue when paired with the lack of package signatures. You can inject code into a package and find a colliding digest absurdly fast. I and a friend from Threatlocker created a Metasploit module to use Deb packages for local privesc based on the concept. If it touches the filesystem outside of the APT cache it becomes a vector.

          • Pantherina@feddit.de
            link
            fedilink
            arrow-up
            5
            arrow-down
            1
            ·
            edit-2
            8 months ago

            Cough Fedora does that (using rpm-sequoia written in Rust) and also uses zst instead of xz for RPMs since Fedora 31

            • vanderbilt@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              8 months ago

              Did they ever make good on this plan?

              RPM must accept SHA-1 hashes and DSA keys for Fedora 38, ideally with a deprecation warning that it will be disabled in F39.

  • wiki_me@lemmy.ml
    link
    fedilink
    English
    arrow-up
    30
    arrow-down
    3
    ·
    8 months ago

    How is that not a security theater? , you just need to :

    • publish a good snap
    • change it to malware after it is approved
    • profit

    The extra cost added to override this is fairly small, i don’t think it will help.

    • progandy@feddit.de
      link
      fedilink
      arrow-up
      18
      ·
      8 months ago

      At least this prevents impersonation of well-known publishers or their software. Maybe all changes to metadata like the description should require a manual review even for established packages.

      • wiki_me@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        8 months ago

        At least this prevents impersonation of well-known publishers or their software

        how?

        • progandy@feddit.de
          link
          fedilink
          arrow-up
          5
          ·
          edit-2
          8 months ago

          That depends on the depth of the review, e.g. verifying the submitter is a member of the project, the software name does not conflict with a well known name,…

          • wiki_me@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            ·
            8 months ago

            verifying the submitter is a member of the project

            That’s a different requirement as far as i can tell (When you do that you get the “plus” sign next to the name on the store).

            the software name does not conflict with a well known name,…

            It should conflict, the point is that some random dude can create a package and people could use it.

            They can review and check that the URL in the manifest used to build or install the package is from upstream, but that can later be changed, it would be better to have some system where you need to whitelist URL’s i think.

  • octopus_ink@lemmy.ml
    link
    fedilink
    English
    arrow-up
    29
    arrow-down
    2
    ·
    edit-2
    8 months ago

    I’ve heard all the arguments about how these new packaging formats are supposed to make things easy for developers and for users with different use cases than my own (apparently), but I will continue to avoid them until they have further matured. I’m relieved that this is still possible.

    • tempest@lemmy.ca
      link
      fedilink
      arrow-up
      18
      ·
      8 months ago

      The idea is good I think but the implementation has only ever caused me problems and seems to have a bunch of frustrating edge cases.

      • ipkpjersi@lemmy.ml
        link
        fedilink
        arrow-up
        8
        arrow-down
        2
        ·
        edit-2
        8 months ago

        I’ve been using snaps for a few years now and while they still could use some improvements, the snaps I’m currently using seem to be fairly indistinguishable from deb-based packaging thanks to bug fixes they have done over the years. I think the idea of containerized applications is a good one, I think it actually can be safer. Performance is also fine for me with snap applications even like Firefox snap startup speed, although I’m using an R9 5900x and Gen 4 M2 NVMe SSD so maybe that’s why, or maybe they really have improved the snap software and it is just as fast now for the most part.

        • ben_dover@lemmy.ml
          link
          fedilink
          arrow-up
          5
          ·
          8 months ago

          I’ve had to swap Firefox on my laptop for the deb package, the snap took like 5sec to open, whereas the deb opens instantly. Other than that, i don’t see much of a difference, but i run into sandboxing issues quite often (same with flatpak though)

          • ipkpjersi@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            8 months ago

            I had a “Save As” issue in Firefox snap where it just wouldn’t be able to save pages, but since upgrading to either Ubuntu 20.04 or 22.04 (can’t remember which version fixed it), that problem has gone away entirely.

    • ___@lemm.ee
      link
      fedilink
      arrow-up
      4
      ·
      8 months ago

      The problem for me is portability. Flatpak, Snap, Appimage, docker, podman, lxc, they all do the same thing, but they’re splitting the market into “servers” and “desktops”.

      We need a portable container runtime we can build from a compose file, run cli or gui apps, and migrate to a server with web app capability displaying the UI. There are too many build targets, and too much virtual market segmentation.

      Nix tries to solve the issue, but the problem is you have to use Nix.

    • Richard@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      5
      ·
      8 months ago

      True. Actual package managers are still thousands of times superior to flat and snap.

      • Pantherina@feddit.de
        link
        fedilink
        arrow-up
        5
        ·
        8 months ago

        That scentence makes little sense as both are using package managers that work similarly. Flatpak even uses ostree which is more advanced.

        • octopus_ink@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          8 months ago

          My thing (I’m not the guy you replied to) is all the various user-facing complaints that I tend to see in these discussions. I use a distro where I can get current versions of anything I’ve ever needed, and I know how to maintain my system.

          As a user, even if the various alternatives are fine most of the time, without concerns about security, integration, etc - I’ve never read anything that would make me want the additional complication. (I say this recognizing that there are security concerns regardless of how you get your software - I’m not saying these new solutions are inherently worse in that regard.)

          I suppose at some point I’ll want or need to embrace flatpak/appimage/snaps, but I can’t find any reason I’d do so now - it feels like it increases the number of gotchas I need to worry about when installing software without actually giving me anything I want that I don’t already get with my “legacy” package manager.

          • Pantherina@feddit.de
            link
            fedilink
            arrow-up
            2
            ·
            8 months ago

            We dont live in such a perfect world. Linux has a small marketshare for non-server software, so packaging is done by your distro.

            You would need to have user-facing settings for Apparmor or SELinux to replicate what already exists with Flatpak.

            Principle of least privilege.

            Maybe you prefer native packages, but bubblejail or SELinux confined users are complicated as hell and both are pre-alpha in my experience.

            So yes you add bloat, dependencies etc. But you also add stability, a small core system, take load of OS developers and unify the packaging efforts so that it is done by developers not packagers.

            This reduces complexity a lot, as the underlying system is not as important anymore, and you can just use whatever you want. Software is separated from the OS.

            Flatpak is the only good format, as explained in this talk

            (Snap has no sandboxing outside of Ubuntu and is thus not portable, Appimages are inherently insecure)

            • octopus_ink@lemmy.ml
              link
              fedilink
              English
              arrow-up
              2
              ·
              8 months ago

              I will check out the video, thanks! I still say you can have the aur and arch repos when you pry them from my cold, dead fingers, but I’m openminded.

  • Empricorn@feddit.nl
    link
    fedilink
    English
    arrow-up
    28
    arrow-down
    2
    ·
    edit-2
    8 months ago

    Maybe adding a proprietary *layer to an open-source OS was a bad idea (for end users)?

  • eveninghere@beehaw.org
    link
    fedilink
    arrow-up
    13
    ·
    8 months ago

    I have this unpopular thought: If I had to choose between Canonical’s Snap Store and Apple App Store…

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    8 months ago

    This is the best summary I could come up with:


    After repeatedly suffering issues with scam apps making it onto the Snap Store, Canonical maker of Ubuntu Linux have now decided to manually look over submissions.

    I’ve covered the issues with the Snap Store a few times now like on March 19th when ten scam crypto apps appeared, got taken down and then reappeared under a different publisher.

    Also earlier back in February there was an issue where a user actually lost their wallet as a result of a fake app.

    Multiple fake apps were also put up back in October last year as well, so it was a repeating issue that really needed dealing with properly.

    So to try and do something about it, Canonical’s Holly Hall has posted on their Discourse forum about how “The Store team and other engineering teams within Canonical have been continuously monitoring new snaps that are being registered, to detect potentially malicious actors” and that they will now do manual reviews whenever people try to register “a new snap name”.

    Hopefully this will begin to put an end to scam apps making it into the Snap Store and onto machines running Ubuntu and any other Linux distribution that enables Snap packages.


    The original article contains 238 words, the summary contains 195 words. Saved 18%. I’m a bot and I’m open source!

  • ikidd@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    1
    ·
    8 months ago

    Just remove the crypto bullshit apps and 99% of the problems will go away.

    And maybe release the SnapStore code so they can all scam each other over there.