Hacker News new | past | comments | ask | show | jobs | submit login

It's probably not a surprise to you, but this is a hotly debated topic inside Canonical. And I apologize for that thread, as it really doesn't represent our best attempt at external debate.

Changing a paradigm usually involves pushing the envelope and breaking some existing assumptions; systemd is everybody's favorite example of that in the Linux world. The root of this issue with snaps is the trade-off between built-in security and user control. Some points to consider:

1. Browsers like FF and Chromium [on Windows] simply self-update, and disabling that requires configuration. So there is at least some precedent for taking the position that user applications should just update themselves. Server apps are more complex and are a strong argument counter to the existing behavior, as is the fact that many apps cannot be refreshed without user impact.

2. Ubuntu, since 16.04 LTS, ships with unattended-upgrades enabled, which means that for debian packages the default behavior is already auto-updating (although automated reboots are not enabled by default, as that would be crazy for the general purpose case). That feels like the correct default, too, given the risk of running code exposed to exploitable, public CVEs — and how reluctant users (like my dad and my wife!) are to click on "Install now" in the update-manager dialog.

3. Debian package updates run as root. Snap updates run in userspace, and confined. So in principle the risk exposure for snap updates is much smaller. And snaps do have an auto-rollback mechanism for failed updates [a]. Counter to that argument is the fact that snaps are meant to be under third-party control, and that there is no clear mechanism to separate security patches vs updates which you get with the debian pocket mechanism (i.e. focal-security vs focal-updates).

The lack of any official [b] means of user control over the snap auto-update mechanism feels wrong to many of us, including me. And while we may seem somewhat opaque in these debates, the feedback we get in threads like this one (and the snapcraft.io one) actually feeds into our decision making. So please do keep pushing on this topic and we'll do our part internally.

[a] See https://kyrofa.com/posts/snap-updates-automatic-rollbacks for a detailed guide on this topic. Of course, if your snap refreshes and you hate the new version, downgrading isn't quite always possible.

[b] There are ways to, hmmm, control auto-updating (i.e. refresh.metered, refresh.hold) if you really want to; that thread has a few. That doesn't help the debate, but I'm sharing in case someone has a technical need for it.




Sorry, but as a fellow Canonical employee, speaking from a throwaway obviously, it's evident to me that you're simply not telling the truth here.

You know just as well as I do that if you criticize Snap within the company, you get fired. Especially if Mark overhears you. There is no room for criticism. You either drink the koolaid or you shutup. So, no, sorry, we're going to keep pumping out Snap and those who don't fall inline will just fall out of the company. This is how we've always done these things, despite it failing repeatedly, and Snap is no exception. Actually, Snap is in particular no exception, given how hard it's being pushed by top level management.

[An aside from the main point of this comment: your point 3 is nonsense, and any security guy will tell you the same. For packages that the main sudo-ing user executes, sandboxed or not, there still is effectively no difference between that and root. Snap's sandbox is alpha quality at best, and major platform hurdles remain to make it capable of doing anything remotely useful. Say no to auto-updating snap backdoors. Please. There's a reason why Linux has thrived and benefited with its vetted-by-distros traditional package managers.]


OK, I've had breakfast.

First, has anybody actually been fired for criticizing snaps? Your comment seems to imply through hyperbole that we don't debate inside Canonical, but in my experience that simply isn't true. In fact, I've seen a lot more intense IC to CEO debate in Canonical than anywhere else I've worked. It's not always super constructive debate, but I don't know how much better it is in any relatively small organization with the broad impact Canonical has.

Second, debate and reflexion is how these positions get refined. An idea starts out crazy and radical -- "let's make an OS which costs zero and which anybody on the planet can figure out how to use!", or "Launchpad will only support bzr", or yet again "upstart, not systemd" -- but over time it evolves towards a place of greater consensus. So I don't think we're the destination for snaps; in fact, if these blog posts are only coming out now, it signals we are rather early in the journey.

Finally, I can understand creating a throwaway account to disclose something you're not comfortable with at your workplace, but it's not cool -- nor constructive, civil or all sorts of C words -- to create one to and start with "you're simply not telling the truth". C'mon, I'm your coworker.


I want to just say I appreciate your level-headed response to the anonymous poster.

Separately... "In fact, I've seen a lot more intense IC to CEO debate in Canonical than anywhere else I've worked."

As an outsider, this makes me wonder if the CEO is too involved in day-to-day operations. (And overriding the work of those with more expertise than himself.)


Just out of curiosity. How was the "debate" about disabling Flatpak support by default?


Hmm, let me think a bit about how to respond to your first paragraph.

But meanwhile, I'm curious about point 3 as you seem to have facts that I lack -- when a confined snap refresh runs through snapd, is the upgrade payload not executed entirely in userspace within the sandbox? I haven't looked at the code, but my understanding of the model is that the snap can only modify its own writable areas (and do stuff like add a symlink to /snap/bin, though that's also limited). So a snap update could't, for instance, modify arbitrary files, nor read restricted ones. Whereas a dpkg install can do anything as root. Can you help clarify?


> The root of this issue with snaps is the trade-off between built-in security and user control.

What this tells me is that I am not the kind of user you are targeting. I don't either need or want any such trade-off. I'm knowledgeable enough to make my own decisions about security; I don't need a third party to do it for me. So if your distro will end up insisting that I cede any control over what software runs on my machine to a third party, it's a nonstarter as far as I am concerned.

That may or may not change your overall strategy, and I emphasize that it's your decision either way and I would not have a problem if your response is simply: "Well, we are targeting a particular kind of user and that's just the way it is." (I would simply go find another distro to run.) But I think you need to be clear about what kind of users you are targeting and what kinds of control you expect those users to give up to third parties, so users know what they are getting into.

I also think that this idea of having third parties control the security of your computer is against the basic Unix/Linux philosophy, because the whole point of running Linux or some other variety of Unix is to opt out of the walled gardens and third-party controls that other operating systems that I won't name force users to accept. So if you're going that route, IMO you're going to have a tough time explaining to users why they shouldn't just go ahead and run one of those other operating systems instead.


Ubuntu does stand for a certain set of values; security built in and doing The Right Thing on the behalf of the end user are part of it. That does lead to certain distro semantics that I'm sure not everyone will like. And that's OK, we do appreciate that some people want to control more deeply what happens in the distro.

There is a whole other set of users that would prefer that Ubuntu kept out of their way administrative actions for which they trust the machine to handle. They are probably more silent because they are mostly OK with how things work. And I'll say that I'm not comfortable with everything about snaps so it's more of a spectrum than binary acceptance.

Snaps were invented because we had a problem. We wanted to make it easier for software publishers -- think games, desktop tools, browsers -- to deliver their software to Ubuntu users, but debs were both too hard and too powerful to make that a viable proposition. In the old days, people relied on archive.canonical.com [1] from which debs like skype were published, but it was unsustainable and led to poorly packaged and out of date software.

Regarding third parties, in the end, nobody in the community reads through the source code of every patch applied to binaries in their systems. There is a degree of assumed trust in any update. I accept that trusting Canonical is one thing and trusting third party publishers is another, but given the motivation I describe in the previous paragraph, the decision to use snaps wasn't made in a vaccuum.

[1] Which still exists, if you want to go and check out the pool for third-party binaries. All of those installed as root!


> We wanted to make it easier for software publishers -- think games, desktop tools, browsers -- to deliver their software to Ubuntu users, but debs were both too hard and too powerful to make that a viable proposition.

Is there somewhere--a blog post on Canonical's website, perhaps--that explains this in more detail? Off the top of my head I'm having a hard time seeing how snaps improve the situation, unless it's simply the "dependency hell" problem.

> nobody in the community reads through the source code of every patch applied to binaries in their systems

That's true, but irrelevant to the concerns of users like me. We aren't saying we insist on controlling when all updates are applied to our systems because we want to ensure that we have time to read the source code. We're just saying we insist on controlling when all updates are applied to our systems, period.

> There is a degree of assumed trust in any update.

Trusting that, for example, a particular update doesn't include malware is one thing. Trusting a third party to control when an update is applied to my system is something quite different. It seems to me that you are trying to conflate the two, which might be fine for some set of users (and, again, if that's simply the only set of users you are targeting, that's your call), but is not fine for me, nor I suspect for other users with similar concerns to mine.

> All of those installed as root!

Doesn't any update get installed as root? I certainly don't want system-level binaries installed to my user account; that would be a huge breach of security since my user would then have write access to them.


Let me point out: to me, auto-updating isn't even the crucial issue (I use unattended-upgrades as well, so whatever).

Yes, functionality and workflows around installation and updates are still insufficient for many use cases, but that could have been ironed out given enough time.

But what you messed up badly, IMO, was to force-migrate packages to Snap in an LTS release before it was ready.

Had you waited until Ubuntu 20.10, I'd have been more forgiving. But you (collectively) were so eager to get this in before the window closed for another two years.

If you had made Snap a compelling product, even LTS users might have voluntarily migrated to snaps once they saw how good it was. Now you've kind of pulled off the opposite.

Sadly the ship has sailed: Both in general, since you've pushed so heavily for Snap in a LTS release when it simply wasn't ready yet. And for me personally, where the forced installation of Snaps by some debs (notably Chromium) broke my trust significantly enough that I turned my back on Ubuntu after over a decade.

Not only is the Chromium Snap dog slow, it also can't see my NFS shares. So the snap version is objectively worse, at least for now.

But if I install a deb, I expect to get a deb. You don't want to offer it anymore, fine, take it out of the repo. But sneakily migrating me to a snap, and not even notifying me, is just trust-breaking.


>But if I install a deb, I expect to get a deb. You don't want to offer it anymore, fine, take it out of the repo. But sneakily migrating me to a snap, and not even notifying me, is just trust-breaking

Indeed.

We need to modify the age old saying:

"Computers do what you tell them to do, not what you want them to"

By applying the following patch:

"Computers do what you tell them to do, not what you want them to do - except Ubuntu 20.04 LTS"


That can't be right because it implies that computers with Windows 10 do either what you want or what you tell them.


The the very least there should be a simple way to turn off snaps entirely. As in, when installing do we want any snaps? If we don't, don't even install the snap ecosystem. After install, have I decided I don't want snaps? If so, uninstall the entire ecosystem.

Do these options currently exist?


The challenge is that a) we don't really want to (can't afford to, etc) maintain a forked package for everything which comes in snaps and b) snaps are really, really, much better for publishing and maintaining certain classes of application, in particular complex ones with hundreds of dependencies and a massive surface area, like a web browser. And users want web browsers, so the default is to include snaps.

In general, you can opt of snaps entirely and `apt-get remove snapd`, but you'll miss out on potentially critical components that are only available via snaps.


If there are ever any 'potentially critical components ... only available via snaps', many of us will bail to distros that don't have that weakness.

I don't use, but see the advantages of such packaging. But auto-updating software (FOSS or blob) brings-in it's own barrel of concerns. In the event of something 'critical', a -message- alerting the user ... who can then research and decide ... is far preferable.


I've not used Ubuntu but was about to search for a distro to put on a rebuild machine... I was considering Ubuntu up until I heard about this.

As a former Gentoo user, this whole Snap concept is a huge deal-breaker. I wouldn't consider Ubuntu for anything other than some thin-client/smart terminal/kiosk usage, and I'd still be wary of what gets pushed and what sort of potential holes might get opened.

> but you'll miss out on potentially critical components that are only available via snaps

REALLY shitty move.


> I wouldn't consider Ubuntu for anything other than some thin-client/smart terminal/kiosk usage

Until the snap maintainer of Qt decides to upgrade you out of version compliance with your compositor and... Well, hope your kiosk doesn't do anything critical...


You mention that snaps are really well suited for installing and updating large surface applications like web browsers. Then you say that by removing snapd you will opt out of critical components. If Canonical is using snaps for large third party applications so their maintainers can push updates without user intervention, why would it EVER use snaps for critical components? Like, wtf is that? If something is critical to my system, I need to decide when it is modified. The maintainers can't possibly know when that's okay. Using snaps for anything important is a serious regression.


I'd argue you can't just "apt-get remove snapd", when you push transitional apt packages that depends on snapd.

I understand the argument with browsers, but that does not justify the default on ubuntu-server. LXD being Snap-only really feels like force-feeding Snap.


You could give this a try combined with something like the ungoogled-chromium PPA:

    sudo apt-get autoremove snapd
    sudo apt-mark hold snapd
(I use apt-mark and some custom scripting to defer nVidia driver updates until system boot to ensure that they don't yank libGL function out from under me at an inopportune time.)

If it doesn't work sufficiently well when I'm ready to upgrade from 16.04 LTS, then I'm switching to Debian. (I'd intended to be on 18.04 LTS by now, but life doesn't always cooperate and I haven't found time to risk a day or two of squashing upgrade-induced bugs)


It sounds to me like the omission of an opt-out configuration is the entire technical problem. However, it sounds to me like the real irritant here is the presumption that omitting that configuration is in any way something that benefits the linux community. Defaulting it on is fine. The users who don't care to dive in, will then have it on, and the herd immunity to security problems is achieved. Telling long-time linux users that "what you want is wrong," is, shall we say, worrysome.


Why not at least have an option per install to control the update behavior?

I might want the latest Chrome and Firefox. But I don’t necessarily want the latest update to other applications.


I think this is a great suggestion, and I would also prefer that you could just permanently disable (via config, even if somehow discouraged) the default auto-update behavior.


> Changing a paradigm usually involves pushing the envelope and breaking some existing assumptions; systemd is everybody's favorite example of that in the Linux world.

At the risk of reigniting this particular flamewar, systemd changed that paradigm for the worse, using flimsy arguments that don't hold much water to anyone who knows better. Comparing snap to systemd doesn't exactly do the former a whole lot of favors.

> Browsers like FF and Chromium [on Windows] simply self-update

If I was okay with this being the norm then I'd still be using Windows.

> Ubuntu, since 16.04 LTS, ships with unattended-upgrades enabled

That's horrifying.

> and how reluctant users (like my dad and my wife!) are to click on "Install now" in the update-manager dialog.

Your dad and your wife are reluctant for good reason. Having experienced first-hand how prone Windows updates are to break things, and now seeing an admission here that y'all want to make Ubuntu more like Windows, this doesn't bode well in the slightest for a good user experience.

Like, one of the main points I make to people to convince them to at least try a Linux distro is "well unlike Windows it won't shove updates down your throat, and the updates are quick and easy and painless anyway". And then here comes Canonical wrecking the former assumption (and who knows how it's impacting the latter, but I don't exactly have high hopes).

Not that it matters much since I've given up on Ubuntu (in favor of openSUSE) in my recommendations to others (and switched to Slackware for my own use) ever since God-Emperor Mark chose to double-down on the Amazon Lens instead of listening to His users. Every once in awhile I take a look at Ubuntu again, hoping that maybe Canonical's figured things out, but always come away disappointed. It's always a bummer, given that my first distro was Ubuntu 7.10, and every once in awhile I'll fire that one up in a VM and remind myself what Ubuntu used to be, before it seemingly became a soulless husk of a distro.

But I digress.


This is a calm, measured perspective on a hot-button emotional issue. Thanks for that. :)


> Server apps are more complex and are a strong argument counter to the existing behavior, as is the fact that many apps cannot be refreshed without user impact.

Updates to non-server applications can also have a big user impact and there needs to be a way to avoid/delay them when you know you won't have time to deal with any potential fallout.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: