After repeatedly suffering issues with scam apps making it onto the Snap Store, Canonical maker of Ubuntu Linux have now decided to manually look over submissions.
Just run unsnap and experience actually secure apps.
Did you know that Snaps are only sandboxed on Ubuntu with Apparmor? This makes them more versatile than Flatpaks using Bubblewrap (the whole system is sandboxed like that) but will break all sandboxing if systems dont use Apparmor, or dont include all patches.
Yes. Now if you use apt to install Firefox or Thunderbird, it will reinstall snap and install the snap versions of those programs.
If you blacklist snap, it’ll throw an error when you try to install Firefox or Thunderbird cause it can’t resolve their “dependencies”.
You’ll have to install those programs from outside of Ubuntu’s repositories, and the list of affected programs is growing.
Ubuntu’s stated goal is to eventually use snap for all userland apps.
This thread is a good example of just how circlejerky and bubble like lemmy has become.
You are correct. Outside of the hard-core users and tech nerds, Ubuntu is massively popular. But you listen to this community, and you’d think the opposite.
Most of us do live in bubbles (not exclusive to lemmy or tech nerds). I first picked up Ubuntu in 2004. It was a massive leap forward at the time as Gnome was moving a lot faster than Debian stable and I was running Sid to keep up. I am genuinely surprised everytime I learn Ubuntu is still “popular” as they have made so many NIH misteps over the years (mir,upstart,unity,snap) and frustrated their users. I moved back to Debian years ago for server/dev as Ubuntu re-packaging wasn’t adding any value and once I was on another distro for desktop I lost all interest.
Ubuntu started off with some amazing community building. It felt more like a peoples distro than Canonicals for a time. I felt more invested in it in those days so I can relate to Ubuntu users but I also understand some of the criticism aimed at Canonical and their choices.
You are correct. Outside of the hard-core users and tech nerds, Ubuntu is massively popular. But you listen to this community, and you’d think the opposite.
So which part of the internet is Steam Hardware & Software Survey then?
The most popular Ubuntu version is at a whopping 5% of all Linux users.
Ubuntu went from the most popular desktop distribution to the most or at least one of the most popular container distributions, ie. for hard-core users and tech nerds. Meanwhile Steam Deck sold millions and I’m confident to say that a good chunk of the users have no idea what Steam Deck runs, let alone SteamOS being an Arch Linux derivative.
Very few linux installs include steam and this survey only represents a few thousand gamers. The only thing it shows is that steam users like steam os.
No, I’m not. Had you read my comments correctly, you’d know that I was stating repeatedly that Ubuntu is popular for containers but that’s is a completely different topic.
That’s not a meaningful comparison because it splits Ubuntu by version but all of Arch is a single category. We’d need to roll up the Ubuntu users for it to be apples to apples.
You don’t honestly believe that, right? Like you’re aware that the Steam hardware survey only includes Steam users that have it installed and choose to participate in the survey? There are way more computers and servers running Ubuntu than there are steam decks.
Context is computers dual booting Windows and Ubuntu, so obviously consumer hardware and not servers and also not multiple containers on one device. There are millions of Steam Decks sold already and Steam Deck is consumer hardware which means that there are millions of individual devices running SteamOS.
servers running Ubuntu
Sure there are hardcore users that run dozens of containers simultaneously and Ubuntu is quite a popular choice among those. Completely different topic from the one I’ve replied to, though.
Steam numbers are completely meaningless. There’s absolutely no way SteamOS outnumbers Ubuntu even if we limit this comparison to desktop installs. Ubuntu’s been around for a very long time and many of its users wouldn’t show up on Steam because they don’t game.
If you look at just my household, Ubuntu and its derivatives outnumber SteamOS by a factor of 7:1, not even counting numerous VMs and containers, or 3:1 if you’re just counting desktops, laptops and tablets. But if you look at my steam usage, Ubuntu hasn’t shown up there in over a year.
I probably spend 10x as much time on Ubuntu machines as I spend on my Steam Deck, but the Steam hardware survey would never surface that fact, nor is it intended to.
As I’ve already explained to you elsewhere, that’s not how this works. You are the one who made the claim. The burden is on you to provide a good backing for said claim. When people asked for that backing, you provided something that does not back up that claim. It’s not on anyone else to provide an alternative claim, as that would be a variation of attempting to shift the burden of proof.
Personally, I’m not sure if good enough data to provide an answer to everyone’s satisfaction exists. But that doesn’t mean we get to shortcut the process by claiming that a data set means something it doesn’t. Some other data that one could theoretically provide that would be of similar quality to what you’ve provided (that is, decent quality data that measures something related but cannot be reasonably extrapolated to verify or falsify your claim) include:
Distro breakdowns from the Snap store (this would overrepresent distros with Snap preinstalled)
Distro breakdowns from Flathub (this would overrepresent distros with Flatpak preinstalled and flathub preconfigured)
Distro breakdowns from web statistics (this would underrepresent privacy-centric distros and hide the distro for people who, for example, use a flatpak of their browser)
That should be possible by changing the repos, shouldnt it? I will try this in a VM.
Downgrading will be harder than rebasing from Ubuntu LTS to Debian Sid for example. But at the same time I imagine its easier to downgrade from Sid to Stable on the same Distro.
Not the person you are replying to, but my server is on Ubuntu. It was the distro my work used and it was probably the only distro I had heard of at the time I set up my server. At this point I run so much shit that can never go down on my server that I will never consider touching the distro ever.
Plus, who cares? It’s a server. I don’t interact with the distro. I only ssh in, run services through containers, and add port forwards. Every distro is identical for that stuff. I even prefer old kernel and package versions for ultra stability, as my server can never go down. Sure, Debian would be the same, but why touch it now? That’s just asking for headache.
snap does not cryptographically verify all packages, unlike apt
This isn’t correct. Run snap download htop from your terminal and you’ll receive two files: The actual squashfs image that gets mounted in /snap/htop/ and a .assert file that cryptographic signature data about this snap file. Modify the squashfs image and snap won’t let you install it without passing --dangerous to bypass that check, just like apt-get’s --allow-unauthenticated.
The problem here exists at a different level: the level of what’s getting signed. Conceptually speaking, running sudo snap install htop is a bit like running sudo add-apt-repository ppa:maxiberta/htop && sudo apt install htop. The package is built by the owner of the snap/ppa, and what Canonical is cryptographically verifying to you is that they got this from the owner of the (snap|ppa). This is roughly equivalent to domain verification for HTTPS (the type of HTTPS certificates Let’s Encrypt uses).
There are some different security considerations. For a snap, you need to be aware of the publisher each time you install something new. For PPAs, on the other hand, you only have to worry about this when you add a new PPA. However, the trade-off also works in the other direction. One snap can’t just replace another snap on your system, whereas a malicious PPA could provide, for example, a malicious libc6 update.
These are both different (and lesser) assertions than what Ubuntu makes with its standard apt repositories. But they are still cryptographically backed.
Those are snaps. I don’t use those on my server. AFAIK, they’re mostly used for GUI applications. I don’t even have a GUI on my server. I wouldn’t even know how to install or run a snap from command line.
Most things that run in my server are containerized services that I wrote personally. So as long as there isn’t a vulnerability in podman or my reverse proxy, and as long as keep my base containers up to date (they pull the latest base image each time the image is built), I’m mostly fine.
I use it because a class wanted me to either use it in a VM or use WSL but WSL didn’t work and I figured it was easier to set up a dual boot than setting up a VM since I’ve installed Linux quite a few times.
They’re currently number 6 on DistroWatch’s Last 6 Months. So people are at least still interested in it.
The DistroWatch Page Hit Ranking statistics are a light-hearted way of measuring interest in Linux distributions and other free operating systems among the visitors of this website. They correlate neither to usage nor to quality and should not be used to measure the market share of distributions. They simply show the number of times a distribution page on DistroWatch was accessed each day, nothing more.
They simply show the number of times a distribution page on DistroWatch was accessed each day, nothing more.
Which can be manipulated by scripting or setting the browser’s home page to the DistroWatch page of a distribution. No way in hell is MX Linux actually popular.
Anyone using Ubuntu
I use Ubuntu.
Downvotes to the right mocking laughs to my face.
Ubuntu may be good at being semi-stable.
Just run unsnap and experience actually secure apps.
Did you know that Snaps are only sandboxed on Ubuntu with Apparmor? This makes them more versatile than Flatpaks using Bubblewrap (the whole system is sandboxed like that) but will break all sandboxing if systems dont use Apparmor, or dont include all patches.
But not voluntarily. Since it’s.integrated with apt you randomly get snap garbage installed instead.
Last I used Ubuntu, removing snap was a one time thing that took 5 minutes, of which 4 of them was looking for my notes from the time before.
I ditched Ubuntu, but it wasn’t because of snap. Maybe this has changed in the last 3 years?
Yes. Now if you use apt to install Firefox or Thunderbird, it will reinstall snap and install the snap versions of those programs.
If you blacklist snap, it’ll throw an error when you try to install Firefox or Thunderbird cause it can’t resolve their “dependencies”.
You’ll have to install those programs from outside of Ubuntu’s repositories, and the list of affected programs is growing.
Ubuntu’s stated goal is to eventually use snap for all userland apps.
Before the current itteration of my homelab I used Ubuntu. Never used snap tho.
People still use Ubuntu?
One of the top most used distros probably
This thread is a good example of just how circlejerky and bubble like lemmy has become.
You are correct. Outside of the hard-core users and tech nerds, Ubuntu is massively popular. But you listen to this community, and you’d think the opposite.
Most of us do live in bubbles (not exclusive to lemmy or tech nerds). I first picked up Ubuntu in 2004. It was a massive leap forward at the time as Gnome was moving a lot faster than Debian stable and I was running Sid to keep up. I am genuinely surprised everytime I learn Ubuntu is still “popular” as they have made so many NIH misteps over the years (mir,upstart,unity,snap) and frustrated their users. I moved back to Debian years ago for server/dev as Ubuntu re-packaging wasn’t adding any value and once I was on another distro for desktop I lost all interest.
Ubuntu started off with some amazing community building. It felt more like a peoples distro than Canonicals for a time. I felt more invested in it in those days so I can relate to Ubuntu users but I also understand some of the criticism aimed at Canonical and their choices.
True. I’ve always felt more at home in Ubuntu and its derivatives. Debian is quite nice too.
So which part of the internet is Steam Hardware & Software Survey then?
The most popular Ubuntu version is at a whopping 5% of all Linux users.
Ubuntu went from the most popular desktop distribution to the most or at least one of the most popular container distributions, ie. for hard-core users and tech nerds. Meanwhile Steam Deck sold millions and I’m confident to say that a good chunk of the users have no idea what Steam Deck runs, let alone SteamOS being an Arch Linux derivative.
Very few linux installs include steam and this survey only represents a few thousand gamers. The only thing it shows is that steam users like steam os.
Millions of sold Steam Deck units run Linux and default to Steam. It’s easily the most popular personal computing device running GNU/Linux out there.
So regular users, “outside of the hard-core users and tech nerds”.
i wonder how many old thinkpads are still running linux… Honestly, it’s possible some arbitrary single model may still outnumber steam decks.
I think you’re forgetting about AWS, GCP, Azure.
No, I’m not. Had you read my comments correctly, you’d know that I was stating repeatedly that Ubuntu is popular for containers but that’s is a completely different topic.
That’s not a meaningful comparison because it splits Ubuntu by version but all of Arch is a single category. We’d need to roll up the Ubuntu users for it to be apples to apples.
Like Windows, Ubuntu is installed by default on many computers. In my university, all the computers have a dual boot Ubuntu Windows.
Haha in mine they have Ubuntu stickers on them but no Ubuntu to be found.
SteamOS is installed on more computers, though.
You don’t honestly believe that, right? Like you’re aware that the Steam hardware survey only includes Steam users that have it installed and choose to participate in the survey? There are way more computers and servers running Ubuntu than there are steam decks.
Context is computers dual booting Windows and Ubuntu, so obviously consumer hardware and not servers and also not multiple containers on one device. There are millions of Steam Decks sold already and Steam Deck is consumer hardware which means that there are millions of individual devices running SteamOS.
Sure there are hardcore users that run dozens of containers simultaneously and Ubuntu is quite a popular choice among those. Completely different topic from the one I’ve replied to, though.
Steam numbers are completely meaningless. There’s absolutely no way SteamOS outnumbers Ubuntu even if we limit this comparison to desktop installs. Ubuntu’s been around for a very long time and many of its users wouldn’t show up on Steam because they don’t game.
If you look at just my household, Ubuntu and its derivatives outnumber SteamOS by a factor of 7:1, not even counting numerous VMs and containers, or 3:1 if you’re just counting desktops, laptops and tablets. But if you look at my steam usage, Ubuntu hasn’t shown up there in over a year.
I probably spend 10x as much time on Ubuntu machines as I spend on my Steam Deck, but the Steam hardware survey would never surface that fact, nor is it intended to.
No, I won’t because anecdotal evidence is no statistic.
No, they are an actual statistic, whereas you deniers just have gut feeling and literally nothing else.
[citation needed]
I don’t know if millions is as big a number you think it is
I don’t know the methodology, but this article from about a year ago estimated 40 million Ubuntu users. https://www.bleepingcomputer.com/news/security/almost-40-percent-of-ubuntu-users-vulnerable-to-new-privilege-elevation-flaws/
Which compares to what, 2 million Steam Deck sales? 3 million? And how many of them remain active users? Doubt it’s even double digit percent.
[Citation Needed]
Irrelevant Citation
Provide a better one or keep quiet.
As I’ve already explained to you elsewhere, that’s not how this works. You are the one who made the claim. The burden is on you to provide a good backing for said claim. When people asked for that backing, you provided something that does not back up that claim. It’s not on anyone else to provide an alternative claim, as that would be a variation of attempting to shift the burden of proof.
Personally, I’m not sure if good enough data to provide an answer to everyone’s satisfaction exists. But that doesn’t mean we get to shortcut the process by claiming that a data set means something it doesn’t. Some other data that one could theoretically provide that would be of similar quality to what you’ve provided (that is, decent quality data that measures something related but cannot be reasonably extrapolated to verify or falsify your claim) include:
I do
why?
Still in the process of moving my server from Ubuntu to Debian.
That should be possible by changing the repos, shouldnt it? I will try this in a VM.
Downgrading will be harder than rebasing from Ubuntu LTS to Debian Sid for example. But at the same time I imagine its easier to downgrade from Sid to Stable on the same Distro.
It works for me, and my tinkering times are behind me.
Not the person you are replying to, but my server is on Ubuntu. It was the distro my work used and it was probably the only distro I had heard of at the time I set up my server. At this point I run so much shit that can never go down on my server that I will never consider touching the distro ever.
Plus, who cares? It’s a server. I don’t interact with the distro. I only ssh in, run services through containers, and add port forwards. Every distro is identical for that stuff. I even prefer old kernel and package versions for ultra stability, as my server can never go down. Sure, Debian would be the same, but why touch it now? That’s just asking for headache.
Because its a server. And you want your server to stay online and not get hacked. that’s why
What about Ubuntu is more vulnerable? Ubuntu isn’t vulnerable to this newly discovered CVE.
Everything downloaded in snap is vulnerable because snap does not cryptographically verify all packages, unlike apt.
Also Ubuntu has newer packages in apt than Debian, which is more dangerous.
This isn’t correct. Run
snap download htop
from your terminal and you’ll receive two files: The actual squashfs image that gets mounted in/snap/htop/
and a.assert
file that cryptographic signature data about this snap file. Modify the squashfs image and snap won’t let you install it without passing--dangerous
to bypass that check, just like apt-get’s--allow-unauthenticated
.The problem here exists at a different level: the level of what’s getting signed. Conceptually speaking, running
sudo snap install htop
is a bit like runningsudo add-apt-repository ppa:maxiberta/htop && sudo apt install htop
. The package is built by the owner of the snap/ppa, and what Canonical is cryptographically verifying to you is that they got this from the owner of the (snap|ppa). This is roughly equivalent to domain verification for HTTPS (the type of HTTPS certificates Let’s Encrypt uses).There are some different security considerations. For a snap, you need to be aware of the publisher each time you install something new. For PPAs, on the other hand, you only have to worry about this when you add a new PPA. However, the trade-off also works in the other direction. One snap can’t just replace another snap on your system, whereas a malicious PPA could provide, for example, a malicious
libc6
update.These are both different (and lesser) assertions than what Ubuntu makes with its standard apt repositories. But they are still cryptographically backed.
You’re literally replying under a submission that’s about unreviewed malware that got accepted in their repo.
Those are snaps. I don’t use those on my server. AFAIK, they’re mostly used for GUI applications. I don’t even have a GUI on my server. I wouldn’t even know how to install or run a snap from command line.
Most things that run in my server are containerized services that I wrote personally. So as long as there isn’t a vulnerability in podman or my reverse proxy, and as long as keep my base containers up to date (they pull the latest base image each time the image is built), I’m mostly fine.
deleted by creator
I use it because a class wanted me to either use it in a VM or use WSL but WSL didn’t work and I figured it was easier to set up a dual boot than setting up a VM since I’ve installed Linux quite a few times.
Yes, just not the people who hang out on Linux communities on federated social media.
They’re currently number 6 on DistroWatch’s Last 6 Months. So people are at least still interested in it.
Which can be manipulated by scripting or setting the browser’s home page to the DistroWatch page of a distribution. No way in hell is MX Linux actually popular.
DistroWatch is extremely weird. Who actually uses MXLinux and all these obscure Distros?
Found the Arch user.
Did you just assume my distro?
For the record, I use Debian
Removed by mod