Canonical's Steam Snap is Causing Headaches for Valve

Timothée Besset, a software engineer who works on the Steam client for Valve, took to Mastodon this week to reveal: “Valve is seeing an increasing number of bug reports for issues caused by Canonical’s repackaging of the Steam client through snap”.

“We are not involved with the snap repackaging. It has a lot of issues”, Besset adds, noting that “the best way to install Steam on Debian and derivative operating systems is to […] use the official .deb”.

Those who don’t want to use the official Deb package are instead asked to ‘consider the Flatpak version’ — though, like Canonical’s Steam snap, the Steam Flatpak is also unofficial and not directly supported by Valve.

danielfgom, (edited)

The problem is that 3rd parties are doing the packaging both on Snap and Flatpak whereas if they had followed proper security practice ONLY THE REAL DEV should ever be allowed to package their app as a Flatpak or Snap.

This would ensure security, as well as a proper functioning flatpak/snap and also all feedback would be directed to the Dev.

I’ve never liked the fact that Canonical and whoever can make Snaps and Flatpaks of other people’s software. There is zero security guarantee, zero guarantee they’ll update it and zero guarantee it will work.

Just because Snap and Flatpak exist doesn’t mean just anyone should be able to just make them.

If Valve only chooses to make a deb then so be it! It’s their product!

anothermember,

The problem is that 3rd parties are doing the packaging both on Snap and Flatpak whereas if they had followed proper security practice ONLY THE REAL DEV should ever be allowed to package their app as a Flatpak or Snap.

Says who? If it were the case, Linux would either be a nightmare of fragmentation or become centralised on one distribution. Distros need to be able to package their own software, and these are kind of like distributions. Also since we’re talking about proprietary software here, is it really any better security practice if the “real dev” packages it or somebody else, they both could contain malicious code.

danielfgom,

Valve are not going to put malicious code on their app. Neither is VLC or any other FOSS developer.

The distros should stick to packaging their repo apps and leave the Snap/FlatPak tech as an alternative to the original dev if they decide they want to use that.

We can’t have Bob from nowhere packaging Valve, then not updating it or patching it because he doesn’t have time. Or 5 Bobs all doing the same thing with 5 copies of Valve on the Store.

It’s crazy. This is what causes fragmentation. Flathub should vet every app and if you are not the dev of the app, you may not host it on Flathub. You’re still welcome to make a Flatpak for home use on your own pc but not for wide distribution.

jyte,

isn’t that kind of what AUR is, and exactly what people love about arch ?

danielfgom,

Yes but if you use an Arch distro like Endeavour, they won’t support you with issues caused by AUR apps. Because of these reasons I mentioned.

anothermember,

Valve are not going to put malicious code on their app. Neither is VLC or any other FOSS developer.

How would you know that? It’s not like it’s something that doesn’t happen.

Or 5 Bobs all doing the same thing with 5 copies of Valve on the Store.

It’s crazy. This is what causes fragmentation.

I don’t know what snaps are like but that’s clearly a non-existent problem on Flathub.

Flathub should vet every app and if you are not the dev of the app, you may not host it on Flathub. You’re still welcome to make a Flatpak for home use on your own pc but not for wide distribution.

I don’t know why you feel like there’s permission involved. You don’t have to use Flathub, therefore Flathub can have what ever policies it likes. Users can set up a different flatpak repo if there’s a need.

danielfgom,

That’s not my point. I use Flathub but I try to only use verified apps which were packaged by the actual dev.

I’d rather get a deb from the official dev than a flatpak from flathub packaged by someone who is essentially anonymous and could easily inject malicious code.

If you think the dev himself could inject malicious code in the official app, then you should be super aware that an anonymous Joe can too, and is far more likely to.

Anyway, flatpak ideally was supposed to save Devs the work of packaging for every distro, so it makes sense that the real, actual, verified dev of the app would package the flatpak/snap himself.

NotJustForMe,

How is “the dev of the app” defined, exactly?

danielfgom,

The official Developer of the app. E.g. the official dev of Blender is blender.org. The flatpak people give them a line of code to embed in their website and they use that to verify that the dev really is blender.org and not a malicious actor.

OsrsNeedsF2P,

Wait until you find out how distro packaging works

Yearly1845,

deleted_by_author

    danielfgom,

    How so? How does ensuring that only the real dev of the app is the one allowed to package it hurt desktop adoption?

    It’s very easy to enforce. Flathub needs to verify the identity of the person submitting the Flatpak to make sure it’s the app’s dev uploading it and not Joe Smith or nsa.gov…

    merthyr1831,

    This is a big issue with Snap. It may be like Flatpak, allowing devs to set their own dependencies for ALL distros, but its poor uptake outside of Ubuntu’s ecosystem means that it’s no different to yet another distro repackaging system.

    Flatpak, or even Nixpkgs, are the future because they allow devs to have control over the distribution of their software. Snap being such a closed ecosystem in comparison only means it will replicate many of the problems we’ve found with traditional (re)packaging systems.

    mac,

    I can’t speak for Flatpak as I haven’t tried it but nixpkgs are beautiful to work with and configuration of my system has become completely reproducible in a clean format.

    merthyr1831,

    As a dev, you can just distribute a nixpkg with whatever build tool inside. That beats the current system of “native” packages where your software is repacked and then maintained by half a dozen teams for different distros that use different dependencies and update cadences.

    Bottles has gone as far as to demand its fedora package be removed and now shows a warning if you’re not using the flatpak version because repackers just don’t properly test all their software (how can they? there are thousands of apps in these repos!)

    mac,

    Yeah there are some issues with compatibility, I’ve found a couple of apps that error on my Mac.

    How does it compare to Flatpak?

    merthyr1831,

    nix is a “native” packaging format. Apps are compiled for your host OS and run in that environment with no restrictions, for better or worse.

    Flatpaks are containers. They provide a virtual OS to the application such as the file system, and accessing host OS features is done through “portals” which just means you can give/revoke the ability of the app to access your host OS resources such as networking, file access etc.

    Flatpaks are therefore much safer in theory. But Nix packages are lower overhead, and can interact like any built-in software binary that you’d have when you spin up a fresh install of, say, Debian.

    Nix packages are harder to use IMO thanks to their poor documentation and lack of GUI package manager support (not that it’s impossible, just that it’s been a niche system for most of its life), and since most people are accustomed to flatpaks and their permissions system (and the fact it comes preinstalled on most distros), flatpak is still pretty ubiquitous, even for NixOS users.
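    The comment above describes the Flatpak sandbox as something whose host access is granted and revoked per app. The script below is an added example (not code from the thread, from Flatpak or from Flathub) of how a defender would audit that: it parses the INI-style metadata Flatpak ships with an installed app (the same text `flatpak info --show-metadata <app-id>` prints) and flags the grants that reach outside the sandbox. The sample metadata is constructed for this example; the section and key names follow Flatpak's metadata format, but `org.example.BroadApp` and the runtime version are placeholders.

```python
"""Audit a Flatpak app's sandbox grants from its metadata file.

Added example. The [Context] keys (shared, sockets, devices, filesystems)
and the [Session Bus Policy] section are Flatpak's real metadata keys; the
app id and sample values below are constructed for this demonstration.
"""
import configparser

# Constructed sample of an app that has been granted broad host access.
SAMPLE_METADATA = """\
[Application]
name=org.example.BroadApp
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=all;
filesystems=home;host-etc;!xdg-config/secrets;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""

# Grants that largely defeat the sandbox, with the reason each is flagged.
BROAD_GRANTS = {
    "filesystems": {
        "host": "read/write access to the whole host filesystem",
        "host-os": "read access to the host's /usr",
        "host-etc": "read access to the host's /etc",
        "home": "read/write access to the user's entire home directory",
    },
    "devices": {"all": "access to every device node under /dev"},
    "sockets": {
        "x11": "X11 offers no isolation between clients (input and screen are shared)",
        "session-bus": "unfiltered access to the session D-Bus",
        "system-bus": "unfiltered access to the system D-Bus",
    },
}
# Being allowed to 'talk' to this bus name exposes the host-command portal
# (flatpak-spawn --host), so the sandbox no longer confines the app.
ESCAPE_BUS_NAME = "org.freedesktop.Flatpak"


def load_metadata(metadata_text: str) -> configparser.ConfigParser:
    """Parse Flatpak metadata; keys keep their case, ':' is not a delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(metadata_text)
    return cp


def parse_context(cp: configparser.ConfigParser) -> dict[str, dict[str, set[str]]]:
    """Return {key: {"grant": {...}, "deny": {...}}} for each [Context] key.

    Flatpak stores each key as a ';'-separated list; an entry prefixed
    with '!' is an explicit denial (for example '!home').
    """
    result: dict[str, dict[str, set[str]]] = {}
    if not cp.has_section("Context"):
        return result
    for key, raw in cp.items("Context"):
        grants, denies = set(), set()
        for entry in filter(None, (e.strip() for e in raw.split(";"))):
            if entry.startswith("!"):
                denies.add(entry[1:])
            else:
                grants.add(entry)
        result[key] = {"grant": grants, "deny": denies}
    return result


def audit(metadata_text: str) -> list[str]:
    """Return one finding per sandbox-weakening grant, in a stable order."""
    cp = load_metadata(metadata_text)
    ctx = parse_context(cp)
    findings = []
    for key, table in BROAD_GRANTS.items():
        for entry in sorted(ctx.get(key, {}).get("grant", ())):
            base = entry.split(":")[0]  # drop ':ro' / ':create' suffixes
            if base in table:
                findings.append(f"{key}={entry}: {table[base]}")
    policy = cp.get("Session Bus Policy", ESCAPE_BUS_NAME, fallback="none")
    if policy in ("talk", "own"):
        findings.append(f"session bus: {ESCAPE_BUS_NAME}={policy} allows running commands on the host")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_METADATA):
        print("WARN", finding)
```

    To run this against a real installation, feed it the output of `flatpak info --show-metadata <app-id>`. Grants it flags can be withdrawn for one app without touching the package, e.g. `flatpak override --user --nofilesystem=home --nodevice=all <app-id>`, which is exactly the give/revoke model the comment describes; the `!` entries the parser records are how such denials appear once written down.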

    boaratio,

    Good. Snap is an abomination.

    thecookingsenpai,

    Tbh I never found an app that runs better on snap than on deb.

    Same goes for almost anything like snap

    mlg,

    I’m really hoping this all forces Ubuntu out as the face of desktop Linux.

    It’s been pretty low tier for years now, and Canonical just proves corporate backing doesn’t guarantee a good distro.

    Snap is pretty garbage, default GNOME is horrendous, the repos break every other month, apt is still pretty lame despite being a user upgrade for apt-get, the packages are neither stable nor cutting edge, and they change core OS backends like every update, which breaks configs and makes documentation obsolete.

    I’d like to suggest Fedora as the new go-to, but I feel like it’s a bit too privacy and FOSS oriented, which may scare away new users.

    Debian is great but it doesn’t have latest packages which isn’t optimal as performance upgrades would take time to release or need to be manually installed.

    phr0g,

    Well, I’d prefer Canonical to fix their shit, instead of forcing immature products onto users. I’m not against snap per se, as there are valid reasons for sandboxing, especially for games (remember when Steam accidentally wiped some user’s home folders back in 2015? Sandboxing would have prevented that).

    However, in its current state, snap causes just too much friction. For example Firefox can’t remember the last used directory for up/downloads, Steam snap will just create a new data directory (forgetting about the games already downloaded), there’s no way to allow additional folders (like /net from autofs) in snap apps etc. It’s just a myriad of issues which make working with the system unnecessarily complex and frustrating, and there seems to be little progress fixing those.

    LeroyJenkins,

    unfortunately, industry loves shit like Ubuntu and RHEL because of their corporate backing. comps love having the insurance of someone to blame or somebody to fix their shit when things hit the fan. I’ve worked for many comps who choose RHEL for that alone. Should we choose the OS built by a bunch of randos in their basement, or something backed by Red Hat where I can just pay them money to handle my support tickets faster if shit blows up? or who tf do I have my cyber liabilities insurance guys sue if the OS has a huge fuckin problem? I want a company behind that shit.

    Zetta,

    Fedora is the best!

    (In my opinion)
