2

I reported a bug with LibreOffice (the 'official' bionic-upgrade version) and LO support person suggested upgrading to a current version from their site. They said I was using an old version.

I prefer to upgrade via 'Ubuntu Software' in an attempt to reduce risk (security and stability) so I looked there.

It caused me to wonder if the more up-to-date, snap version, which also appears in 'Ubuntu Software' alongside , is (more) trustworthy than the Canonical distributed one.

Basically, how much trust can be placed in snap of a provider? This obviously requires comparing it to the trustworthiness of Canonical Corp...!

p.s. Please don't simply suggest that I learn to read code and I won't suggest you learn DIY open heart surgery; humans specialise.

Little me
  • 115

2 Answers

2

https://readyspace.co.id/en/a-technical-comparison-between-the-snap-and-the-flatpak-formats/ gives an overview of Snaps and speaks to the security advantages. In part:

From the security perspective, snaps are isolated from the system using a combination of several mechanisms, including AppArmor, SecComp, cgroups, and others. By default, snaps cannot access resources outside their sandbox. Granular access is provided through interfaces.

Also, Snaps are distributed through a repository operated by Canonical. Since Canonical builds Ubuntu, the same level of security for Ubuntu itself should be provided to the users of Snaps.

Therefore, I conclude the security of a Snap-installed app is on a par with an app included with the original installation of Ubuntu, or an app installed or updated post-installation through Ubuntu Software, and the added sandboxing of a Snap can add to your system's security. Certainly it is more secure than an app installed by installing a downloaded .DEB or using a PPA.

https://www.darkreading.com/application-security/how-hackers-infiltrate-open-source-projects-/d/d-id/1335072 also adds a little insight:

In almost all open source projects, contributors must have their work vetted by other members before the code is accepted as part of the project. The level of review varies with the individual's reputation — as they become more trusted, fewer layers of review may be required. Especially in the larger, more well-known open source projects such as major Linux distributions, the procedures are well-defined and the labor pool large enough to enforce those procedures on a consistent basis.

K7AAY
  • 17,705
1

Most folks are familiar with the Ship Of Theseus question: If you replace all the parts, is it still the same ship? If you took all the original parts and rebuilt the original parts, which is the original ship?

This question about "safest" heads down some of the same meta paths. There are three alternatives, and they all arrive at the same location, but at different times.

When a high-priority vulnerability in --let's say-- LibreOffice 6.0 is disclosed and a patch created, the patch moves in several directions:

  1. The Ubuntu Security Team uses the patch, and issues a security fix without bumping the version number. Version 6.0 remains version 6.0, but the vulnerability is now gone.

    Under the hood, you can see this in the package version that apt sees: 6.0.7-0ubuntu0.18.04.10. It's not stock 6.0 (with the vulnerability) anymore.

    This patched package goes out through the -security pocket of the Ubuntu repositories, and most folks get it installed in the background without even noticing that anything changed.

  2. LibreOffice adds the patch to all their other changes and issues a new, exciting release a few weeks later: Version 6.1! Everybody should update! New security fixes!

    This update gets packed in the next release of Ubuntu, and gets pushed to Snap users. Example: Ubuntu 19.10 uses LO 6.3, and Ubuntu 20.04 is testing LO 6.4. The current LO snap is also 6.4.

    What the update hype does not mention is that Ubuntu users of 6.0 and 6.3 get most of the SAME security fixes as 6.4 users, right away (see #1 above). Their systems are just as safe as newer versions.

The upshot is that it doesn't matter which Ship Of Theseus you are standing upon. They all travel safely. Your choice of LTS Release/Interim Release/Upstream Release/Snap does not need to be based upon the criteria of safety. They are all safe. Your choice should be based upon convenience -- which kind you are most comfortable working with.

Admittedly, lots of folks (like that well-meaning LO support person) don't quite understand how Ubuntu security works. Their insistence that newer-is-better is understandable from the upgrade-hype, though still perhaps misguided. As long as you have -security enabled and Unattended Upgrades enabled, your 18.04 version of LO is SAFE. Just as safe as everybody else's newer versions and snaps.

user535733
  • 68,493
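Point #1 above is checkable on a running system: the upstream part of the version stays 6.0.7 while the Ubuntu revision counter advances and the package is served from the -security pocket. The script below is an added example, not part of either answer; the `apt-cache policy` text it parses is constructed sample output (real output for `libreoffice-core` carries the `1:` epoch prefix, which the parser strips), and the function names are the example's own.

```shell
#!/bin/sh
# Added example: split an Ubuntu package version such as 6.0.7-0ubuntu0.18.04.10
# into its upstream and revision parts, and read apt-cache policy output to see
# which pockets serve the installed build. SAMPLE_POLICY is constructed text.

# Print "<upstream> <revision>" for a version string, dropping any "1:" epoch.
split_version() {
    v=${1#*:}
    case $v in
        *-*) printf '%s %s\n' "${v%-*}" "${v##*-}" ;;
        *)   printf '%s\n' "$v" ;;          # native package, no revision
    esac
}

# Return 0 when the revision is a post-release rebuild for an Ubuntu series,
# e.g. 0ubuntu0.18.04.10: upstream is untouched, the trailing .10 counts uploads.
is_series_rebuild() {
    case $1 in
        *ubuntu*.[0-9][0-9].[0-9][0-9].[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read apt-cache policy output on stdin; print the pockets (bionic-security,
# bionic-updates, ...) that offer the installed version (the *** entry).
installed_pockets() {
    awk '
        $1 == "***"                  { in_installed = 1; next }  # installed entry
        NF == 2 && $2 ~ /^[0-9]+$/   { in_installed = 0; next }  # other version entry
        in_installed && $2 ~ /^http/ { sub(/\/.*/, "", $3); print $3 }
    '
}

# Return 0 when any pocket serving the installed version ends in -security.
installed_from_security() {
    printf '%s\n' "$1" | installed_pockets | grep -q -- '-security$'
}

SAMPLE_POLICY=$(cat <<'EOF'
libreoffice-core:
  Installed: 1:6.0.7-0ubuntu0.18.04.10
  Candidate: 1:6.0.7-0ubuntu0.18.04.10
  Version table:
 *** 1:6.0.7-0ubuntu0.18.04.10 500
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1:6.0.3-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
EOF
)

installed=$(printf '%s\n' "$SAMPLE_POLICY" | awk '$1 == "Installed:" { print $2 }')
set -- $(split_version "$installed")
echo "upstream=$1 revision=$2"
is_series_rebuild "$2" && echo "post-release Ubuntu rebuild (upstream version unchanged)"
installed_from_security "$SAMPLE_POLICY" && echo "installed build is served from a -security pocket"
```

On a real machine, replace `SAMPLE_POLICY` with `$(apt-cache policy libreoffice-core)`; a version whose revision is `0ubuntu1` and whose only source is the release pocket has received no post-release fixes.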