Snapstore installing problem


  • This topic has 12 replies, 6 voices, and was last updated Mar 19-5:45 pm by Robin.
  • #127954
    Member
    Vickykarthi@32

      sudo apt-get install snapd
      Reading package lists… Done
      Building dependency tree… Done
      Reading state information… Done
      Some packages could not be installed. This may mean that you have
      requested an impossible situation or if you are using the unstable
      distribution that some required packages have not yet been created
      or been moved out of Incoming.
      The following information may help to resolve the situation:

      The following packages have unmet dependencies:
      snapd : Depends: systemd
      E: Unable to correct problems, you have held broken packages.

      #127958
      Forum Admin
      anticapitalista

        snaps require systemd.
        antiX refuses to use systemd.

        Philosophers have interpreted the world in many ways; the point is to change it.

        antiX with runit - leaner and meaner.

        #127959
        Member
        Xunzi_23

          Would add, opening a snap package to inspect contents is difficult. Instructions are not freely available.
          Exploiting systems using that packaging system is a known problem, both due to programming errors and attacking
          developers/packagers.
          Do an internet search, you will find interesting reasons NOT to install snap crap.

          Snap is not a free packaging format. The snap store is as closed as Apple’s app store, it is the only
          distribution channel, hosted and controlled by buntu… Secure safe and really open. No way.

          #127963
          Member
          PPC

            antiX users (especially new ones) would do a service to themselves by at least searching the term they want in the unofficial antiX 23 FAQs (https://www.antixforum.com/forums/topic/unoficial-antix-23-frequently-asked-questions/):

            *Can I install Ubuntu repositories, PPA’s, Snap files or other Ubuntu specific software?
            Sure, it’s a free world. Install Ubuntu or any of its countless derivative OS’s.
            Install .deb files meant for other OS’s on antiX at your own risk, because you can harm your system.
            You can’t use Snap packages in antiX because they depend on the systemd init system, that antiX does not use.

            You would instantly have the answer to your question, without having to wait for someone else to answer you.

            EDIT: in this particular case, the Terminal even tried its best to explain the problem: “Some packages could not be installed. This may mean that you have
            requested an impossible situation”. It was right. It’s “impossible” to install snap support in antiX.

            NOTE:
            Probably, someone will eventually figure a way to extract the required files from snaps, and use them on any Linux system: https://www.theregister.com/2023/11/10/snap_without_ubuntu_tools/

            @Xunzi_23 – I think that snaps are, in fact, a “free packaging format” – the problem is the back-end: the “store” that Canonical implemented is closed source. From the above link, I suppose that someone with an Ubuntu system can download any snap and then make it available in any other OS – it seems it’s just a matter of uncompressing them (like we can do with .appimages)… And people are already trying to do that: https://unix.stackexchange.com/questions/560065/how-can-i-manually-download-a-snap-package-for-example-with-wget

            P.

            #127977
            Member
            Xunzi_23

              Thanks PPC, to open an appimage, it suffices in most cases to rename the package appimage.xyz.zip and unpack.

              Seems snap code is now available, for the experts who can read it.

              Fairly recent exploits used snaps with manipulated obfuscated contents and were delivered by the official store.
              As far as I am aware Clem Lefebvre is still protecting Mint users due to experience, I trust him far more than any
              press reports and as the content of snaps is more than just a program package they are very hard to check even
              unpacked.

              All the appimages I have opened to date have only necessary packages included and in majority of cases I run
              unpacked after checking. They also do not contain any update mechanism which can possibly load “special Versions”
              containing ransomware or other exploits.

              If users install snap they are outside of antiX as such and get no support from me.

              #127981
              Moderator
              Brian Masinick

                Yeah, about the only image formats I’ve had success with other than standard .deb packaging are the classic forms of tar archives (they work either compressed or not compressed; several different compression formats work, such as .gz, xz, lz4, which are the things we use). The other format that works for me is the AppImage format that Ungoogled Chromium offers as an alternative. Interestingly enough, when I tried the antiX s6 respin recently, I had to run modprobe and a few other things in order to get the image working but it does work. I tried Flatpaks a while ago; some of them work, but they are a pain in the behind. Didn’t pursue snap because these formats, which claimed and alleged to make packaging universal turned out to be a complete falsehood, so I didn’t try them for very long at all; the ONLY time I use ANY of the other alternatives is if I am giving one of the other distributions or operating systems a short run; it’s not like I keep very many of those systems around for long.

                So for the most part I’m sticking with the format I became familiar with in the early 2000s and have remained with distributions that use it – .deb.
                Snapstore? I have my reservations for the reasons I mentioned above, but then I saw “systemd” and right there I said to myself, “If I use them at ALL it sure WON’T be on my antiX distribution (and probably not at all, except perhaps a quick evaluation test, then removal!)”

                --
                Brian Masinick

                #137149
                Forum Admin
                anticapitalista

                  More reasons not to use snaps.
                  https://popey.com/blog/2024/03/exodus-wallet-part-three/

                  Philosophers have interpreted the world in many ways; the point is to change it.

                  antiX with runit - leaner and meaner.

                  #137155
                  Moderator
                  Brian Masinick

                    I tried Flatpaks a long time ago, and that was it for me; I cannot remember for certain; I may have tried one or two snaps and didn’t like them either; that was YEARS ago.

                    Besides .deb and .tgz, the one other format I will use, but only for a very few trusted applications is the AppImage format; that one seems to be OK – with the major caveat that FIRST the organization or individual must be well trusted, as should be the case before installing any software, including .deb and .tgz packages.

                    Thanks for the reminder, and an added caution to all – no matter what the format, make sure it comes from a trusted source, otherwise it’s better to wait until the source can be verified and validated.

                    --
                    Brian Masinick

                    #137156
                    Member
                    PPC

                      Sigh…
                      This is bound to happen, if any kind of “App Store” is big enough that hackers think it’s worth using as “bait” to their victims. I still think some kind of universal application store is the way to go to ensure Linux’s growth. I hope flatpaks are more careful with what they allow into their “store”- I remember reading something about them having “verified apps” there, so I just took a look at https://flathub.org/ – they do have “verified apps” with a small “check” that supposedly lets users know they are from legitimate sources.
                      Some apps are verified, like Firefox, Thunderbird, LibreOffice, and that’s nice, but very important apps, that access sensitive data (browsers like Chrome and Brave) are not yet verified- and that’s dangerous.
                      When my mind is ready for the effort, I’ll try tackling really manually installing a snap, without systemd or third party dependencies – I assume it can be done, and would allow antiX access to all that software – but it’s always the user’s responsibility, knowing what they download and install…

                      P.

                      #137161
                      Moderator
                      Brian Masinick

                        Right now I use one non .deb package – Ungoogled Chromium in AppImage format and that’s it.

                        --
                        Brian Masinick

                        #137172
                        Member
                        Robin

                          Why flatpak/snapstore/appimage & Co is not the future:

                          https://ludocode.com/blog/flatpak-is-not-the-future

                          Read and understand. I highly appreciate antiX doesn’t support this concept, under whatever name it comes.

                          And even if you don’t care for all the security issues raised by the bundle-all-libraries-to-the-executable-and-hide-it-in-a-huge-blackbox concept:

                          »If you install GIMP in Fedora 34’s Software store, it defaults to Fedora’s Flatpak of GIMP. This pulls in Fedora 35’s 650 MB runtime, not any freedesktop.org runtime. Nothing will be shared with our freedesktop runtime KCalc we installed from Flathub earlier. On my machine /var/lib/flatpak is using over 3 GB of disk space for just these two apps.

                          This is apparently working as intended. They want runtimes to be a free-for-all, filling your hard drive with gigabytes of custom junk for every app. I can’t imagine what system updates will be like in the future when you have a few dozen apps storing tens of gigabytes of runtimes that all want to be kept up to date.«

                          No way to ever use that kind of stuff.

                          Windows is like a submarine. Open a window and serious problems will start.

                          #137177
                          Member
                          PPC

                            @Robin – very nice article (that I just skimmed).
                            I agree with everything there – yes universal packages are bloated, they use lots of space, they can be unsafe, etc, etc… I never claim that flatpaks or appimages are perfect. What I say is that my personal opinion (based on what I know from the consumer market and basic human behavior) is that for a system to be successful, it has to have an easy way to access and install the most possible apps easily. Currently we have that, in antiX? Yes – we have access to the Debian repository, most applications available under Linux are there… but not all. There are apps that are only available in snap or flatpak (and I assume, also only in appimages) etc. There are apps that are available for Arch but not Debian, Debian but not Red Hat, etc, etc, etc.
                            Currently Linux has a market share of 4% of desktop computers. If we also consider closed source Linux OSes, like ChromeOS, and unidentified OSes, my guess is that’s almost 10% of all desktop users world wide. MacOS has more than that.
                            For Linux to be a success story in the desktop (like it is in the Server and mobile markets) we have to swallow our pride and consider closed source Linux-based OSes as being Linux, because they are a success story – they come included in the hardware, out of the box. The “average Joe” does not know how to install an OS. He hardly knows how to do something else other than pressing or clicking icons. The newer generations, with free access to the greatest repository of human knowledge in history basically are getting dumber: they take everything at face value: the earth is flat; the sun revolves around the earth, vaccines are dangerous untested, disease-causing ways of inserting magic GPS trackers that also manipulate our minds, ships capable of traveling across stars keep crashing into the USA, or being downed by simple fighter planes, etc, etc, etc…
                            Kids (man, I’m old, I mean people with less than 25 years or so) basically lived their lives with a tiny touch computer glued to their hands. Parents are leaving smartphones near 2-year-old babies’ beds so the kid wakes up at night and, instead of crying, picks the damn thing up and plays or watches videos.
                            The latest generation of humans, in most places on Earth, can’t do basic computing tasks, even living their whole lives using some kind of computers…

                            Linux can’t be successful if it has half a dozen main ways of installing apps, all incompatible with each other. I don’t mind myself. I love installing stuff from our Package installer, searching for stuff using apt and manually installing what I need, but I also love downloading UngoogleChromium and LibreOffice in a single file that I can just run. Why? Because it’s easy and convenient.
                            Also- one of the biggest “app stores” in the planet, Steam, dedicated to games, also runs in Linux. By now it has some 20.000 games or so, that run on Linux (that’s about the same number as 1/3 of all packages available in the Debian repository!). The problem with games? Most good games are commercial. We need a way to access commercial apps in Linux. This means that we can have package managers, but we require at least one other way, a universal way to easily install stuff on any kind of Linux, including, of course, games.

                            One possible way of having Universal apps? It’s already here… It’s called “web apps” – yes, Linux can run MS-365, MS Outlook, Skype, Netflix, HBO (or whatever it’s called now), even Adobe products – because their web apps are basically web pages, they run anywhere, including in Linux. But they tend to be heavy and “run” slow and require constant internet access, and that’s a problem on some hardware (that antiX aims at) or in parts of the world where connectivity is not a given… Oh, and users also have to pay every month, until the end of times…

                            No sane commercial software creators will create half a dozen of versions of their software just to sell to a market that’s not even 10% of all possible users. That’s why Linux has almost no commercial software. The world runs on FOSS? Yes it does. But it also runs on Commercial software…

                            Parts that I liked on the article @Robin recommended:

                            “Is Flatpak Fixable?
                            Here’s the thing. I actually think Bubblewrap, the sandboxing tool used by Flatpak (and now Steam), is pretty good. It’s the key technology to make app sandboxing good enough to compete with Android or iOS.”

                            “Personally, I’m much more interested in how to get Excel and Photoshop on Linux rather than untrustworthy drive-by apps and games, so I don’t really care about sandboxing, permissions, portals, app stores, alternate runtimes or really any of the stuff Flatpak does. Those are all counter-productive to convincing Microsoft and Adobe to port their software suites to Linux. Attracting these vendors will only happen by empowering them with a stable platform, not locking them in a box.”

                            P.

                            #137195
                            Member
                            Robin

                              but I also love downloading UngoogleChromium and LibreOffice in a single file that I can just run. Why? Because it’s easy and convenient.

                              Not the very best idea, really. Maybe easy, maybe convenient. But you are surfing the web with these versions way more unsafe than using the native versions installed by apt:

                              »About web-browsers coming in Flatpaks

                              Flatpaks are isolated from the system using Bubblewrap. Bubblewrap is a newer and much safer alternative to firejail. Bubblewrap not only isolates memory access, but also “system calls”.

                              One of these system calls is the creation of “unprivileged user namespaces”. So isolated containers in which apps or individual processes can run. User Namespaces means that apps without root access can create these containers.

                              User namespaces are blocked by Flatpak because they are often not needed and could exploit possible vulnerabilities in programs then made available to break out of the Bubblewrap sandbox and gain root access.

                              The Chromium Sandbox

                              As much as I like Firefox, it is significantly less secure than Chromium, especially on the Linux and Android operating systems.

                              Chromium uses user namespaces to run each tab in a separate process. They have a high focus on security, ironically that was always used as a “Chrome needs so much RAM” meme back then, without even understanding that Firefox is just crazy insecure.

                              (The RAM management has been aligned with Firefox. And Firefox has certainly gotten better, but it’s far too slow and not on Android)

                              (Comparable to how Linux kernel efficiency is glorified in Windows games. Sure, WINE is cool, but Linux puts every driver in the kernel, while Windows runs the drivers in isolation (a look at the task manager). That means all drivers for all hardware are in one big blob, and have full access to everything, including your cat.)

                              So, Chromium sandbox. It’s pretty cool because it’s essential that any malicious code doesn’t get to your browser passwords. Each tab runs in its own process.

                              (Please still use NoScript, also for privacy reasons. But there are also CSS exploits)

                              So what does Flatpak do? They use Zypak, a very experimental project that bypasses the Chromium sandbox to run Electron apps and Chromium browsers in Flatpak. It simulates the namespace sandbox, but isolates the processes in Flatpak sandboxes.

                              This is certainly useful for Electron apps that simply use Chromium, because it makes it easy to write platform-independently and with web libraries. But this means that the Chromium Sandbox will be replaced by the Flatpak Sandbox.

                              The reason for this is that Flatpak prevents system calls that are necessary for user namespace creation.

                              […]

                              WARNING

                              All Flatpak Chromium browsers, except Chromium itself, use Zypak instead of the proper sandbox and are therefore likely insecure.

                              Chromium probably has an alternative in flatpak, but this must also be assumed to be less secure than the official Chromium sandbox.

                              Firefox is officially supported and uses a different sandbox that is arguably more compatible with Flatpak filters. But there are no explanations from Mozilla about this, so it is also very untrustworthy.

                              Risks of user namespaces

                              User namespaces can pose a risk. This is de facto accepted, see:

                              Chromium Sandbox, ChromeOS
                              Docker
                              Podman
                              Flatpak’s Bubblewrap itself

                              However, there are problems because user namespaces allow processes to gain access to libraries and programs that they otherwise do not have. This can lead to privilege escalation.

                              https://www.crowdstrike.com/blog/crowdstrike-discovers-new-container-exploit/
                              https://nvd.nist.gov/vuln/detail/CVE-2022-1055
                              https://nvd.nist.gov/vuln/detail/CVE-2021-41805

                              That’s why the Fedora variant Secureblue has one with user namespaces and one without for each edition.

                              There they modified Bubblewrap to work without it, and Chromium uses a suid sandbox. This sandbox was used previously, is still included but is rarely used since all (?) Linux distributions now have user namespaces activated.

                              Conclusion

                              Currently only native browsers can be recommended. However, it may be that Chromium-based browsers will also become Flatpak secure in the future. However, until these are secured and officially supported, the native solution is recommended.«¹

                              Quotation originates (in German language) from an analyst in the Kuketz-forums, driven by a Professor of IT security at dual college (university) Karlsruhe.
                              His motto of blog and forum:

                              »I address issues that others don’t dare to speak out about and am a staunch advocate for IT security and data protection.«

                              So, never ever use browsers installed by Flatpak & Co. when surfing in the internet.

                              Windows is like a submarine. Open a window and serious problems will start.
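
A host-side check for the two sandbox foundations the quoted analysis contrasts (unprivileged user namespaces versus the setuid helper), given here as an added example that is not part of any post in this thread. The `unprivileged_userns_clone` switch exists only on Debian-family kernels; the helper paths and the `ROOT` argument (a prefix that lets the checks run against a constructed directory tree) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT is a hypothetical test hook that
# prefixes every path, so the checks can run against a constructed tree.

# read_knob FILE -> prints the first line of FILE, or nothing if unreadable
read_knob() {
    if [ -r "$1" ]; then
        head -n 1 "$1" | tr -d '[:space:]'
    fi
    return 0
}

# userns_status [ROOT] -> enabled | disabled | unknown
userns_status() {
    root="${1:-}"
    # Upper limit on user namespaces; 0 switches the feature off entirely.
    max=$(read_knob "$root/proc/sys/user/max_user_namespaces")
    # Debian-family switch for *unprivileged* creation; absent elsewhere.
    clone=$(read_knob "$root/proc/sys/kernel/unprivileged_userns_clone")

    if [ -z "$max" ] && [ -z "$clone" ]; then
        echo unknown
    elif [ "$max" = 0 ] || [ "$clone" = 0 ]; then
        echo disabled
    else
        echo enabled
    fi
    return 0
}

# suid_sandbox [ROOT] -> path of a setuid chrome-sandbox helper, or "none"
# Candidate locations are assumptions; adjust them to the installed package.
suid_sandbox() {
    root="${1:-}"
    for p in /usr/lib/chromium/chrome-sandbox \
             /usr/lib/chromium-browser/chrome-sandbox \
             /opt/google/chrome/chrome-sandbox; do
        if [ -u "$root$p" ]; then      # -u: file exists with the setuid bit
            echo "$p"
            return 0
        fi
    done
    echo none
    return 0
}

# sandbox_basis [ROOT] -> namespace | setuid | none
# Which of the two mechanisms a native Chromium could build its sandbox on.
sandbox_basis() {
    if [ "$(userns_status "$1")" = enabled ]; then
        echo namespace
    elif [ "$(suid_sandbox "$1")" != none ]; then
        echo setuid
    else
        echo none
    fi
    return 0
}

echo "unprivileged user namespaces: $(userns_status)"
echo "setuid sandbox helper:        $(suid_sandbox)"
echo "sandbox can build on:         $(sandbox_basis)"
```

A result of `none` means neither mechanism was found on the host, which is the case worth investigating before relying on a browser's own sandbox.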
