Canonical Addresses Ubuntu Linux Snap Store's 'Security Failure' (betanews.com)
Last week, an app on the Ubuntu Snap Store caused a stir when it was found to be riddled with a script programmed to mine cryptocurrency, a phenomenon whose traces have been found in several popular application stores in recent months. Canonical promptly pulled the app from the store, but offered little explanation at the time. On Tuesday, the Ubuntu maker addressed the matter in detail. From a report: The big question is whether or not this is really malware. Canonical also pondered this and says the following. "The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself. That perspective was indeed taken by the publisher in question here, who informed us that the goal was to monetize software published under licenses that allow it, unaware of the social or technical consequences," the company wrote in a blog post.
"The publisher offered to stop doing that once contacted. Of course, it is misleading if there is no indication of the secondary purpose of the application. That's in fact why the application was taken down in the store. There are no rules against mining cryptocurrencies, but misleading users is a problem," it added.
Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.
Dependency Hell.
Doing a make configure && make && make install (or whatever version you prefer) will often fail after a long time, realizing that there is one stupid library missing.
With RPM you can get the problem of recursive dependencies, where Package A needs Package B, which needs Package C, which needs Package A, and it is up to you to know which one to force.
Static binaries can get big, and also make doing a security patch near impossible.
Install scripts are often not well configured for your distribution.
App repositories, where the apps are configured and load in all the dependencies in the right order, as well as perform all the necessary distribution-particular configuration, have greatly simplified the process.
Although this particular occurrence had some bad code, when spotted and removed it was fixed, vs downloading it from the source, where the bad code was there to stay.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.