Snap uses Go -- is it safe?

I ran into a react-virtualization error installing Zotero from AUR, so I installed snapd and used that instead. But there have been security issues about Go, which it uses, and what Snap is doing behind the scenes is unknown to me. Is it safe? Do I have to set fire to my PC?

Lysol, definitely Lysol! (which may not be a brand name in whatever country you are from).
Snaps are probably the least favorite of the sandboxed application types. Personally, just give me native applications in my own filesystem.

Go is perhaps not the only concern [1], according to the Linux Mint people:

Although it is open-source, Snap on the other hand, only works with the Ubuntu Store. Nobody knows how to make a Snap Store and nobody can. The Snap client is designed to work with only one source, following a protocol which isn’t open, and using only one authentication system. Snapd is nothing on its own, it can only work with the Ubuntu Store.

They disallowed the snap store…

[1] https://linuxmint-user-guide.readthedocs.io/en/latest/snap.html

5 Likes

Personally, I’d go Flatpak. Snap is not something I’d ever use. Not that it’s not “safe”. It’s an Ubuntu/Canonical thing. And I prefer to stay away from that. Just my 2 cents.

4 Likes

I think snaps were a dumb idea and decision by Canonical and the reason why I used Mint before EOS.

Well, it depends how you see the thing. If it bothers you I would say that maybe it would be better for your feel of privacy. But if you don’t have an itch that makes you feel uncomfortable, then I don’t see a problem to use it.

The problem with the snaps is that they have to go through Canonical’s acceptance process before they go to the Store. And although I am (almost) certain that they don’t spy on me, I don’t like the idea that someone decides what I am “allowed” to install.

I used Ubuntu and Xubuntu for 12 years, until 2017, and Snap was the reason for my departure. Snaps always gave me unease and suspicion. I don’t know exactly why, but I do not trust Snaps, and any containerized app framework.

Me too, although I know why: Canonical is (or was?) known to call home a lot.
I’m leery of AppImages as well.
Not everything in the AUR has worked for me, so you gotta trust someone and I trust flatpaks simply because I hear nothing bad about them. They ain’t perfect, but in a pinch I used a couple.

As some others have mentioned, Go is not really my first issue with snaps .. not even close.

And if we are worried about Go .. you know what uses that? yay does.

So your general package management would be suffering the same issues if you use yay.

( And it is one of the reasons I prefer paru .. also more sanity in some other areas. )

Back to SNAP .. it has also been mentioned that the way snaps are distributed necessitates the use and trust of the SNAP Store. And while that has been given some attention, especially after bad press, it’s still not something I could trust. Not for some random ‘extra app’, and even less so for any position akin to a bedrock of my OS.

We have many examples of malicious code found in the snap store and any process of ‘vetting’ has been continuously shown to be inadequate - if/when it even exists at all.

https://www.bleepingcomputer.com/news/linux/malicious-package-found-on-the-ubuntu-snap-store/

Then we get to the technology/software of SNAPs themselves. There the story does not get any better.

So even just having SNAP around could itself entail a vulnerability.

And that’s not even getting to quality-of-life, performance, or other annoyances.

Especially considering there are better options even if one wants ‘containerization’, I have yet to imagine any scenario where SNAP would be preferable .. or even acceptable, really.

Yeah stay far away from SNAP! It’s slow and unsecure as stated above.

Snap is certainly unwelcome. Even when selecting (x) Ubuntu Server (minimized) when installing Ubuntu Server, snapd still gets installed :unamused_face:

It can be removed with:

sudo apt purge snapd

But I suspect it sneaks its way back onto the system with a major update, and so needs to be removed again. Not cool.

I thought the security of snaps was basically useless unless you were using Ubuntu’s kernel with the custom patches, so were snaps ever safe outside of Ubuntu?

Yes, hence my post. But…

I ran into a react-virtualization error installing Zotero from AUR

I have uninstalled all my snaps (using snap), including the core etc. and snapd, stopped and disabled snapd and the socket, deleted the snap directory under /var/lib/, deleted the symlinks and deleted the snap directory in my home directory. Thanks for the advice friends. I actually went through all this years ago (but not with Zotero) but naively assumed it would be OK now. I also dislike flatpak etc. I agree, I prefer to stick with pacman and yay.

So, I’ll figure out how to install Zotero and if not I’ll use Jabref instead. (I’ve used them both many times before.) I really liked Zotero though, because you could load a PDF and it would generate all the meta (no, not you Zuckerberg) data automagically.

1 Like

Zotero is available on AUR https://aur.archlinux.org/packages?O=0&K=zotero

I think the OP knew that since his leading sentence stated he got it from the AUR :slight_smile:

1 Like

The official tarball doesn’t work? https://www.zotero.org/support/installation#how_do_i_install_zotero

other tools

If worth for the effort & learning other tools…

1 Like

@shuvashish76 and others. OK, will do many thanks! :slightly_smiling_face:

Just to add, the Zotero installation guide is fine, but for EndeavourOS the symlink line you need is:
sudo ln -s /opt/zotero/zotero.desktop /usr/share/applications/zotero.desktop
assuming Zotero was unpacked into ‘/opt/zotero’
and then it works just fine.

1 Like

Well I’ve to admit that I’m running two snap packages and their dependencies.

  1. Nextcloud - installation, updates, backup and restore options are really comfortable
  2. Joplin - Joplin in the AUR and as a flatpak is outdated really often, the snap version gets updated faster

I never was into snap packages before using those two, but they simply work.
