• Pantherina@feddit.de
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        9 months ago

        That should be possible by changing the repos, shouldnt it? I will try this in a VM.

        Downgrading will be harder than rebasing from Ubuntu LTS to Debian Sid for example. But at the same time I imagine its easier to downgrade from Sid to Stable on the same Distro.

    • Dandroid
      link
      fedilink
      arrow-up
      6
      arrow-down
      2
      ·
      9 months ago

      Not the person you are replying to, but my server is on Ubuntu. It was the distro my work used and it was probably the only distro I had heard of at the time I set up my server. At this point I run so much shit that can never go down on my server that I will never consider touching the distro ever.

      Plus, who cares? It’s a server. I don’t interact with the distro. I only ssh in, run services through containers, and add port forwards. Every distro is identical for that stuff. I even prefer old kernel and package versions for ultra stability, as my server can never go down. Sure, Debian would be the same, but why touch it now? That’s just asking for headache.

        • Dandroid
          link
          fedilink
          arrow-up
          4
          ·
          9 months ago

          What about Ubuntu is more vulnerable? Ubuntu isn’t vulnerable to this newly discovered CVE.

          • delirious_owl@discuss.online
            link
            fedilink
            arrow-up
            3
            arrow-down
            1
            ·
            edit-2
            9 months ago

            Everything downloaded in snap is vulnerable because snap does not cryptographically verify all packages, unlike apt.

            Also Ubuntu has newer packages in apt than Debian, which is more dangerous.

            • lengau@midwest.social
              link
              fedilink
              arrow-up
              1
              ·
              9 months ago

              snap does not cryptographically verify all packages, unlike apt

              This isn’t correct. Run snap download htop from your terminal and you’ll receive two files: The actual squashfs image that gets mounted in /snap/htop/<revision number> and a .assert file that cryptographic signature data about this snap file. Modify the squashfs image and snap won’t let you install it without passing --dangerous to bypass that check, just like apt-get’s --allow-unauthenticated.

              The problem here exists at a different level: the level of what’s getting signed. Conceptually speaking, running sudo snap install htop is a bit like running sudo add-apt-repository ppa:maxiberta/htop && sudo apt install htop. The package is built by the owner of the snap/ppa, and what Canonical is cryptographically verifying to you is that they got this from the owner of the (snap|ppa). This is roughly equivalent to domain verification for HTTPS (the type of HTTPS certificates Let’s Encrypt uses).

              There are some different security considerations. For a snap, you need to be aware of the publisher each time you install something new. For PPAs, on the other hand, you only have to worry about this when you add a new PPA. However, the trade-off also works in the other direction. One snap can’t just replace another snap on your system, whereas a malicious PPA could provide, for example, a malicious libc6 update.

              These are both different (and lesser) assertions than what Ubuntu makes with its standard apt repositories. But they are still cryptographically backed.

                • lengau@midwest.social
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  9 months ago

                  I’m not sure if there’s a single document explaining all of that, but this document talks about snap’s assertions. I’m not entirely sure but I believe this file contains the main snapd business logic for actually checking these assertions.

                  On the PPA side I don’t even know whether there is documentation for this - it’s just the result of my understanding of how apt works and my own history creating PPAs.

          • woelkchen@lemmy.world
            link
            fedilink
            arrow-up
            2
            arrow-down
            3
            ·
            9 months ago

            You’re literally replying under a submission that’s about unreviewed malware that got accepted in their repo.

            • Dandroid
              link
              fedilink
              arrow-up
              4
              ·
              9 months ago

              Those are snaps. I don’t use those on my server. AFAIK, they’re mostly used for GUI applications. I don’t even have a GUI on my server. I wouldn’t even know how to install or run a snap from command line.

              Most things that run in my server are containerized services that I wrote personally. So as long as there isn’t a vulnerability in podman or my reverse proxy, and as long as keep my base containers up to date (they pull the latest base image each time the image is built), I’m mostly fine.

              • lengau@midwest.social
                link
                fedilink
                arrow-up
                2
                ·
                9 months ago

                I want to make something clear before I start: the person to whom you are replying is being quite toxic in this thread and I’m sorry you had to interact with them. (They’re also saying a bunch of incorrect stuff.)

                That said - I personally have more non-GUI snaps installed than GUI ones. Including in my homelab, where having the latest htop is very convenient and where I’ve got several actual server apps installed as snaps (postgres and plex being the first two that come to mind).

                • Dandroid
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  9 months ago

                  That’s good to know, and I had a feeling I was wrong about that.

              • woelkchen@lemmy.world
                link
                fedilink
                arrow-up
                2
                arrow-down
                3
                ·
                9 months ago

                Those are snaps. I don’t use those on my server.

                Just because you don’t use them doesn’t invalidate the earlier statement.

                • Dandroid
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  9 months ago

                  And that’s totally fine, but it doesn’t invalidate my claim that I don’t really care, because it doesn’t affect me. 🤷

              • woelkchen@lemmy.world
                link
                fedilink
                arrow-up
                3
                arrow-down
                1
                ·
                edit-2
                9 months ago

                It got accepted into ALL distros.

                WTF are you talking about? The submission is about malware in Ubuntu’s Snap repository.

                Lets see, it seems very likely that there is a lot more in xz

                You clearly didn’t read the article.

    • SuperSpruce@lemmy.zip
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      I use it because a class wanted me to either use it in a VM or use WSL but WSL didn’t work and I figured it was easier to set up a dual boot than setting up a VM since I’ve installed Linux quite a few times.