
Malware in Ubuntu's snap store, gives me inspiration


#1

I’ve been very dubious about “stores” where any old Joe (or Joanna) can submit their own packages, and indeed years ago when I evaluated Arch Linux because I found I had to rely on their community repo for the packages I wanted, I was left feeling less than comfortable…

On one hand you want a wide choice of packages, but on the other hand you want them provided from a trusted source both in terms of security and quality, this requires a small core of hard working and dedicated skilled people - and there is only so much they can do…

The (somewhat vague) idea I’m trying to evolve into some kind of more cogent idea that could inspire a web framework works(?) something like this…

There is a core of maintainers, who can push packages into the community repo without audit (core maintainers would do this to try out new packages before moving them to the core repo if they’re popular)

There is a larger group of auditing maintainers; if they wish to push a package (they haven’t authored) it needs to be okayed by themselves and one person, either in the audit or core maintainer groups

Audit maintainers can push packages they have authored, but that requires two okays, at least one from the core group

The general public can put together packages for auditing and hopefully acceptance to the community repo

Public members earn credits for getting packages accepted and submitting accepted bugs (but not on their own packages!). High scoring public members might be assigned sole authorship of specific packages (still requiring auditing) and over time be invited to become auditors

Auditors earn credits for auditing but can lose credit for packages they have helped audit that have bugs accepted against them (how this should be scored I’m not sure, as some packages are going to be more prone to bugs). High scoring auditors are possible candidates to become core developers.

Upgrades for packages should be preferred ideally (but not always) from their previous submitter and are scored and tracked as if new packages…

I’m hoping something like this could be automated, and would provide a reasonably safe and wider range of packages without putting too much extra onus on the core developers…
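One way the approval rules in the post above could be automated, as an added example that is not from this thread or from any real package store. Assumed here: roles come from a lookup table, a public submission needs the same bar as an auditor-authored package (two okays from auditors/core, at least one from core), and an author's own okay never counts toward their own package.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    CORE = "core"
    AUDITOR = "auditor"
    PUBLIC = "public"


@dataclass
class Submission:
    package: str
    submitter: str
    author: str
    approvals: set[str] = field(default_factory=set)  # who gave an okay


def can_publish(sub: Submission, roles: dict[str, Role]) -> tuple[bool, str]:
    """Return (allowed, reason) for pushing `sub` into the community repo."""
    submitter_role = roles.get(sub.submitter, Role.PUBLIC)
    # Rule 1: core maintainers push without audit.
    if submitter_role is Role.CORE:
        return True, "core maintainer: no audit required"
    # Only auditors and core members can give an okay; the package author
    # never counts as an approver of their own work (assumption, not in post).
    valid = {p for p in sub.approvals
             if roles.get(p, Role.PUBLIC) in (Role.AUDITOR, Role.CORE)
             and p != sub.author}
    core_oks = sum(1 for p in valid if roles[p] is Role.CORE)
    if submitter_role is Role.AUDITOR and sub.author != sub.submitter:
        # Rule 2: auditor pushing someone else's package needs their own
        # okay plus one more from the audit or core group.
        if sub.submitter in valid and len(valid) >= 2:
            return True, "auditor okay plus one other auditor/core okay"
        return False, "needs submitter okay plus one more auditor/core okay"
    # Rule 3 (and, by assumption, public submissions): two okays from
    # auditors/core, at least one of them from core.
    if len(valid) >= 2 and core_oks >= 1:
        return True, "two okays including one from core"
    return False, "needs two auditor/core okays, at least one from core"
```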


#2

Malware in Ubuntu’s snap store? :hushed:
Reference?


(oliver) #3

#4

@oliver Thanks for the link.

So funny…

/snap/$name/current/systemd -u myfirstferrari@protonmail.com

Well, this guy will have to wait to buy a Ferrari… :clown_face:


#5

Haha how true :smile: