Ubuntu Snap packages a security risk

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Ubuntu Snap packages a security risk

    Don't think I'll be installing a Snap package anytime soon.
    http://www.zdnet.com/article/linux-e...security-risk/

    The new Snap app package format is a headline feature of the new Ubuntu 16.04, touted by Canonical as a secure way of developing software that makes it impossible for an app to steal your data.

    #2
    Reading a little further the report says...
    Garrett says the key reason Snap offers little security on Ubuntu desktop is that it uses the X11 window system.
    So, does Ubuntu 16.04 have X11 or has it migrated to Mir? As I have not tested 16.04 at any stage of its development I don't know.



      #3
      As I understand it, Unity on the desktop is X11, on the phone it is Mir.



        #4
        Mir to my understanding is still a work in progress. Most systems still use X11. The same I believe can be said about Wayland.



          #5
          https://mjg59.dreamwidth.org/42320.html

          And his comment on the article in the OP:

          The format itself isn't a security risk. Snap is actually a great step forward in making it easier for people to use those third-party applications without having to give up security in the process, but until Mir (or Wayland) those benefits are mostly theoretical. The risk is that people may believe Canonical's claim that Snap packages completely isolate user data from third-party applications and make different decisions based on that. The precise details of the circumvention are pretty unimportant in this respect - what's important is that people are given the information they need to make appropriate decisions about how they treat third-party apps.
          The cnet headline is a little bit misleading.

          I could make a deb package of XEvilTeddy and it would do the same things without Snappy.

          It is the security claims by Canonical that are jumping the gun a bit until Mir is the default and does not account for X11 in those flavours that will use it.

          Last edited by claydoh; Apr 23, 2016, 10:58 AM.



            #6
            As I understand it any system that shares video is susceptible, X11, Mir and Wayland.
            Since the application has access to the X11 window server it has access to the facilities in it including monitoring keystrokes and mouse gestures sent to other X11 applications.
            Therefore a "snap" can be/house a trojan.
            The security issue has very little to do with Snap.



              #7
              No, it seems, at least in theory, that Mir and Wayland won't have the issue as it is explicitly X11 that is the security problem (as it always has been). Mr. Garrett's main complaint seems to be Canonical advertising snappy itself as the secure thing.

              At least for Wayland (Mir should be similar as it seems to be similar in this area):

              Security: Wayland isolates the input and output of every window, achieving confidentiality, integrity and availability in both cases; X lacks these important security features.[29][30] Also, with the vast majority of the code running in the client, less code needs to run with root privileges, improving security.[31]


              The source links in the section above are informative.

              Comment
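An added example, not part of any post in this thread and not snapd's own tooling: a shell check for the condition discussed in posts #5 to #7, listing the snaps whose `x11` plug is connected and noting whether the current session is X11. The sample `snap connections --all` output and the snap names in it are constructed; the session type is taken from `XDG_SESSION_TYPE`.

```shell
#!/bin/sh
# Added example: which snaps have a connected x11 plug, and is this an X11 session?

# Constructed sample in the column layout of `snap connections --all`
# (snap names are made up; a Slot of "-" means the plug is not connected).
SAMPLE_CONNECTIONS='Interface  Plug                 Slot      Notes
home       examplechat:home     :home     -
network    examplechat:network  :network  -
x11        examplepaint:x11     :x11      -
x11        examplechat:x11      :x11      -
x11        exampleedit:x11      -         -
wayland    examplegame:wayland  :wayland  -'

# Read `snap connections` output on stdin; print each snap whose x11 plug
# is connected to a slot, one name per line, sorted and de-duplicated.
x11_connected_snaps() {
    awk 'NR > 1 && $1 == "x11" && $3 != "-" { split($2, p, ":"); print p[1] }' |
        sort -u
}

# $1 = session type (normally $XDG_SESSION_TYPE); connections on stdin.
report_x11_exposure() {
    session=${1:-unknown}
    snaps=$(x11_connected_snaps)
    if [ -z "$snaps" ]; then
        echo "no snap has a connected x11 plug"
        return 0
    fi
    if [ "$session" = "x11" ]; then
        note="shares the session X server with other applications"
    else
        note="x11 plug connected (session type: $session)"
    fi
    printf '%s\n' "$snaps" | while read -r name; do
        printf '%s: %s\n' "$name" "$note"
    done
}

# Use live data when snapd is present, otherwise fall back to the sample.
connections=$(snap connections --all 2>/dev/null) ||
    connections=$SAMPLE_CONNECTIONS
printf '%s\n' "$connections" | report_x11_exposure "${XDG_SESSION_TYPE:-}"
```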
