I came across this page recently: Why Ubuntu is the only supported distro · nextcloud-snap/nextcloud-snap Wiki · GitHub
How accurate is it? Should I avoid Snaps on, say, Fedora?
Makes sense because of the tight integration?
Yes. That wiki is accurate. Snaps works best on Ubuntu and this will remain true only for that distro for the foreseeable future.
It seems like their disclaimer is based on two points, this:
[1] Most non-Ubuntu distributions don’t have all the underlying security tech that snaps require (most of the time what’s missing is apparmor).
And this:
[2] but your kernel needs to be properly configured
On the first point, there are many other distros that use Apparmor by default (Most distros in the Debian/Ubuntu family), Some OpenSUSE variants, and with Arch there is no default but Apparmor is available.
On the second point, they don’t specificy but I believe they are referring to a Kernel patch that Ubuntu has been trying to get upstreamed for some time. It is available as a standalone patch for any distros that wants to implement it, but if it could be upstreamed all distros would benefit by default. There is a thread tracking progress and discussing the issue here
I believe you can use this command to check your own system setup (if you have snapd installed):
snap debug confinement
the desired output is “strict”
From my reading of the thread, there needs to be 1) a specific patched version of AppArmor present on the system in order for Snaps to be confined properly, which only Ubuntu and Ubuntu-derivatives have available in their repositories (or maybe this has changed) and 2) a set of kernel patches that Canonical has not managed to get upstreamed in over 4 (maybe as long as 7?) years.
I was interested in packaging my software with Snap, but if only Ubuntu and its derivatives will benefit and I’ll be putting other users at risk, it seems like only using Flatpak is the best option. I’ll also be sure not to install Snap on my own non-Ubuntu systems.
Thanks for the detailed run-down!
I just checked Debian and OpenSUSE Tumbleweed in a VM. In both cases snap reported partial confinement. Its unclear to me what level of security that provides, and if it is better or worse than traditional (unsandboxed) deb and rpm packages, or how it compares to Flatpak sandboxing.
If your goal is cross-distro and secure, I’d think that publishing both a flatpak and a snap (and getting them verified by both flathub and snapcraft) seems like the approach that would provide the most security by default for the most people. But of course that means you need to maintain both packages, and guide users towards the proper choice for their distro.
2 Likes