Linux Mint 20 Blocks And Removes Snap Citing Backdoor To Canonicals SnapCraft Store
The popular Linux Mint operating system has decided to purge the snap package manager from its repositories and forbid installation of it. The motivation for this drastic move is that the upstream Ubuntu Linux distribution Linux Mint is based on will stealthily install snapd and use that to install Chromium from the Canonical-controlled SnapCraft instead of installing a regular Chromium package like most users expect.
Indian fans of the Linux Mint operating systems liked it so much that they opened a resturant in its honor.
The Ubuntu Linux distribution maintains several Long Term Support (LTS) versions of its distribution. Corporate customers expect to receive support and updates for older Ubuntu versions long after some of the packages in those LTS versions have been abandoned upstream. The result is that some packages, like the Chromium web browser, simply won't build against the libraries shipped with those older LTS versions. Canonical has "solved" that problem by shipping certain packages using the distribution-independent
snap package manager, which is closely linked to their SnapCraft store, instead of regular
.deb packages in the distributions regular repositories.
A practical of Canonical going with snap packages instead of regular packages is that a user who tries to install the Chromium web browser using the regular
apt package management system will get
snapd installed instead of Chromium.
snapd will then pull a Chromium package from the SnapCraft store and install that snap package instead of a regular package. This is not what most users expect.
Linux Mint is essentially Ubuntu with some graphics replaced and some tweaks applied which means that bad or controversial decisions by Ubuntu-owner Canonical are carried over to the Linux Mint distribution. This put the Linux Mint developers in a position where they, eventually, were forced to take a stand. Their decision, as announced in a blog post titled Monthly News JUNE 1, 2020 BY CLEM, states that:
"the Chromium package is indeed empty and acting, without your consent, as a backdoor by connecting your computer to the Ubuntu Store. Applications in this store cannot be patched, or pinned. You can’t audit them, hold them, modify them or even point snap to a different store. You’ve as much empowerment with this as if you were using proprietary software, i.e. none. This is in effect similar to a commercial proprietary solution, but with two major differences: It runs as root, and it installs itself without asking you."
This decision has some wider implications. As an example, the Flutter SDK Google and Canonical conspired to make capable of compiling native GNU/Linux applications is only available in the Canonical SnapCraft store. Most of the software developed using the Flutter UI/SDK will much likely only be available in the SnapCraft-store.
The Linux Mint team notes that they will document way to by-pass their
snapd in the release-notes. Linux Mint 20 users who really want a
snapd-infected operating system will be able to install the Canonical malware manually.
The decision to eradicate
snapd from Linux Mint 20 appears to be slightly controversial. The "Monthly News" blog post has 450 comments as of today - most of which praise the Clem and the Mint team for their wise decision. Richard Stallman would be pleased.