this post was submitted on 20 May 2026
31 points (87.8% liked)

Debian 13:

$ uname -r
6.12.88+deb13-amd64

$ snap debug sandbox-features|grep confinement
confinement-options:  classic devmode

$ snap debug confinement
partial

$ aa-enabled
Yes

Ubuntu (24.04):

$ uname -r
6.8.0-117-generic

$ snap debug sandbox-features|grep confinement
confinement-options:  classic devmode strict

$ snap debug confinement
strict

$ aa-enabled
Yes

What does this mean, you ask? Well, basically every Snap package you thought was running isolated in its own little sandbox was running unconfined the whole time. The proprietary app you removed the :home connection from, so it wouldn't be able to access your home directory? Well, it could have exfiltrated all our private files in the meantime.

How is this not a bigger deal and how are Snaps ever to become mainstream when even today, more than 10 years after the introduction of snaps, you can't run them sandboxed on a huge portion of Linux distros?

top 30 comments
[–] adarza@lemmy.ca 2 points 47 minutes ago (1 children)

have you actually looked at a snap's status?

root@cave:~# lsb_release -d
Description:    Debian GNU/Linux 13 (trixie)
root@cave:~# uname -r
6.12.88+deb13-amd64
root@cave:~# snap debug sandbox-features|grep confinement
confinement-options:  classic devmode
root@cave:~# snap debug confinement
partial
root@cave:~# aa-enabled
Yes
root@cave:~# snap info --verbose hello-world
name:    hello-world
summary: The 'hello-world' of snaps
health:
  status:  unknown
  message: health has not been set
publisher: Canonical✓
contact:   snaps@canonical.com
links:
  contact:
    - mailto:snaps@canonical.com
license: unset
description: |
  This is a simple hello world example.
commands:
  - hello-world.env
  - hello-world.evil
  - hello-world
  - hello-world.sh
notes:               
  private:           false
  confinement:       strict
  devmode:           false
  jailmode:          false
  trymode:           false
  enabled:           true
  broken:            false
  ignore-validation: false
snap-id:      buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ
tracking:     latest/stable
refresh-date: today at 07:43 CDT
installed:    6.4 (29) 20.5kB -
root@cave:~# snap run hello-world.evil
Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
/snap/hello-world/29/bin/evil: 9: /snap/hello-world/29/bin/evil: cannot create /var/tmp/myevil.txt: Permission denied
root@cave:~# 
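
The disagreement visible in the listings above (the host reports `partial`, the snap's notes report `confinement: strict`) can be checked for every installed snap. This is an added example, not code from any commenter or from snapd; the function names and verdict words are made up here, and the `SAMPLE_*` text is constructed from the thread's listings.

```shell
#!/bin/sh
# Added example. SAMPLE_* values are constructed from the listings in this thread.
SAMPLE_FEATURES_DEBIAN='confinement-options:  classic devmode'
SAMPLE_FEATURES_UBUNTU='confinement-options:  classic devmode strict'
SAMPLE_INFO='notes:
  private:           false
  confinement:       strict
  devmode:           false'

# Print the "confinement:" value from `snap info --verbose` output on stdin.
declared_confinement() {
    awk '$1 == "confinement:" { print $2; exit }'
}

# Succeed if the "confinement-options:" line of `snap debug sandbox-features`
# output on stdin lists strict.
host_offers_strict() {
    awk '$1 == "confinement-options:" {
             for (i = 2; i <= NF; i++) if ($i == "strict") found = 1
         }
         END { exit !found }'
}

# classify HOST_LEVEL DECLARED: HOST_LEVEL is the output of
# `snap debug confinement`, DECLARED the snap's own confinement value.
classify() {
    case "$2" in
        strict)
            if [ "$1" = "strict" ]; then echo consistent; else echo mismatch; fi ;;
        classic|devmode) echo not-sandboxed-by-declaration ;;
        *) echo unknown ;;
    esac
}

# Run on a real host: one line per installed snap with its verdict.
audit_host() {
    level=$(snap debug confinement)
    snap list | awk 'NR > 1 { print $1 }' | while read -r name; do
        decl=$(snap info --verbose "$name" | declared_confinement)
        printf '%s\tdeclared=%s\thost=%s\t%s\n' \
            "$name" "$decl" "$level" "$(classify "$level" "$decl")"
    done
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

A `mismatch` line means the snap's declared level and the host's level disagree, as in the Debian listing; it does not by itself say which rules are still enforced.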

[–] Lemmchen@feddit.org 1 points 17 minutes ago

I tried running chromium, removing :home and was still able to save and open webpages in ~/test.html. However, this happened through the native file picker dialog.

[–] lagoon8622@sh.itjust.works 1 points 28 minutes ago

What is this, troll day? Nobody cares about snap bc none of us use it. It's a colossal fuckup and nobody cares about it

[–] chronicledmonocle@lemmy.world 2 points 1 hour ago

Who TF cares? If you want containerized apps, run Flatpak. There is no application packaged for Snap that I've not seen packaged for Flatpak, too. And Flatpak is better in basically every way.

[–] makingStuffForFun@lemmy.ml 10 points 7 hours ago* (last edited 7 hours ago) (1 children)

Thank the gods. Nobody wants that proprietary walled garden in Debian.

It's just a tool for Ubuntu to control, and maybe even sell itself one day to Goog's or MS or similar.

Don't want it in Debian.

[–] Lemmchen@feddit.org 1 points 6 hours ago (1 children)

It's not proprietary, though.

[–] mikey@sh.itjust.works 8 points 6 hours ago

Last time I checked the Snap Store was proprietary. While you could modify the Snap client, you can't host your own store and you're at the whims of Canonical for which apps you can get.

Meanwhile, both the Flatpak client and server are open, and you could (and some distros do) host your own repo. For example, Fedora has its own repo for Fedora-packaged Flatpak apps alongside Flathub.

[–] pogmommy@lemmy.ml 15 points 14 hours ago

I mean I get the concern but I'd be surprised if even 1% of Debian users had any interest in running snaps

[–] hendrik@palaver.p3x.de 32 points 18 hours ago* (last edited 18 hours ago) (1 children)

If I had to guess, this isn't a bigger issue because Snap is mostly pushed by Canonical. And in a bit of a weird way (proprietary backend, exclusive apps) so... reception in the rest of the Linux community is ...mixed. To put it charitably. It's probably not that relevant for most people outside of Ubuntu ecosystem. And probably also not a priority for Canonical or the proprietary software vendors.

[–] comrade_twisty@feddit.org 24 points 18 hours ago (1 children)

Exactly! I don't understand why anyone in their right mind would use snap.

[–] hendrik@palaver.p3x.de 12 points 17 hours ago (1 children)

It may not be wise to use a Snap without first understanding the reputation/limitations of Snap.

seems the Debian documentation has pretty much your take on it 😅

[–] mecen@lemmy.ca 3 points 4 hours ago (1 children)

"Important note: Many users are wary of Snaps. Use at your own discretion. They update on their own schedule, and install files to nonstandard locations. It may not be wise to use a Snap without first understanding the reputation/limitations of Snap."

[–] hendrik@palaver.p3x.de 1 points 4 hours ago* (last edited 4 hours ago) (1 children)

Yeah. And I'd say with the SELinux problems and with what OP wrote, the security model including things like a failure mode to fall open, ...silently... There's more things to be wary of, than what they wrote in those 4 sentences.

[–] mecen@lemmy.ca 2 points 2 hours ago

There is also

Linglong which is a flatpak/snap/appimage alternative but I don't know its adoption on distros other than deepin

https://www.deepin.org/en/deepin-linglong/

[–] davel@lemmy.ml 25 points 18 hours ago* (last edited 18 hours ago) (2 children)

Hardly anyone but Ubuntu users use snap, because snap was created by Ubuntu, and their efforts to get other distros to adopt it never gained traction. Debian users are especially uninterested in using snap, and some people on Debian are ex-Ubuntu users who switched because they didn’t like snap.

[–] Slashme@lemmy.world 2 points 6 hours ago

Yeah, that tracks - I came back to Debian after a few years on Ubuntu, and even before I returned, I removed snap from my Ubuntu system.

[–] Kirk@startrek.website 4 points 17 hours ago

Yeah this is it. I like snaps just fine but I also like Flatpaks and well, everyone else is using Flatpaks.

[–] whatiswrongwithyou@lemmy.ml 16 points 17 hours ago

It’s not a big deal because the answer to the problem is “don’t run snaps”.

[–] Eggymatrix@sh.itjust.works 16 points 18 hours ago

Because snap is an absolute abomination and no one in their right mind is losing time maintaining it. If canonical wants to push their crap on debian too, they will need to put in the time to make it work. I really hope they are not making debian developers lose their precious time on this cancer.

[–] Buffalox@lemmy.world 7 points 16 hours ago* (last edited 16 hours ago) (1 children)

Snaps is something you drink.
AFAIK only users who have it shoved down their throat by Ubuntu use snap packages.

[–] MonkderVierte@lemmy.zip 2 points 14 hours ago* (last edited 14 hours ago) (1 children)
[–] Buffalox@lemmy.world 4 points 6 hours ago (1 children)

Yes, that's how it's pronounced after you drink it.

[–] MonkderVierte@lemmy.zip 2 points 4 hours ago* (last edited 4 hours ago) (1 children)
[–] Buffalox@lemmy.world 2 points 4 hours ago

It was a joke. 😋

[–] RIotingPacifist@lemmy.world 9 points 18 hours ago* (last edited 18 hours ago)

Because snaps is an Ubuntu thing, and not particularly widely used on Debian.

#rank  name        inst     vote     old      recent  no-files
2      util-linux  4000213  2110588  1172784  345252  371589
2258   snapd       19307    17314    846      1033    114

I actually don't understand what use case snapd on Debian covers better than docker on Debian or snapd on ubuntu

[–] placebo@lemmy.zip 5 points 17 hours ago

Companies are more likely to use Ubuntu instead of plain Debian or another Debian-based distro on their workstations. No one in this chain aims to bring snap packages to other distros and ensure that they work properly there.

[–] adarza@lemmy.ca -1 points 15 hours ago (1 children)

file a debian bug report against snapd.

[–] hendrik@palaver.p3x.de 0 points 4 hours ago* (last edited 4 hours ago) (1 children)

No need. It's already reported. And known since Dec 2019. 👀

#947325

[–] adarza@lemmy.ca 1 points 57 minutes ago (1 children)

i know that. i suggested the bug report because snaps themselves do report strict confinement even though snap debug doesn't list that confinement option's availability.

[–] hendrik@palaver.p3x.de 1 points 5 minutes ago* (last edited 1 minute ago)

Uh yeah. That is more information... Sorry, I'm not that familiar with Snaps. It looks to my untrained eye a bit like the report on the Snap itself, maybe it advertises to support running in strict confinement. Which it could... but doesn't do. (Like the other channels, which you could install, but didn't... It's kind of buried with that kind of information.)

It's confusing at least. And the user definitely wouldn't expect it from that wording. So I'd view it as a separate bug as well. And dropping confinement without notice would be the third thing, I'd consider a bug.