Avoiding snaps in Lubuntu 22.04?

Hi all, :wave:

as Lubuntu 20.04 reaches EOL next April my plan was to do a fresh install of Lubuntu 22.04 by then.

Alas, taking a look at Lubuntu´s package-list for version 22.04 LTS on DistroWatch.com: Lubuntu I sadly had to realize Lubuntu is making extended use of snaps. :frowning_face:

Don´t like them … but for other reasons than the often cited “they´re slow to open on first run”.
For me the important points are:

  • they don´t work with the firejail sandbox (I certainly wouldn´t give up using firejail for the “sandboxing” features of snaps)
  • snaps cost me too much of download data as the internal snap update feature cannot be turned off.

Well, I could (permanently) disable snap packages thus:

sudo systemctl stop snapd.service
sudo systemctl disable snapd.service

but

after a reboot they´d be automatically re-enabled. I´d have to mask the service with

sudo systemctl mask snapd.service

to make it reboot-safe. :wink:

Hmm, in this case I´d avoid unwanted and data-intensive snap updates but any programme installed as snap wouldn´t be available then.

I know there are still ways to install firefox, which is installed as a snap in 22.04, as a DEB package but now I found out there´s a bit more than just firefox:

Lubuntu (7 items) - DistroWatch.com: Lubuntu

• snap:bare stable
• snap:core20 stable
• snapd 2.55.3+22.04
• snap:firefox stable/ubuntu-22.04
• snap:gnome-3-38-2004 stable/ubuntu-22.04
• snap:gtk-common-themes stable/ubuntu-22.04
• snap:snapd stable

Initially I was of the opinion it was just firefox which had fallen victim to snap. But what about the gnome package or the gtk-common-themes …?

Seems a little bit more is snap-dependent. :angry:

So my question is:

Wouldn´t I run into problems if I completely turned off snap by masking the snapd.service? That would be huge then.

Many thanks for your help in advance and many greetings.

Rosika :slightly_smiling_face:

1 Like

Why use distrowatch to get a list of what’s found on a Lubuntu ISO?

Personally I’d go to the download site & look at what we include on our ISO, ie. https://cdimage.ubuntu.com/lubuntu/releases/22.04/release/lubuntu-22.04-desktop-amd64.manifest

Yes you’ll see the six snap packages we include

|snap:core20|stable|1405|
|snap:snapd|stable|15177|
|snap:firefox|stable/ubuntu-22.04|1232|
|snap:gnome-3-38-2004|stable/ubuntu-22.04|99|
|snap:bare|stable|5|
|snap:gtk-common-themes|stable/ubuntu-22.04|1534|

The package firefox has connections it requires; ie. (pasted from the snap connections firefox command is the following)

content[gnome-3-38-2004]  firefox:gnome-3-38-2004         gnome-3-38-2004:gnome-3-38-2004  -
content[gtk-3-themes]     firefox:gtk-3-themes            gtk-common-themes:gtk-3-themes   -
content[icon-themes]      firefox:icon-themes             gtk-common-themes:icon-themes    -
content[sound-themes]     firefox:sound-themes            gtk-common-themes:sound-themes   -

ie. the gnome-3-38-2004 & gtk-common-themes are required by firefox. They could be fully enclosed within the firefox snap, but sort of like how deb packages use depends rules for dependencies, snap packages can use connections to other common snap packages reducing the disk space you’re using them on your system (ie. less duplication), with gnome-3-38-2004 & gtk-common-themes being its requirements/connections.

We’ve had a post before (on this discourse where I used a different command to this thread to view connections, ie. grep default-provider /snap/firefox/current/meta/snap.yaml) that asked about removing firefox snap & even avoiding snaps; I commented about a test where I disabled snaps in testing, and had no issues with it, for the short time I lived with it (ie. merely days).

I did mention it left what I called a minefield, that I feared could hit come release-upgrade time (if not before, depending on what the user did), as there are a number of Ubuntu tools where snap packages are assumed for normal operation, and release-upgrade is one such example, however none of us really know the future, and coming upgrades could re-enable snapd & at worst, and you’ll find you need to disable/mask it again.

I’ve disabled snaps before on my systems (esp. those that lacked resources; ie. 2GB of RAM or less), but I never found I lived with that long, as I found reason to re-enable them again, usually within 1-2 months. Most of my usage/testing (in the months anyway) was on releases prior to jammy or 22.04 though, with my jammy testing being mere days.

I’m using a 2009 dell desktop, so my box is hardly loaded with spare resources, but I still find it useful on this box to have snap packages enabled. I’m also a Debian user (on a 2008 dell desktop), a system that comes without snapd or snap packages, yet I’ve added them there too, as they are a convenient solution to some problems, and the more choice I have the better I am.

As for snaps downloading & control; have you read Alan Pope’s articles on snapd, especially the ones written after he left Canonical? He provided a wealth of knowledge on such subjects. None of it really was new as had been documented before, but in a number of posts he combined information that had only been dripped out before to those who lived with limited/metered bandwidth etc. (example here)

3 Likes
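Added example, not part of the post above or of snapd: a small shell function that reads `snap connections` output in the column layout pasted in that post and lists the snaps acting as content providers for a given snap. The function name, the header row and the last two sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the snaps that provide "content" interfaces to a snap,
# i.e. the ones present as shared dependencies rather than as applications.

# The four content[...] rows are the `snap connections firefox` lines quoted
# in the post. The header row and the last two rows are constructed here to
# exercise the filter (a system slot and an unconnected plug).
SAMPLE='Interface                 Plug                            Slot                             Notes
content[gnome-3-38-2004]  firefox:gnome-3-38-2004         gnome-3-38-2004:gnome-3-38-2004  -
content[gtk-3-themes]     firefox:gtk-3-themes            gtk-common-themes:gtk-3-themes   -
content[icon-themes]      firefox:icon-themes             gtk-common-themes:icon-themes    -
content[sound-themes]     firefox:sound-themes            gtk-common-themes:sound-themes   -
network                   firefox:network                 :network                         -
content                   firefox:example-unconnected     -                                -'

# content_providers SNAP
# Reads `snap connections` output on stdin and prints, one per line and
# de-duplicated, every snap whose slot feeds a content plug of SNAP.
content_providers() {
    awk -v snap="$1" '
        # Only content interfaces express a snap-to-snap dependency.
        $1 == "content" || index($1, "content[") == 1 {
            split($2, plug, ":")   # plug column is "consumer:plugname"
            split($3, slot, ":")   # slot column is "provider:slotname"
            # An empty provider is a system slot, "-" is an unconnected plug.
            if (plug[1] == snap && slot[1] != "" && slot[1] != "-")
                print slot[1]
        }' | sort -u
}

# Demo on the sample above. On a live system:
#   snap connections firefox | content_providers firefox
printf '%s\n' "$SAMPLE" | content_providers firefox
```

Run against the quoted rows it prints the two provider snaps, which matches the explanation in the post that gnome-3-38-2004 and gtk-common-themes are there because firefox requires them.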

Hi Chris, :wave:

thank you so much for your detailed (and very quick) answer to my question. :heart:

Well, I was doing some comparisons as what other distros like Ubuntu Mate, Ubuntu proper, and Linux Lite have installed snap-wise. Therefore the quick reference to distrowatch.
But thanks a lot for the Lubuntu manifest link.

I see now - thanks to your explanation - that the other snap packages I was a bit concerned about are required by firefox. :+1:

I also read the link you provided (How to install firefox (non snap)). Thanks a lot for that.

Hmm, that might give me some cause for worrying.

I´m not so much worried about the release upgrade as I never choose the upgrade path. Every two years I perform a clean / fresh install. :wink:

It´s rather the “if not before” part that concerns me more…

Well, at least that would be doable.

Thanks for providing the link. I´ve just read it and it seems to provide some interesting insights.

From all I´ve learnt so far it seems getting rid of snaps in Lubuntu 22.04 is possible but there wouldn´t be a 100% guarantee for not running into any problems at all, right?

Thanks a lot for your help, Chris.

Many greetings from Rosika :slightly_smiling_face:

1 Like

What is the advantage of firejail over the sandboxing that snaps provide for free?

How much more download data do snaps cost you? And how are you calculating this?

Avoiding the Firefox as snap you have a lot more work and you are responsible to keep all the software up to date and secure.

To avoid all the additional work, I would simply use a distribution, which does not use snaps.

1 Like

You can follow my guide on how to install firefox. There in the replies i also posted how to remove snap and prevent it from coming back.

2 Likes

Hi all, :wave:

@apt-ghetto:

Uh, I can´t even begin to enumerate all the advantages firejail provides.
Arguably one of the best documented pieces of software (https://firejail.wordpress.com/) it´s highly configurable and you can provide the degree of isolation to your liking.

It comes with a huge number of preconfigured profiles for various apps and programmes; you can also build them yourself.

Using the --private option for the firejail command provides an insanely high security level for online banking, etc.
Can´t imagine how snap´s “sandboxing” could compete with that. Sorry. :frowning_face:

So to me snaps are not worth taking any risks,

Yes, sad as it is, this would seem my last escape then.

Can´t remember exactly. But I installed snapd in a Debian virtual machine for experimental purposes and the (unwanted) updates cost me quite a bit.
I looked it up with nload at the time.

For my daily driver I cannot afford such “nonsense” as my only internet connection is established via a 4G-stick which gives me 5 GB per 28 days. I´ll have to make do with that.

Thanks a lot.

@BasilCat:

Thanks.
You´re referring to How to install firefox (non snap) , right?
I´ve read it through. Perhaps there´s still a glimmer of hope left. I´d like to stick with Lubuntu - if at all possible - but it has to be snap-free.

Many greetings to all
Rosika :slightly_smiling_face:

2 Likes

Yes. It also works for other 'buntu flavours.

1 Like

@BasilCat:

Thanks for the confirmation. :heart:

1 Like

Yes, the “highly configurable” can be seen as an advantage. But complexity is often seen as enemy to security.

By the way, firejail is a giant suid binary (and written in C). There can’t go anything wrong, or can it?

And another by the way: Is CVE-2022-31214 fixed in your used firejail version?

A huge number of preconfigured profiles is useful, if you have installed a huge number of apps. If you only use Firefox with firejail, then one profile is enough.
Building own profiles is cool, if you know what you are doing. With a wrongly configured profile you feel secure, but are not secure.

How? On what exactly is the security of “online banking” based? Is it based on files on your hard disk? Or is it based on user identity and asymmetric and symmetric cryptography?

And why do you use online banking? You do not trust the Firefox snap (packaged and signed by Mozilla), but you trust a “Firefox .deb” from any third party (of course “protected” by firejail either from a third party source or from universe)?

Well, if you do not understand, how snap sandboxing works, how can you decide, that firejail is better?

In other words, you have no idea how to measure the download sizes of a .deb package versus snap package.

I do not want to convince you to use snaps (only you can convince yourself). But I try to make it clear, that your decisions are based on feelings and not on facts.

2 Likes

Hi @apt-ghetto, :wave:

thanks very much for your comments. :+1:

O.K… Point taken. On the other hand: is there anything (OS, binaries, programming language etc.) you can safely say of: it´s guaranteed not to go wrong ?

Seems so, yes. :wink:

cve-status
says:

CVE-2022-31214 – was fixed in 0.9.70, reported by Matthias Gerstner and Birk Blechschmidt

No, actually I use firejail for a variety of apps and programmes.

I make use of the --private-option when running falkon for online-banking:

firejail --private --dns=1.1.1.1 --dns=9.9.9.9 falkon -no-remote

Private Mode

Private mode is a quick way to hide all the files in your home directory from sandboxed programs. Enable it using --private command line option:

$ firejail --private firefox

Firejail mounts a temporary tmpfs filesystem on top of /home/user directory. Any files created in this directory will be deleted when you close the sandbox.

(Firejail Usage | Firejail )

It´s basically like a fresh install of the browser with no “legacy issues” whatsoever. No bookmarks, no history, no extensions etc.
… in a newly created strictly confined environment which gets completely deleted when closing the browser.

No idea how a snap-based browser would create such a scenario… :question: :face_with_raised_eyebrow:
I for one wouldn´t trust snap so far.

I´m afraid you got me wrong there.

I wasn´t talking about download sizes of the packages but rather of the “forced” updates whenever snaps are updated.
Snap core alone cost me a lot of data if I can remember correctly (don´t know exactly how much). But I was very angry at the time. :angry:

For people having to deal with a limited amount of data allowance (per a certain period of time) it´s a huge thing.

Assuming each and every person in the world has a DSL connection with an unlimited data plan available is just not right.
Canonical forcing snaps and snap-usage on people thus borders on arrogance (on the part of Canonical) and I certainly don´t want to support or even encourage such a behaviour. :confounded:

Thanks a lot for your opinion.

Many greetings from Rosika :slightly_smiling_face:

2 Likes
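Added example, not from the thread or the firejail project: a shell check that compares the installed firejail's upstream version with 0.9.70, the release the cve-status quote above names as fixing CVE-2022-31214. The function names are made up here, and the check assumes `firejail --version` prints a first line of the form `firejail version X.Y.Z`; because a distribution package with a lower version number may carry a backported fix, a lower version is reported as needing a changelog check rather than as vulnerable.

```shell
#!/bin/sh
# Added example: is the installed firejail at or past the upstream release
# that the quoted cve-status page gives as the fix for CVE-2022-31214?

FIXED_IN="0.9.70"   # value taken from the cve-status quote in the thread

# version_at_least HAVE NEED -> exit 0 when HAVE >= NEED (version ordering).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# Reads `firejail --version` output on stdin, prints the bare version number.
# Assumption: the first matching line looks like "firejail version 0.9.72".
firejail_upstream_version() {
    sed -n 's/^firejail version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Reads `firejail --version` output on stdin and prints a verdict:
#   fixed-upstream VER   exit 0  upstream release already contains the fix
#   check-changelog VER  exit 1  older release, look for a backported patch
#   unknown              exit 2  version line not recognised
check_cve_2022_31214() {
    ver=$(firejail_upstream_version)
    if [ -z "$ver" ]; then
        echo "unknown"
        return 2
    fi
    if version_at_least "$ver" "$FIXED_IN"; then
        echo "fixed-upstream $ver"
        return 0
    fi
    echo "check-changelog $ver"
    return 1
}

# Demo on constructed version strings (not captured from a real system).
printf 'firejail version 0.9.66\n' | check_cve_2022_31214 || true
printf 'firejail version 0.9.72\n' | check_cve_2022_31214 || true

# Live check, only when firejail is installed.
if command -v firejail >/dev/null 2>&1; then
    firejail --version | check_cve_2022_31214 || true
fi
```

For a `check-changelog` result, the package changelog of the distribution (for example via `apt changelog firejail`) is the place to look for the CVE number.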

No, there is no such thing like a safe (better secure) program or application. But there are several risks to consider:

  • suid software is a risk. Cyber criminals try to find vulnerabilities in these kind of software, because if they can exploit a vulnerability, the impact is way bigger.
  • The bigger a binary/source code is, the more errors and vulnerabilities are there.
  • C is quite cool, easy to learn and also very near to hardware programming. Unfortunately it is very easy to make mistakes. It is though not always very easy to spot such mistakes, as not every mistake can be seen in “normal” usage.

You seriously use Falkon for online banking? Falkon is based on qtwebengine, which itself is based on Chromium’s webengine.

A quote taken from QtWebEngine - Qt Wiki

We do update to the latest Chromium version in use before a Qt release. After a release some bug fixes and security patches are backported. For LTS releases of Qt we might also update Chromium in a patch level release.

As you can read, “some security patches are backported”.

Now, you can investigate yourself, which qtwebengine and which falkon versions are part of the Ubuntu archive. And the fun continues, if you try to figure out, which webengine security fixes are part of these versions and which not. Good luck!

All of your examples are not really relevant for the security in online banking.

For online banking

  • keep all your software up to date (good luck with falkon)
  • use a strong and unique password
  • use 2 factor authentication, do not rely only on a password (better with a second device, not on the same device)
  • do not click on suspicious links
  • check the correct website and check also the certificate on the website
  • check your banking account transfers for suspicious behaviour

As you probably see now, firejail is not a big help in this regard. Firejail helps to prevent persistent threats and also does not allow you to store passwords on your disk.

A limited amount of data is a problem, but that is your problem and not a problem of snap itself. One main point of snaps is, that users have the newest software in a fast and reliable way. That has the “disadvantage” that some libraries are delivered several times on the same system. On the other hand, software is not restricted to the version of the “one and only system” library.

If snaps are using too much of your data, then you should choose a distribution without snaps. Or you can increase the data limit (either by paying more or by wisely choose a different provider). Or you can restrict your internet usage to the minimum.

You are free to choose an alternative to Canonical and Ubuntu. There are a lot of other distributions without snaps.

  • Gentoo is very cool, because you download only the source code and not blobs.
  • Or you can choose Debian, which is familiar to you.
  • Or you can also choose Fedora. Fedora has a big community and is up-to-date with most of its packages.
  • Or you can choose Arch Linux, but you will probably download more, as the packages are updated more often.
1 Like

Hi @apt-ghetto, :wave:

Thanks for your latest views on the matter.

I see. Well, that´s good to know.
After having had a of conversations with firejail maintainers I still put my trust in this sandboxing technique. It´s very well maintained and as you see your point

wasn´t valid any more.

Nevertheless it was good of you to point out the facts. Thanks. :+1:

That was just an example.
Of course running firejail instead of falkon for online banking purposes would be a better option. No doubt about that.
But that´s certainly not an argument against employing firejail, right? :wink:

Well, I beg to differ.

Certainly you cannot deny the fact that using the equivalent of a freshly installed browser (let it be firefox then) which had never seen any other site than the banking site before has some advantages (see firejail --private).

So running a snap firefox instance - when firefox had visited shady, untrustworthy and dangerous sites before - should be safer (or at least as safe) as running

firejail --private --dns=1.1.1.1 --dns=9.9.9.9 firefox -no-remote

Really :question: :question: :question: :dizzy_face:

Well, of course you´re entitled to your opinions. No doubt about that. And thank you for providing them.

I for one definitively won´t jump on the snap wagon - if it can be avoided. :wink:

But thanks a lot for the general advice regarding online banking. :heart:

Those are valid points indeed, and I´ve been following them all the time.

Well, that´s your opinion. But it´s certainly a strong plus-point for additional security.
I´m not so sure whether this could be said of snaps, really. :face_with_raised_eyebrow:

Not quite true:
Snaps force updates on us. What´s the point of having left WIN 10 or WIN 11 behind (with forced updates on a larger scale)
and changing over to a Linux-based distro if Ubuntu / Canonical seems to go in a similar direction :question:
I mean: You won´t expect any upright and decent behaviour from WIN, that´s clear.
But Ubuntu should be ashamed of itself. :angry:

Thanks a lot for the suggestions.
I´ll look into those possibilities.

Many thanks for your help and many greetings.

Rosika :slightly_smiling_face:

1 Like

No, I did not say, that firejail is bad. I said, that you should stop using Falkon, if you care about security.

To delete the history and cookies, you do not need firejail. You can delete the profile for the Firefox snap easily and then start Firefox.

From a security point of view, the snapped and firejailed “fresh” Firefox are pretty the same.

Sorry, this is a support forum for Lubuntu, not a conspiracy forum against Windows. And a little hint: Windows is an operating system and snaps are Linux app packages targeted at desktop, cloud and IoT systems.

And to go a bit off topic: I am quite sure, that you will be able to use snaps also on Windows (inside WSL) in the future.

1 Like

This isn’t a conspiracy - it’s well known that Windows Update is difficult, if not impossible, to turn off. They’re just upset about an automatic update eating massive amounts of network bandwidth out of nowhere, and frankly as someone who’s had to live with tightly metered connections, I agree with them. I have unmetered Internet now, and I burn through 5 GB in a sitting, not in a month. I have updates come through that eat over a hundred MB in one go - nothing to worry about for me, but it would potentially be a big deal if I had 5 GB for a month and was nearing the end of my data when Firefox decided to refresh out of what felt like nowhere.

What’s the difference between removing Snaps entirely, and going with a Snapless distro? Ubuntu provides benefits that I simply wouldn’t want to sacrifice for Debian or another distro even if I was in a data-restricted situation. Increasing a data limit might not be possible for a user with limited options as far as Internet providers (like me, who’s stuck out in the middle of the woods with only dial-up, horribly expensive satellite, or cellular internet as my options), and with 5 GB to work with, restricting Internet usage to a minimum might not work. Far better to shrink the size of updates IMO.

That being said…

@Rosika2 Do you live in the US by any chance? If so, you might look into https://calyxinstitute.org/ - I’m currently using their 4G Unlimited Hotspot membership as my sole source of Internet, and it’s working fantastic. They’re $50 a month paid 3 months at a time for unmetered Internet over cellular. Their service uses T-Mobile and Sprint, and successfully reaches all the way out to my middle-of-nowhere residence. I’m getting speeds of around 4-16 Mbps with them, though I sometimes get as much as 32 Mbps sometimes (I do have to put the hotspot in a window and have it in juuuust the right spot to get good speeds). My family generally uses 200+ GB in a month. It might work better than your Internet stick if you have T-Mobile cell coverage and are in the US or Puerto Rico. (I am not affiliated with Calyx Institute in any way, I just like their service.)

2 Likes

That’s simply not true. There are several ways to turn it off or to limit the downloads to important ones.

Mainly less effort and amount of additional work you have to “remove” snaps.
With a snapless distro you can use Firefox and/or Chromium without adding third party repositories.
And without snaps, you do not need to worry about snaps. To be fair, the majority of Ubuntu and Ubuntu flavour users do not worry about snaps, although they use snaps.

Ahhhh, the secret benefits of Ubuntu.

Hi all, :wave:

thanks for your latest comments. :heart:

@apt-ghetto:

Right. Thanks.

O.K. I didn´t know that. Good to know anyhow. :+1:
Still, firejail´s procedure seems easier, as everything is taken care of automatically when shutting down a running firefox instance (the --private option is great for this).

That may be true (at least to some extent) for a command like
firejail firefox
but
firejail --private firefox
certainly adds much to browsing more safely.

Wouldn´t go as far as to consider my statements regarding WIN as conspiracy…

That said I wouldn´t trust WIN as far as I can throw it. :angry:
… for a variety of reasons; but that´s not the point here, and doesn´t cover the topic discussed here.

I think everyone has made his/her point quite well and everyone is certainly entitled to his/her opinion. So I guess we will just have to agree to disagree on some points :smile: .

That said, the topic of this thread is “how to avoid snaps in 22.04”.
And @guiverc has already come up with some good suggestions and insights, as did @BasilCat. Thanks once more.

If anyone has more info regarding that matter I´d be all too pleased to deal with the subject again. :smile:

@ArrayBolt3:

Thanks a lot :heart:.

That was my understanding as well.

Quite right. One might call that: “outrageous behaviour” as well.
(Still now WIN-bashing, just the truth :wink:)

I fear that´s what it´ll come down to.
I´ve been using Lubuntu for six years now as my daily driver.
Not happy to have to let it go but as Lubuntu being a “slave” to Canonical (like so many other official derivatives) I think it would be best to look for alternatives. :face_holding_back_tears:

Like another user in another forum put it:

Every Ubuntu family niche OS Xubuntu, Kubuntu, all of them with buntu on the end, seem to have to follow what Canonical says, to stay in the Ubuntu family of Distros.
It is wrong in my opinion, as a lot of the other Buntu’s are actually better than the main Ubuntu itself.
[…] we cannot keep deleting or uninstalling Snaps because we don’t want to use it. There has to be a line drawn somewhere? […]
I was disgusted with Firefox being turned into a Snap […]

Thanks a lot, Aaron.

Many greetings to all.
Rosika :slightly_smiling_face:

1 Like

How many users have the desktop/firefox setup for more than one login?
All snaps do for the user is make a system harder to use.
Open source software doesn’t need that level of security IMO.

2 Likes

If you want another distro, highly recommend fedora with up-to date software.

1 Like

@bjlockie:
Hi James, :wave:

thanks a lot for your opinion.

@BasilCat:

Thanks for the suggestion; I´ll look into it.

Many greetings to all
Rosika :slightly_smiling_face:

I followed instructions on this link;

I have six 22.04 Lubuntu machines throughout my house and it worked with all of them. I didn’t like snap for a few reasons - one was, it was always heckling me with popups when it wanted to update, another was, some apps like my Plex server got broken. I never was much of a Snap fan anyway as it always gave me problems with other apps too.

2 Likes