Avoiding snaps in Lubuntu 22.04?

Yes. It also works for other 'buntu flavours.

1 Like

@BasilCat:

Thanks for the confirmation. :heart:

1 Like

Yes, the “highly configurable” can be seen as an advantage. But complexity is often seen as an enemy of security.

By the way, firejail is a giant suid binary (and written in C). Nothing can go wrong there, or can it?

And another by the way: Is CVE-2022-31214 fixed in the firejail version you use?

A huge number of preconfigured profiles is useful, if you have installed a huge number of apps. If you only use Firefox with firejail, then one profile is enough.
Building your own profiles is cool if you know what you are doing. With a wrongly configured profile you feel secure, but are not secure.

How? On what exactly is the security of “online banking” based? Is it based on files on your hard disk? Or is it based on user identity and asymmetric and symmetric cryptography?

And why do you use online banking? You do not trust the Firefox snap (packaged and signed by Mozilla), but you trust a “Firefox .deb” from any third party (of course “protected” by firejail either from a third party source or from universe)?

Well, if you do not understand how snap sandboxing works, how can you decide that firejail is better?

In other words, you have no idea how to measure the download sizes of a .deb package versus snap package.

I do not want to convince you to use snaps (only you can convince yourself). But I try to make it clear that your decisions are based on feelings and not on facts.

2 Likes

Hi @apt-ghetto, :wave:

thanks very much for your comments. :+1:

O.K… Point taken. On the other hand: is there anything (OS, binaries, programming language etc.) you can safely say of: it´s guaranteed not to go wrong ?

Seems so, yes. :wink:

cve-status says:

CVE-2022-31214 – was fixed in 0.9.70, reported by Matthias Gerstner and Birk Blechschmidt

No, actually I use firejail for a variety of apps and programmes.

I make use of the --private-option when running falkon for online-banking:

firejail --private --dns=1.1.1.1 --dns=9.9.9.9 falkon -no-remote

Private Mode

Private mode is a quick way to hide all the files in your home directory from sandboxed programs. Enable it using --private command line option:

$ firejail --private firefox

Firejail mounts a temporary tmpfs filesystem on top of /home/user directory. Any files created in this directory will be deleted when you close the sandbox.

(Firejail Usage | Firejail )

It´s basically like a fresh install of the browser with no “legacy issues” whatsoever. No bookmarks, no history, no extensions etc.
… in a newly created strictly confined environment which gets completely deleted when closing the browser.

No idea how a snap-based browser would create such a scenario… :question: :face_with_raised_eyebrow:
I for one wouldn´t trust snap so far.

I´m afraid you got me wrong there.

I wasn´t talking about download sizes of the packages but rather of the “forced” updates whenever snaps are updated.
Snap core alone cost me a lot of data if I can remember correctly (don´t know exactly how much). But I was very angry at the time. :angry:

For people having to deal with a limited amount of data allowance (per a certain period of time) it´s a huge thing.

Assuming each and every person in the world has a DSL connection with an unlimited data plan available is just not right.
Canonical forcing snaps and snap-usage on people thus borders on arrogance (on the part of Canonical) and I certainly don´t want to support or even encourage such a behaviour. :confounded:

Thanks a lot for your opinion.

Many greetings from Rosika :slightly_smiling_face:

2 Likes
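As an added example (not part of any post in this thread): a small POSIX shell check that compares a `firejail --version` banner against 0.9.70, the release the quoted cve-status names as fixing CVE-2022-31214. The function names are made up for this example and the banner format `firejail version X.Y.Z` is assumed; a version below 0.9.70 is reported as needing a look at the distribution's changelog, because distributions may backport a fix without changing the upstream version number.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# 0.9.70 is the fixed release named in the cve-status quote above.
FIXED_UPSTREAM="0.9.70"

# Pull "X.Y.Z" out of a banner such as "firejail version 0.9.66"
# (the banner format is an assumption of this example).
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^firejail version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: succeed when dotted version A >= B, comparing each
# field numerically so that 0.9.8 sorts below 0.9.70.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        if [ "$a" = "$fa" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$fb" ]; then b=""; else b=${b#*.}; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# Map a banner to one of: fixed-upstream, check-distro-patches, unknown.
classify() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    if version_ge "$ver" "$FIXED_UPSTREAM"; then
        echo "fixed-upstream"
    else
        # Older upstream number: the package may still carry a backported
        # patch, so consult the distribution's changelog or CVE tracker.
        echo "check-distro-patches"
    fi
}

# Constructed sample banners, so the script is useful without firejail.
for banner in "firejail version 0.9.66" "firejail version 0.9.72"; do
    printf '%s -> %s\n' "$banner" "$(classify "$banner")"
done

# If firejail is installed, classify the real banner as well.
if command -v firejail >/dev/null 2>&1; then
    printf 'installed: %s\n' "$(classify "$(firejail --version 2>/dev/null)")"
fi
```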

No, there is no such thing like a safe (better secure) program or application. But there are several risks to consider:

  • suid software is a risk. Cyber criminals try to find vulnerabilities in this kind of software, because if they can exploit a vulnerability, the impact is way bigger.
  • The bigger a binary/source code is, the more errors and vulnerabilities are there.
  • C is quite cool, easy to learn and also very near to hardware programming. Unfortunately it is very easy to make mistakes. It is though not always very easy to spot such mistakes, as not every mistake can be seen in “normal” usage.

You seriously use Falkon for online banking? Falkon is based on qtwebengine, which itself is based on Chromium’s webengine.

A quote taken from QtWebEngine - Qt Wiki

We do update to the latest Chromium version in use before a Qt release. After a release some bug fixes and security patches are backported. For LTS releases of Qt we might also update Chromium in a patch level release.

As you can read, “some security patches are backported”.

Now, you can investigate yourself, which qtwebengine and which falkon versions are part of the Ubuntu archive. And the fun continues, if you try to figure out, which webengine security fixes are part of these versions and which not. Good luck!

All of your examples are not really relevant for the security in online banking.

For online banking

  • keep all your software up to date (good luck with falkon)
  • use a strong and unique password
  • use 2 factor authentication, do not rely only on a password (better with a second device, not on the same device)
  • do not click on suspicious links
  • check the correct website and check also the certificate on the website
  • check your banking account transfers for suspicious behaviour

As you probably see now, firejail is not a big help in this regard. Firejail helps to prevent persistent threats and also does not allow you to store passwords on your disk.

A limited amount of data is a problem, but that is your problem and not a problem of snap itself. One main point of snaps is, that users have the newest software in a fast and reliable way. That has the “disadvantage” that some libraries are delivered several times on the same system. On the other hand, software is not restricted to the version of the “one and only system” library.

If snaps are using too much of your data, then you should choose a distribution without snaps. Or you can increase the data limit (either by paying more or by wisely choose a different provider). Or you can restrict your internet usage to the minimum.

You are free to choose an alternative to Canonical and Ubuntu. There are a lot of other distributions without snaps.

  • Gentoo is very cool, because you download only the source code and not blobs.
  • Or you can choose Debian, which is familiar to you.
  • Or you can also choose Fedora. Fedora has a big community and is up-to-date with most of its packages.
  • Or you can choose Arch Linux, but you will probably download more, as the packages are updated more often.

1 Like

Hi @apt-ghetto, :wave:

Thanks for your latest views on the matter.

I see. Well, that´s good to know.
After having had a of conversations with firejail maintainers I still put my trust in this sandboxing technique. It´s very well maintained and as you see your point

wasn´t valid any more.

Nevertheless it was good of you to point out the facts. Thanks. :+1:

That was just an example.
Of course running firejail instead of falkon for online banking purposes would be a better option. No doubt about that.
But that´s certainly not an argument against employing firejail, right? :wink:

Well, I beg to differ.

Certainly you cannot deny the fact that using the equivalent of a freshly installed browser (let it be firefox then) which had never seen any other site than the banking site before has some advantages (see firejail --private).

So running a snap firefox instance - when firefox had visited shady, untrustworthy and dangerous sites before - should be safer (or at least as safe) as running

firejail --private --dns=1.1.1.1 --dns=9.9.9.9 firefox -no-remote

Really :question: :question: :question: :dizzy_face:

Well, of course you´re entitled to your opinions. No doubt about that. And thank you for providing them.

I for one definitively won´t jump on the snap wagon - if it can be avoided. :wink:

But thanks a lot for the general advice regarding online banking. :heart:

Those are valid points indeed, and I´ve been following them all the time.

Well, that´s your opinion. But it´s certainly a strong plus-point for additional security.
I´m not so sure whether this could be said of snaps, really. :face_with_raised_eyebrow:

Not quite true:
Snaps force updates on us. What´s the point of having left WIN 10 or WIN 11 behind (with forced updates on a larger scale)
and changing over to a Linux-based distro if Ubuntu / Canonical seems to go in a similar direction :question:
I mean: You won´t expect any upright and decent behaviour from WIN, that´s clear.
But Ubuntu should be ashamed of itself. :angry:

Thanks a lot for the suggestions.
I´ll look into those possibilities.

Many thanks for your help and many greetings.

Rosika :slightly_smiling_face:

1 Like

No, I did not say, that firejail is bad. I said, that you should stop using Falkon, if you care about security.

To delete the history and cookies, you do not need firejail. You can delete the profile for the Firefox snap easily and then start Firefox.

From a security point of view, the snapped and firejailed “fresh” Firefox are pretty much the same.

Sorry, this is a support forum for Lubuntu, not a conspiracy forum against Windows. And a little hint: Windows is an operating system and snaps are Linux app packages targeted at desktop, cloud and IoT systems.

And to go a bit off topic: I am quite sure, that you will be able to use snaps also on Windows (inside WSL) in the future.

1 Like

This isn’t a conspiracy - it’s well known that Windows Update is difficult, if not impossible, to turn off. They’re just upset about an automatic update eating massive amounts of network bandwidth out of nowhere, and frankly as someone who’s had to live with tightly metered connections, I agree with them. I have unmetered Internet now, and I burn through 5 GB in a sitting, not in a month. I have updates come through that eat over a hundred MB in one go - nothing to worry about for me, but it would potentially be a big deal if I had 5 GB for a month and was nearing the end of my data when Firefox decided to refresh out of what felt like nowhere.

What’s the difference between removing Snaps entirely, and going with a Snapless distro? Ubuntu provides benefits that I simply wouldn’t want to sacrifice for Debian or another distro even if I was in a data-restricted situation. Increasing a data limit might not be possible for a user with limited options as far as Internet providers (like me, who’s stuck out in the middle of the woods with only dial-up, horribly expensive satellite, or cellular internet as my options), and with 5 GB to work with, restricting Internet usage to a minimum might not work. Far better to shrink the size of updates IMO.

That being said…

@Rosika2 Do you live in the US by any chance? If so, you might look into https://calyxinstitute.org/ - I’m currently using their 4G Unlimited Hotspot membership as my sole source of Internet, and it’s working fantastic. They’re $50 a month paid 3 months at a time for unmetered Internet over cellular. Their service uses T-Mobile and Sprint, and successfully reaches all the way out to my middle-of-nowhere residence. I’m getting speeds of around 4-16 Mbps with them, though I sometimes get as much as 32 Mbps (I do have to put the hotspot in a window and have it in juuuust the right spot to get good speeds). My family generally uses 200+ GB in a month. It might work better than your Internet stick if you have T-Mobile cell coverage and are in the US or Puerto Rico. (I am not affiliated with Calyx Institute in any way, I just like their service.)

2 Likes

That’s simply not true. There are several ways to turn it off or to limit the downloads to important ones.

Mainly less effort and amount of additional work you have to “remove” snaps.
With a snapless distro you can use Firefox and/or Chromium without adding third party repositories.
And without snaps, you do not need to worry about snaps. To be fair, the majority of Ubuntu and Ubuntu flavour users do not worry about snaps, although they use snaps.

Ahhhh, the secret benefits of Ubuntu.

Hi all, :wave:

thanks for your latest comments. :heart:

@apt-ghetto:

Right. Thanks.

O.K. I didn´t know that. Good to know anyhow. :+1:
Still, firejail´s procedure seems easier, as everything is taken care of automatically when shutting down a running firefox instance (the --private option is great for this).

That may be true (at least to some extent) for a command like
firejail firefox
but
firejail --private firefox
certainly adds much to browsing more safely.

Wouldn´t go as far as to consider my statements regarding WIN as conspiracy…

That said I wouldn´t trust WIN as far as I can throw it. :angry:
… for a variety of reasons; but that´s not the point here, and doesn´t cover the topic discussed here.

I think everyone has made his/her point quite well and everyone is certainly entitled to his/her opinion. So I guess we will just have to agree to disagree on some points :smile: .

That said, the topic of this thread is “how to avoid snaps in 22.04”.
And @guiverc has already come up with some good suggestions and insights, as did @BasilCat. Thanks once more.

If anyone has more info regarding that matter I´d be all too pleased to deal with the subject again. :smile:

@ArrayBolt3:

Thanks a lot :heart:.

That was my understanding as well.

Quite right. One might call that: “outrageous behaviour” as well.
(Still now WIN-bashing, just the truth :wink:)

I fear that´s what it´ll come down to.
I´ve been using Lubuntu for six years now as my daily driver.
Not happy to have to let it go but as Lubuntu being a “slave” to Canonical (like so many other official derivatives) I think it would be best to look for alternatives. :face_holding_back_tears:

Like another user in another forum put it:

Every Ubuntu family niche OS Xubuntu, Kubuntu, all of them with buntu on the end, seem to have to follow what Canonical says, to stay in the Ubuntu family of Distros.
It is wrong in my opinion, as a lot of the other Buntu’s are actually better than the main Ubuntu itself.
[…] we cannot keep deleting or uninstalling Snaps because we don’t want to use it. There has to be a line drawn somewhere? […]
I was disgusted with Firefox being turned into a Snap […]

Thanks a lot, Aaron.

Many greetings to all.
Rosika :slightly_smiling_face:

1 Like

How many users have the desktop/firefox setup for more than one login?
All snaps do for the user is make a system harder to use.
Open source software doesn’t need that level of security IMO.

2 Likes

If you want another distro, highly recommend fedora with up-to-date software.

1 Like

@bjlockie:
Hi James, :wave:

thanks a lot for your opinion.

@BasilCat:

Thanks for the suggestion; I´ll look into it.

Many greetings to all
Rosika :slightly_smiling_face:

I followed instructions on this link;

I have six 22.04 Lubuntu machines throughout my house and it worked with all of them. I didn’t like snap for a few reasons - one was, it was always heckling me with popups when it wanted to update, another was, some apps like my Plex server got broken. I never was much of a Snap fan anyway as it always gave me problems with other apps too.

2 Likes

Did you get [sufficient] answers to this?

I didn’t respond further as I don’t see that I could provide more.

  • I don’t have a crystal ball, so can’t gaze into the future & see what (if any) changes Ubuntu will make into the future.
  • On a thinkpad x201 with only 4GB of RAM I initially removed all snap packages (20.04 or focal) and used the deb packages of chromium and it remained that way for much of the time it ran focal. I don’t recall any issues without snapd, but that was a focal install and not jammy, and past isn’t always a great indicator for what will occur in the future. That install is now jammy but I’ve returned to using snap packages on it (I really didn’t notice any improvement with only deb packages in performance)
  • if problems occur (see first no crystal ball comment) I don’t see them as any real issue anyway; the most obvious I already mentioned which you saw & quoted anyway, but how difficult or problematic an issue is depends on our skill level, how pressured we are for time when it occurs etc which will vary
  • Not really asked, but I don’t see Lubuntu as being any different in this regard to other Ubuntu flavors. Snap packages can remove the packaging time significantly thus some use them for welcome or flavor-specific apps, so removing them will impact the users ability to use those apps/features but that should be obvious.

Not repeating the pro and con arguments here. If someone really wants to get rid of snaps and still enjoy the beauty and elegancy of LXQt, a good alternative to Lubuntu is SparkyLinux.

I have been using it for several weeks now on my summer laptop. The end user experience is almost identical to Lubuntu (because it is also based on LXQt). Since both distros are Debian-based, and Canonical did not make radical changes to Lubuntu’s underlying Ubuntu OS, not only the look is almost the same, but also the feel if you are an experienced user and do work on the command line. Well…except for snaps.

I have two more remarks to make:

  1. I appreciate the Lubuntu team for their work. I also appreciate the SparkyLinux team for their work. However, the Lubuntu website is ad free, while the SparkyLinux website (forums, blog, etc.) is bloated with ads (extremely annoying);
  2. After at least four thousand years of high civilisation humanity should really focus on cooperation, not reinventing the wheel every 5, 6 years or so. Both Lubuntu and SparkyLinux are very marginal brands. I dare say extremely marginal. Join forces. Why not make Lubuntu the reference implementation of LXQt: “We’ll do the dirty work (i.e. the graphical layer), and you do the packaging on top of whatever OS”. Some analogy to the merger of the LXDE and Razor-Qt teams came into my mind.

I can’t speak about SparkyLinux, but will say Debian GNU/Linux bookworm (or testing) is using the LXQt of Lubuntu 21.04 which is EOL (two releases ago), and I suspect that’s the LXQt you may be using in Sparky.

It’s some Lubuntu members that are currently involved upstream in pushing the LXQt 1.1 available for some time to Lubuntu kinetic or via backports to existing Lubuntu jammy, or 22.04 users, to Debian sid (you’ll see parts of currently in experimental) so we’re [Lubuntu] back in sync with Debian.

The Debian intention from Simon/@tsimonq2 to Debian/LXQt highlights this

I intend on updating the entire LXQt stack to the latest version on June 30, 2022 (this is when I plan on uploading to Sid).

The entire stack builds, installs, and works in the Ubuntu development release. I would like to completely eliminate the vast majority of Ubuntu deltas.

Lubuntu & Debian are different distributions yes, but we do try and work together when we can, as that is work that benefits us both & reduces overall workload. (The LXQt release in Lubuntu 22.04 LTS had intended to be LXQt 1.0 from Debian, but they were unable to get it there & we ran out of time if you recall; thus were pushing LXQt 1.1 there ourselves)

 lxqt-about | 0.17.0-0ubuntu1 | jammy/universe   | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 lxqt-about | 1.1.0-2         | kinetic/universe | source, amd64, arm64, armhf, ppc64el, riscv64, s390x

lxqt-about | 0.16.0-1      | stable             | source, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
lxqt-about | 0.16.0-1      | testing            | source, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
lxqt-about | 0.16.0-1      | unstable           | source, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
lxqt-about | 0.16.0-1      | unstable-debug     | source
lxqt-about | 1.1.0-2       | experimental       | source, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
lxqt-about | 1.1.0-2       | experimental-debug | source

1 Like

I did not know you folks were actively involved in pushing the latest LXQt to other distros as well.
A perfect example of what I was referring to. Good to know that Lubuntu admires to be leading. Keep up the good work. Appreciated! :+1:

1 Like

This topic was automatically closed 60 minutes after the last reply. New replies are no longer allowed.

Paste from @Rosika2

Hi Chris, :wave:

unfortunately the thread was closed before I could reply.
Therefore I send what I otherwise would´ve posted as a message to you.

Thanks for understanding. Also: thanks a lot for your help. :heart:

Hi all, :wave:

thanks again for your comments. :heart:

@axclassic:

Thanks for the link.

Well, that´s quite something. Thanks for letting us know.

@guiverc:

Yes, thanks a lot. I marked your initial post (post #2) as the solution.

Quite. I´ll have to try for myself.

Yes, I also looked around a bit and other official derivatives come with snapd enabled by default, too. You´re perfectly right.

I didn´t know that. Well, it sounds promising. Really great. :+1:
Thanks for all the info.

@Fritz:

Thanks for the suggestion. I´ve heard of SparkyLinux but never got around to looking into it.
I´ll do it now. :blush:

BTW: I was also considering LinuxLite.
Still, the step away from Lubuntu wouldn´t be light-heartedly taken by me.

Thanks to all of you. :heart:

Many greetings from Rosika :slightly_smiling_face:

2 Likes