Linux devs open up universal Ubuntu Snap packages to other distros

Snappier security updates on the way

Analysis: The Snap application container system released in April with Ubuntu 16.04 is now going to be opened up to many other Linux distros after a surprise discovery by developers.

In a press call to journalists, Canonical founder Mark Shuttleworth (accompanied at times by a rather excitable Labrador) explained that shortly after the Snap release several Linux developers, particularly from Arch and Gentoo, approached Canonical with an idea to make Snap a more universal system.

Snap, originally developed for Ubuntu's mobile flavor of Linux, is a way of packaging an application with all the dependencies it needs to run in isolation. This means it's easier to run on any device, and the main operating system doesn't risk suffering a Total Inability To Support Usual Performance (TITSUP) if an application gets a dodgy upgrade.

What the developers found after two months of research was a relatively simple way of making Snap apps run on other Linux distros with no need for developers to change any code. Arch, Debian, Fedora, and Kubuntu can all now run Snap applications, and CentOS, Elementary, Gentoo, Mint, and OpenSUSE are all currently being validated.

"As long as snapd has been ported to their Linux distro it will just work. You don't have to do things differently to make a Snap that works across multiple Linuxes," Shuttleworth said.

"That's what is really beautiful about it and that's what really surprised me. I thought we would get Gentoo Snaps of Firefox and Debian Snaps of Firefox, but the way the guys did the work it's a universal Snap."

Red Hat is also listed as validating the system, but Shuttleworth said progress has been comparatively slow. Canonical had alerted Red Hat and given its engineers a briefing on the topic, but had heard nothing back. In contrast, the OpenWrt Project had proof-of-concept code for its operating system in four days, Shuttleworth said.

"Snaps deliver new applications to OpenWrt while leaving the core OS unchanged," said Matteo Croce of OpenWrt.

"Snaps are a faster way to deliver a wider range of software to supported OpenWrt access points and routers."

Porting Snap to Android is also an option. Shuttleworth said doing so "would be trivial," since the necessary mechanisms already exist in the operating system's kernel, and porting apps should pose no problems given a little development time.

Getting Snap apps to run in the Bash shell for Windows is "absolutely plausible," Shuttleworth said. He said that it would take a bit of work modifying the syscalls needed to make Snap work on Bash, but when they do, the results will be amazing.

"If you want your mind blown, go and install Jenkins the old way and then type snap install jenkins," he said. "People who've seen that just boggle at how easy it makes complicated things. I'm sure that Microsoft will want that for their Ubuntu compatibility layer."

Ubuntu will continue to support deb software packages, he said, but the ability of Snap to run across multiple versions of Linux means that developers are going to find it a lot easier to write their apps on the distro of their choice and get them out there.

Security as a selling point

Since the launch, Canonical has been stressing that Snap has significant advantages for both apps and an overall operating system.

Data flows are tightly controlled and the application is held in relative isolation. Updates can be issued on the fly at far lower risk; if the update fails midstream it's cancelled, and if it's buggy the app can automatically roll back to its previous incarnation.

"Snaps enable our users to get the freshest LibreOffice releases across different desktops and distributions quickly, easily and consistently," said Thorsten Behrens, founder and board member of The Document Foundation.

"As a bonus, it should help our release engineers to distribute a more up-to-date LibreOffice that is not based on a bespoke, home-grown and ancient Linux build solution, using a toolchain that is collectively maintained."

Snap applications can run a number of development channels simultaneously, and Shuttleworth said these would range from daily builds and beta version release candidates to stable releases, providing "more edginess" for developers who wanted the very latest code.

But another key benefit of this method is the ability to push security updates out quickly, and it also offers big advantages for developers, Shuttleworth opined, because it means they can focus on the application itself and leave Canonical to handle the security of the operating system.

"We believe Snaps address the security risks and manageability challenges associated with deploying and running multiple third-party applications on a single IoT gateway," said Jason Shepherd, director of IoT Strategy and Partnerships at Dell.

"This trusted and universal app format is essential for Dell, our IoT Solutions Partners, and commercial customers to build a scalable, IT-ready, and vibrant ecosystem of IoT applications."

However, all is not perfectly rosy in the Snap security sphere. Matthew Garrett, a security developer at CoreOS and a Linux kernel developer, has pointed out that Snap apps could be built to slurp up keystrokes and private SSH keys with the X Window System (X11).

When The Reg asked Shuttleworth about the issue, he said that Garrett's research was "absolutely appropriate," and that the problem is that X is "leaky," and so Snap apps can take advantage of vulnerabilities in the window system. But, he pointed out, the same issues occur in deb and RPM packages that deal with X as well.

"We can do better, but today a Snap is no different from a deb or an RPM, or any other kind of package for Linux in that regard," he said. "With the next generation of display servers, Mir and Wayland, this isn't an issue."

Let a thousand apps bloom

On the face of it, the opening up of Snap is a very good thing for the industry – the packaging system offers some key advantages.

Fragmentation of Linux builds and versions is a major issue that isn't going away, and developers welcome a system that allows them more opportunities to run apps in multiple environments with very little extra work.

Safe and rapid updating is another key benefit, and should help keep users more secure than before, even if it isn't perfect. But Tuesday's announcement is also an endorsement of the open source system as a whole.

"I really want to celebrate contributions from the open source community; this is not something we would have or could have done ourselves," Shuttleworth said.

"I'm in the slightly odd position of hosting an announcement that gleefully gives partners and our ecosystem an easier route to not using Ubuntu, but I think it's for the best. I think the fragmentation of Linux has been one of the things that slows people down, and am delighted to be part of helping get rid of that fragmentation."

The big question now is whether the development community will go for Snap. It's very early days, but Shuttleworth reported that independent software vendors are very keen on using the packaging system. There's competition out there, but Canonical thinks it has a winner on this one. ®
