Canonical has responded to last week's discovery that its Snap store carried apps containing embedded crypto-currency miners, by pledging to introduce a “verified developer” program.
When users complained that apps by Nicholas Tomb included the mining code, they were pulled from the Ubuntu Snap store, with Canonical promising an investigation.
The company's follow-up post explained how the incident was resolved and mentioned developer verification as a possible solution.
Canonical wrote that one thing it is working on “is the ability to flag specific publishers as verified. The details of that will be announced soon, but the basic idea is that it’ll be easier for users to identify that the person or organisation publishing the snap are who they claim to be.”
In explaining its response to the Tomb case, Canonical asks a question that most other app souks don't ask: is crypto-mining evil?
The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself.
In this case, it wasn't the mining that got the apps pulled, but misleading users while trying to “monetise software published under licenses that allow it, unaware of the social or technical consequences.”
Tomb, the post says, promised to play nice in future.
As for code review, we noted last week that even Apple and Google, both of which are rather better-resourced than Canonical, sometimes get caught out with malware dressed as apps.
Snaps go through similar steps to iOS or Android apps, the post says: “automated checkpoints that packages must go through before they are accepted, and manual reviews by a human when specific issues are flagged”.
However, “the inherent complexity of software means it’s impossible for a large scale repository to only accept software after every individual file has been reviewed in detail”, and there is no way to guarantee that every package in a repository is trustworthy before it is installed and used.