by bloodearnest 3428 days ago
Some good points, but just to clarify snaps current behaviour re libssl et al:

Snap makes a distinction between a minimal set of critical core system dependencies, and application dependencies.

So on every system with a snap, there is also a 'core' snap, which has the base root fs, including glibc, libssl, bash, etc. This core snap is updated regularly by its publisher (just Canonical's ubuntu core snap right now, but nothing stopping some other core snap). So a lot of critical updates are applied by default, as per normal distro policy, but just in a better way (rollback, transactional, qa, etc).

The application snap is only responsible for keeping its own dependencies up to date; it uses the base libraries from the core snap. It's distinct from docker in this way: it tries to define a line between core and app dependencies, to get the best of both worlds. I.e. critical components are updated ASAP by the distro security team, but apps are free to use a specific version of a library (e.g. gnome, qt) that they want to use, rather than being stuck on the distro maintained version. Which, of course, they can still use if they want :)

It does push the burden of updating libraries onto the app vendor, but on the flip side, snaps run in a very confined environment, which mitigates the scope of most CVEs there might be in an older library.

A lot of careful trade-offs considered and involved in the design - we'll see whether they're the right trade-offs or not :)


> It's distinct from docker in this way: it tries to define a line between core and app dependencies, to get the best of both worlds. I.e. critical components are updated ASAP by the distro security team, but apps are free to use a specific version of a library (e.g. gnome, qt) that they want to use, rather than being stuck on the distro maintained version.

And then as soon as an app decides to not use the base version of a library, it will still be vulnerable when you update the base snap, so you still need to check every app for updates. That's not an improvement at all.

It's not a regression either, if an app developer wants to use their own version of base libraries they will already be doing that in their .deb, .rpm or .tgz packages.
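The thread's point is that a core snap update only protects libraries an app actually takes from the core snap; any copy the app bundles itself is outside that update path and has to be tracked per app. The script below is an added example, not code from either commenter or from the snap project: it inventories the shared libraries an app snap ships that also exist in the core snap, i.e. the ones a core security update will not fix. The directory layout (`/snap/<name>/current`, libraries under `lib/` and `usr/lib/`) is an assumption about the real mount points; the sample tree it builds is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the snap project): find shared
# libraries that an app snap bundles itself and that also exist in the core
# snap. Those copies are not covered by core-snap security updates, so a
# defender has to track them per app.
# Assumed layout: real snaps are mounted under /snap/<name>/current.

# shadowed_libs CORE_ROOT APP_ROOT
# Prints, sorted and de-duplicated, the file name of every *.so* under
# APP_ROOT that also exists (by file name) somewhere under CORE_ROOT.
shadowed_libs() {
    core_root=$1
    app_root=$2
    find "$app_root" -type f -name '*.so*' 2>/dev/null | while read -r lib; do
        name=${lib##*/}
        # Matching on file name is deliberately coarse: a differing soname
        # or version is itself worth a look, so we do not try to be clever.
        if find "$core_root" -type f -name "$name" 2>/dev/null | grep -q .; then
            echo "$name"
        fi
    done | sort -u
}

# Constructed sample tree so the example runs offline. A real check would
# pass /snap/core/current and /snap/<app>/current instead.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/core/usr/lib/x86_64-linux-gnu" \
             "$root/app/usr/lib/x86_64-linux-gnu" \
             "$root/app/lib"
    # Core snap: base libraries the distro security team updates.
    : > "$root/core/usr/lib/x86_64-linux-gnu/libc.so.6"
    : > "$root/core/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0"
    : > "$root/core/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0"
    # App snap: bundles its own libssl (shadows core, so a core update
    # does not reach it) and a private Qt library that core never had.
    : > "$root/app/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0"
    : > "$root/app/lib/libQt5Core.so.5"
    echo "$root"
}

# Run with --demo to see the constructed case; expected output is the
# single bundled core library, libssl.so.1.0.0.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    shadowed_libs "$sample/core" "$sample/app"
    rm -rf "$sample"
fi
```

Against a live system you would loop `shadowed_libs /snap/core/current /snap/$app/current` over the installed apps; an app that prints nothing takes all of its base libraries from core and is covered by the core update, while each name printed is a library whose patch status depends on that app's own release cadence.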