by foepys 2964 days ago
> Does the name "Ubuntu Snap Store" carry a connotation that code is reviewed for malware by Ubuntu, the way that the Apple, Google, Amazon, etc. mobile app stores are?

As far as I know, Apple is the only company that manually reviews the code of apps, and even they let some (in my opinion) malware through [1]. Everybody else just does some heuristic anti-malware checking and then publishes the app.

1: Uber was permanently fingerprinting devices, even though Apple was disallowing this kind of tracking in their ToS.

4 comments

Apple is reviewing code? I don't think the blob submitted to Apple includes actual source code. The way I understand it, they (briefly) tap through the app manually, and (like other stores) apply some automated heuristics on the binary.
Firefox addons are reviewed. That's why malicious Firefox addons are a lot less common than malicious Chrome extensions.
Can confirm that Mozilla's review process is the most sophisticated I've ever experienced. The good thing is that when they have something to complain about, you have a competent person on the other side who really helps you. Not like Apple, who only send you some boilerplate in response to all your responses. The downside at Mozilla is that it takes them ages to even start the review; it once took me over 2 months to get my extension into their catalog.
Why do they allow so many extensions that rely on third-party services, though? I don't like this trend. Especially given there's no network sandboxing of any sort, giving an extension permission to access your data locally is very different from allowing it to send that data to a third-party, untrusted server.
Apple doesn't get the source code of apps. They check what APIs you use so they can prevent you from using non-public APIs, and they run some cursory checks. But there is a lot of crap on the App Store.
I really wish we had app stores actually require vendors to submit source code and build instructions so that the app store would build it themselves and publish it. Something like F-Droid even if the source code is not publicly available.
It's difficult to get useful code review out of colleagues working for the same company. The idea that Apple et al should have a competent reviewer audit each submission is simply not a practical thing for any type of repo that accepts software developed by third parties.
Sometimes a small comment in HN makes one think in a whole new way.

I agree with you that useful code review is a tough nut to crack. Professional editors exist for writing, and science has the peer review process (also flawed).

Reading code is a whole different ball of wax from writing it (and from optimizing it in some cases) - I can think of few people who are great at both. I have to wonder if we will ever get to the point where "review" sits in an outside role/function that isn't already overloaded (team lead, architect, management).

Does the fact that we don't have dedicated code reviewers speak to its immaturity or (in)effectiveness?

I assume other companies have testing processes that would pick up mining scripts like this. It sounds like "Ubuntu Snap Store" is similar to the AUR (which in fact can have lots of malware) in function. It's just the name is misleading.