>Its target market seems to be desktop users (or server admins that are only familiar with the Desktop version)

Uhh what? Isn't its largest target cloud/server distro deployment?

>Ubuntu's root certificate store is constantly outdated

Uhh, for me cacerts updates, what, twice a year? Certainly it's a lot easier for me to keep it updated on Ubuntu than RHEL/CentOS.

>Their apparmor configuration lags behind, ... whatever is good they usually inherit from Debian.

AppArmor and SELinux are objective failures for the most part. The entire point of snaps/flatpaks is to hide away the nonsense configuration in favor of an actual permission model. I would say snaps are actually enabling AppArmor to be used and enforced, unlike the generic AppArmor profiles generated.

>Jason Donenfeld, the creator of Wireguard said about Ubuntu on the latest¹ SCW podcast:

What specific aspects is he referring to here? WireGuard has been baked into the kernel. I can understand packaging updates being a mess, and updating universe/LTS, but that is problematic for every Linux OS out there. This is precisely why snaps were introduced. You now have an AppArmor/seccomp enforced permission model and an easy way for developers to directly push to multiple Ubuntu versions without having to worry about OS compatibility.

The premise for my reply was security, not market share. Just because something is popular does not imply a good security posture. In fact, most popular things are dumpster fires from an infosec perspective.
What I'm saying is: familiarity with Ubuntu desktop translates easily into "let's install this on a server".
All of AppSec in Linux is hard. SELinux/AppArmor/firejail/systemd-hardening especially cost effort.
If you think snap/flatpak are better, go for it. For me they are a major reason to stay away from Ubuntu in production. But I'm not the boss of you.