Purging of GNOME SNAP packages - Dependencies & Risks?

The disk usage under /snap was reported for the following as:

1.7G  gnome-3-34-1804
1.8G  gnome-3-38-2004
2.6G  gnome-42-2204
3.2G  gnome-46-2404

I don’t have the installation to use the GNOME desktop as an option, at least I don’t think so. It is not a choice offered on the login window.

Does MATE have dependencies on those?

If so, do I need to keep all 4 instances, or can I purge the 3 oldest and keep only “46-2404” ?

2 Likes

If you don’t use snap you can delete them all.
You can use my script to remove all traces of snap completely from your system (or reinstall it if you regret it)

I removed all snap because it is securitywise the most vulnerable packagesystem for supplychain attacks.

  1. The snap-store is proprietary so you risk vendor lock-in
  2. there is only one snap-store, a single point of failure and therefore an attractive target.
  3. Anyone can upload without oversight and because the snap-store is proprietary, only a few people can vet the software in the store, no “many eyeballs” from the community (supplychain attack danger)
  4. it already has a history of peddeling malware(Issue 03 · Security Crisis) victims were made, in one case over $400,000.- lost in crypto.
  5. Ubuntu has a history of reacting very slow to snap security issues

Here is a quote from the forementioned link:

  • Alan Pope, a former Canonical employee and Snap Store maintainer, publicly stated that malware reports could go unresolved for days — and that the cycle had repeated itself more than once across different fake wallet apps.
  • Domain takeover hijacking was also used — attackers registered typosquat domains that intercepted update checks from installed fake wallets, allowing the malicious payload to persist and evolve even after initial detection.
  • ~50 Snap packages were estimated by insiders to have malware reports outstanding at any given time — with removal delays spanning multiple days after initial reports, according to publicly available community threads.
  • Canonical’s response speed was not proportionate to a company generating $292M in annual revenue, 83% gross margins, and growing its headcount year over year. The security team’s reaction time suggested understaffing relative to the store’s scale.

Technically, a sandbox around an application should increase security so the idea of snap is sound. It’s the snap-store implementation that sucks.

4 Likes

snap packages don’t technically have dependencies in regards deb packages; but they do have connections to other snap packages that are the same as dependencies except in name (design choice). (‘tomato’ vs ‘tomato’ pronunciation I guess ; The Mustang | Opinion: The Only Correct Pronunciation of “Tomato” )

Those aren’t used by the GNOME desktop; but maybe used by other snap packages you may have installed; and you’ll break them if removed.

As example, I did a snap list on this box, and I see gnome-46-2404 installed on my box here; and that’s not a snap package I’ve installed, so a quick check and I’ll see what uses it, and thus what maybe broken if I removed it

guiverc@d7050-next:~$   snap connections gnome-46-2404
Interface               Plug                                     Slot                         Notes
content[gnome-46-2404]  chromium:gnome-46-2404                   gnome-46-2404:gnome-46-2404  -
content[gnome-46-2404]  desktop-security-center:gnome-46-2404    gnome-46-2404:gnome-46-2404  -
content[gnome-46-2404]  element-desktop:gnome-46-2404            gnome-46-2404:gnome-46-2404  -
content[gnome-46-2404]  firefox:gnome-46-2404                    gnome-46-2404:gnome-46-2404  -
content[gnome-46-2404]  firmware-updater:gnome-46-2404           gnome-46-2404:gnome-46-2404  -
content[gnome-46-2404]  opera:gnome-46-2404                      gnome-46-2404:gnome-46-2404  -
content[gnome-46-2404]  prompting-client:gnome-46-2404           gnome-46-2404:gnome-46-2404  -
content[gnome-46-2404]  snap-store:gnome-46-2404                 gnome-46-2404:gnome-46-2404  -
content[gnome-46-2404]  snapd-desktop-integration:gnome-46-2404  gnome-46-2404:gnome-46-2404  -
content[gnome-46-2404]  telegram-desktop:gnome-46-2404           gnome-46-2404:gnome-46-2404  -
content[gnome-46-2404]  vivaldi:gnome-46-2404                    gnome-46-2404:gnome-46-2404  -
content[gnome-46-2404]  zoitechat:gnome-46-2404                  gnome-46-2404:gnome-46-2404  -

I’m replying here using the brave browser which uses gnome-42-2204 and thus that wouldn’t be impacted if I removed gnome-46-2404, but it would be impacted if I removed that older version.

Which connections are used is determined by the builder of the snap package; somewhat like depends rules for deb packages actually…

3 Likes

I believe it’s safe to delete all snaps. I did that on my “regular” Ubuntu GNOME system and nothing breaks. GNOME does not depend on any snap so I wouldn’t imagine MATE does.

5 Likes

Thank you, Thom!

I didn’t know that Alan Pope himself had raised issues about the SNAP supply chain. I guess that is why he started working on a tool for checking SNAP packages. :slight_smile:



Thank you, Chris! That’s a command I needed to know to make my own determinations.

I am still running 22.04 LTS. This is my full list of SNAP packages installed currently:

Name                 Version                         Rev    Tracking         Publisher      Notes
bare                 1.0                             5      latest/stable    canonical✓     base
canonical-livepatch  v10.16.2                        406    latest/stable    canonical✓     -
chromium             149.0.7827.53                   3459   latest/stable    canonical✓     -
core18               20260204                        2999   latest/stable    canonical✓     base
core20               20260410                        2866   latest/stable    canonical✓     base
core22               20260225                        2411   latest/stable    canonical✓     base
core24               20260410                        1643   latest/stable    canonical✓     base
cups                 2.4.19-2                        1206   latest/stable    openprinting✓  -
gnome-3-34-1804      0+git.3556cb3                   93     latest/stable    canonical✓     -
gnome-3-38-2004      0+git.efb213a                   143    latest/stable    canonical✓     -
gnome-42-2204        0+git.c1d3d69-sdk0+git.015db9a  247    latest/stable    canonical✓     -
gnome-46-2404        0+git.f1cd5fa-sdk0+git.ca9c59c  153    latest/stable    canonical✓     -
gs                   10.02.1                         x1     -                -              devmode
gtk-common-themes    0.1-81-g442e511                 1535   latest/stable    canonical✓     -
mesa-2404            25.0.7-snap211                  1165   latest/stable    canonical✓     -
snapd                2.75.2                          26865  latest/stable    canonical✓     snapd
software-boutique    0+git.0fdcecc                   57     latest/stable/…  flexiondotorg  classic
ubuntu-mate-welcome  22.04.0-d3d4bb1a                726    latest/stable/…  flexiondotorg  classic

None of those, except Chromium, were specifically installed by me, and I did not realize that it was a SNAP rather than Debian. :frowning:

Like I did for Firefox, I will work thru the issues for me to have Chromium as non-SNAP. No need for help on this dependency. :slight_smile:


Working thru the dependencies one at a time:

# snap connections canonical-livepatch
Interface              Plug                                                           Slot                    Notes
hardware-observe       canonical-livepatch:hardware-observe                           :hardware-observe       -
kernel-module-control  canonical-livepatch:kernel-module-control                      :kernel-module-control  -
log-observe            canonical-livepatch:log-observe                                :log-observe            -
network-bind           canonical-livepatch:network-bind                               :network-bind           -
network-control        canonical-livepatch:network-control                            :network-control        -
network-manager        canonical-livepatch:network-manager                            :network-manager        -
system-files           canonical-livepatch:etc-dpkg                                   :system-files           -
system-files           canonical-livepatch:etc-update-motd-d                          :system-files           -
system-files           canonical-livepatch:hostfs-var-lib-dpkg                        :system-files           -
system-files           canonical-livepatch:hostfs-var-local-canonical-livepatch-mode  :system-files           -
system-files           canonical-livepatch:run-cloud-init-instance-data-json          :system-files           -
system-files           canonical-livepatch:sys-kernel-livepatch                       :system-files           -
system-observe         canonical-livepatch:system-observe                             :system-observe         -
system-packages-doc    canonical-livepatch:system-packages-doc                        :system-packages-doc    -

IF I remove the canonical-livepatch SNAP, is there a separate package I need to install, or is that the SNAP pushed out which was intended for servers rather than desktop?

3 Likes

If you can freely reboot whenever you want, livepatch has no added value in my opinion. As far as I can see, you only “need” snap for:

  1. chromium which can be replaced by any browser with the same engine (like Brave for instance)

  2. Also the software boutique and ubuntu-mate-welcome depend on snap, but I guess they are no longer updated since 22.04 is already 4 years old and no longer supported. So in my opinion you won’t lose much if you dump snap completely.

  3. As a replacement of Firefox you can add the official mozilla PPA which gives you Firefox ESR or you can add the official Librewolf PPA. Both are trusted.

IMPORTANT: Before using my script, uninstall livepatch first

2 Likes

So … if I enter

# snap connections chromium

I get the below list of “plugs”:

Interface                 Plug                                      Slot                            Notes
audio-playback            chromium:audio-playback                   :audio-playback                 -
audio-record              chromium:audio-record                     :audio-record                   -
bluez                     chromium:bluez                            :bluez                          -
browser-support           chromium:browser-sandbox                  :browser-support                -
camera                    chromium:camera                           :camera                         -
content[gnome-46-2404]    chromium:gnome-46-2404                    gnome-46-2404:gnome-46-2404     -
content[gpu-2404]         chromium:gpu-2404                         mesa-2404:gpu-2404              -
content[gtk-3-themes]     chromium:gtk-3-themes                     gtk-common-themes:gtk-3-themes  -
content[icon-themes]      chromium:icon-themes                      gtk-common-themes:icon-themes   -
content                   chromium:install-cups-runtime-dependency  -                               -
content[sound-themes]     chromium:sound-themes                     gtk-common-themes:sound-themes  -
cups                      chromium:cups                             cups:cups                       -
desktop                   chromium:desktop                          :desktop                        -
desktop-legacy            chromium:desktop-legacy                   :desktop-legacy                 -
gsettings                 chromium:gsettings                        :gsettings                      -
hardware-observe          chromium:hardware-observe                 :hardware-observe               -
hidraw                    chromium:hidraw                           -                               -
home                      chromium:home                             :home                           -
joystick                  chromium:joystick                         :joystick                       -
kerberos-tickets          chromium:kerberos-tickets                 -                               -
mount-observe             chromium:mount-observe                    -                               -
mpris                     -                                         chromium:mpris                  -
network                   chromium:network                          :network                        -
network-bind              chromium:network-bind                     :network-bind                   -
network-manager           chromium:network-manager                  -                               -
opengl                    chromium:opengl                           :opengl                         -
password-manager-service  chromium:password-manager-service         :password-manager-service       manual
pcscd                     chromium:pcscd                            -                               -
personal-files            chromium:chromium-config                  :personal-files                 -
personal-files            chromium:dot-local-share-applications     :personal-files                 -
personal-files            chromium:dot-local-share-icons            :personal-files                 -
raw-usb                   chromium:raw-usb                          -                               -
removable-media           chromium:removable-media                  :removable-media                -
screen-inhibit-control    chromium:screen-inhibit-control           :screen-inhibit-control         -
serial-port               chromium:serial-port                      -                               -
system-files              chromium:etc-chromium-browser-policies    :system-files                   -
system-packages-doc       chromium:system-packages-doc              :system-packages-doc            -
timezone-control          chromium:timezone-control                 -                               -
u2f-devices               chromium:u2f-devices                      :u2f-devices                    -
unity7                    chromium:unity7                           :unity7                         -
upower-observe            chromium:upower-observe                   :upower-observe                 -
wayland                   chromium:wayland                          :wayland                        -
x11                       chromium:x11                              :x11                            -

Do I need to use the snap command with some options to disable or disconnect any of those plugs before purging Chomium by entering

sudo snap remove --purge chromium
2 Likes

If I remember correctly, the snap remove command disconnects these plugs when uninstalling.

4 Likes

Yes, that is correct. The snap remove command disconnects these plugs automatically.

(b.t.w. My script also takes care of uninstalling all snaps in the right order.)

3 Likes