If you don’t use snap you can delete them all.
You can use my script to remove all traces of snap completely from your system (or reinstall it if you regret it)
I removed all snap because it is securitywise the most vulnerable packagesystem for supplychain attacks.
The snap-store is proprietary so you risk vendor lock-in
there is only one snap-store, a single point of failure and therefore an attractive target.
Anyone can upload without oversight and because the snap-store is proprietary, only a few people can vet the software in the store, no “many eyeballs” from the community (supplychain attack danger)
it already has a history of peddeling malware(Issue 03 · Security Crisis) victims were made, in one case over $400,000.- lost in crypto.
Ubuntu has a history of reacting very slow to snap security issues
Here is a quote from the forementioned link:
Alan Pope, a former Canonical employee and Snap Store maintainer, publicly stated that malware reports could go unresolved for days — and that the cycle had repeated itself more than once across different fake wallet apps.
Domain takeover hijacking was also used — attackers registered typosquat domains that intercepted update checks from installed fake wallets, allowing the malicious payload to persist and evolve even after initial detection.
~50 Snap packages were estimated by insiders to have malware reports outstanding at any given time — with removal delays spanning multiple days after initial reports, according to publicly available community threads.
Canonical’s response speed was not proportionate to a company generating $292M in annual revenue, 83% gross margins, and growing its headcount year over year. The security team’s reaction time suggested understaffing relative to the store’s scale.
Technically, a sandbox around an application should increase security so the idea of snap is sound. It’s the snap-store implementation that sucks.
snap packages don’t technically have dependencies in regards deb packages; but they do have connections to other snap packages that are the same as dependencies except in name (design choice). (‘tomato’ vs ‘tomato’ pronunciation I guess ; The Mustang | Opinion: The Only Correct Pronunciation of “Tomato” )
Those aren’t used by the GNOME desktop; but maybe used by other snap packages you may have installed; and you’ll break them if removed.
As example, I did a snap list on this box, and I see gnome-46-2404 installed on my box here; and that’s not a snap package I’ve installed, so a quick check and I’ll see what uses it, and thus what maybe broken if I removed it
I’m replying here using the brave browser which uses gnome-42-2204 and thus that wouldn’t be impacted if I removed gnome-46-2404, but it would be impacted if I removed that older version.
Which connections are used is determined by the builder of the snap package; somewhat like depends rules for deb packages actually…
I believe it’s safe to delete all snaps. I did that on my “regular” Ubuntu GNOME system and nothing breaks. GNOME does not depend on any snap so I wouldn’t imagine MATE does.
I didn’t know that Alan Pope himself had raised issues about the SNAP supply chain. I guess that is why he started working on a tool for checking SNAP packages.
Thank you, Chris! That’s a command I needed to know to make my own determinations.
I am still running 22.04 LTS. This is my full list of SNAP packages installed currently:
IF I remove the canonical-livepatch SNAP, is there a separate package I need to install, or is that the SNAP pushed out which was intended for servers rather than desktop?
If you can freely reboot whenever you want, livepatch has no added value in my opinion. As far as I can see, you only “need” snap for:
chromium which can be replaced by any browser with the same engine (like Brave for instance)
Also the software boutique and ubuntu-mate-welcome depend on snap, but I guess they are no longer updated since 22.04 is already 4 years old and no longer supported. So in my opinion you won’t lose much if you dump snap completely.
As a replacement of Firefox you can add the official mozilla PPA which gives you Firefox ESR or you can add the official Librewolf PPA. Both are trusted.
IMPORTANT: Before using my script, uninstall livepatch first