Zorin repository, Flatpak or Snap?

I am new to Linux and still very much learning as I go which is a bit of a struggle at my age. I am seeing why they say you can't teach an old dog new tricks.

One thing I am not really sure of are the different options when installing apps from the Software app. There are options for installing from Zorin, Flatpak and Snap. My limited understanding is Zorin is their own controlled repository and installs into the OS. Flatpaks are self contained apps with all the required dependencies included and in the case of Zorin are installed from Flathub. Snaps are similar to Flatpak but controlled by Canonical.

That's really where my understanding stops. What is the best option to use if all 3 options are available? Which is the safest repository to install from? How well controlled is the Zorin repo? What are the chances there are any malicious apps in any of them?

There are 4 types of packages/programs for Zorin:

  1. Debian/Ubuntu
  2. AppImages
  3. Flatpak
  4. Snaps

Usually, the best type is Debian/Ubuntu.

The other formats are similar with a variance on how they accomplish their task. They are usually newer with the latest features but can run slower.

This isn't accurate. Every Flatpak application needs another separate Flatpak called a runtime that contains the dependencies it needs. Some Flatpak applications utilize two or more runtimes.

Example: The Inkscape Flatpak is built on and needs the Gnome 45 Runtime. These are two separate Flatpaks. You only need to install one copy of a runtime - it is shared among all the applications that need it.

Snaps also use separate snaps with their needed dependencies.

Flatpaks and Snaps have the most recent versions of the applications and update to newer versions when they become available. Most .deb packages do not get upgraded during the life of the OS. There are exceptions, like Firefox, or an update to a package may be provided for security reasons.

Zorin is a fork of Ubuntu (and to some degree Ubuntu is a fork of Debian - I even read one time Ubuntu claiming Debian was a fork of Ubuntu, not so). So when you change your Software sources in Software Updater to Main Server you are getting Software from Canonical servers. Zorin references in the Software channel use APT to pull in Applications. Here is an excellent article that explains this:

https://www.howtogeek.com/791055/apt-vs-apt-get-whats-the-difference-on-linux/

The coordinator of my local Linux User Group explained that snap is as bad as Telnet or 'finger' from a security angle. There has recently been a security issue with flatpak being hacked. My personal preference is to remove both post install (I wrote a Tutorial on this linking articles on how to do it [HOW TO] Remove snapd and flatpak ... should you wish to). The issue for me in regards to App Images is they don't update with system updates, they have to be manually updated, that is why I prefer an older version of Inkscape, it still has the same functionality as the newer App Image version. On a side note, flatpak was the brainchild of several application developers which garnered the interest of Red Hat who just happened to send Lennart Poettering to the flatpak group to find out more. Some wags on another forum suggested, with Lennart's development of systemd and pulseaudio, why Linux isn't referred to as Lennart Linux!

Subsequently, Red Hat adopted flatpak as the default form of Application container, and just as they did with the inferior systemd and pulse audio, attempted to force it as the standard to be adopted by all the other 'mainstream' distributions. Canonical developed their own container, snap, and caused such a stir between it and the founder of Linux Mint when they stated they would not support forks of Ubuntu which allowed flatpak packages to be present. Sadly, the argument of which is better overshadowed the obvious, "Why fix [APT] what ain't broke in the first place?!" In terms of security, fundamentally a system is only as secure as:

  1. The initiators of code have done a thorough job, and

  2. The users of applications also take care, such as using browsers, which are not in the control of the developers of such apps. Having said that, the only secure browser at present is unGoogled Chromium.

At the end of the day, no system is secure as they are written by humans. If A.I. were allowed to develop Operating Systems they would be very secure ... the downside being we mere humans would not be allowed to use it.

1 Like

Thanks for all the replies. The part I was most interested in though hasn't been answered which is "Which is safest repository to install from? How well controlled is the Zorin repo? What are the chances there are any malicious apps in any of them?"

Also, one of the things I really don't understand is why open source apps are thought of so highly if you are downloading binaries that you have no way of knowing they were definitely built from that source code. Even if you can prove that how do you know you can trust every contributor to it? I only watched a video last night (about 3 weeks old) of someone maliciously putting code in an open source project.

I would argue that APT (Zorin) be the source of choice and in terms of third party tarballs I included a procedure on how to check tarballs from a post by Blackwolf, a moderator on the Ultimate Edition Oz forum, in both unofficial manuals for Zorin 15 and Zorin 17. I would be surprised if Canonical let a modified APT package get onto their Main Server. My ultimate preferences are Synaptic Package Manager, and Apper as a Software channel. As I have stated above, no system is secure, just as safe driving is dependent on the nut behind the wheel.

Yes, you can. Download the source code for a program, build it and compute the checksum for the resulting binary file, as well as the binary file you downloaded. Compare the result, and you have mathematical proof that those files are equal if the hash signatures match, or that they aren't if the signatures don't match.

This is why you should always verify the integrity of the software you download.

Ultimately, you can always build everything from source. This is what distributions like Gentoo are all about.

But is not just the security aspect that makes open source attractive to even major companies like Microsoft. Having access to the source code means that I can tweak the software to adjust to my particular needs. Later, I could contribute those changes to the original project (also known as "upstream") so that everyone can benefit from them.

This is exactly why thousands of open source projects exist today, from prominent names like Ubuntu (and by extension, derivatives like Mint and Zorin OS) to unknown libraries that power the entire infrastructure of the internet:


Are you referring to the XZ vulnerability? It made quite the scandal recently. See this discussion:

Yes, it's possible to embed malware in open source software just like it is in closed source software. The difference is that anyone can examine the code at any time. This doesn't make it automatically any more secure by itself, but it increases the chances of spotting these issues, which is how this vulnerability was prevented, close as it was.

One reason this XZ vulnerability did not affect Zorin OS is because of the much slower release cycle that it follows in regards to package management. This is inherited from Ubuntu and Debian, which are more focused on providing a stable and secure system than providing cutting edge software with all the bells and whistles.

One downside of this approach is that newer software is not available quite as fast as many would like, having to go out of your way to get it. And this is where Flatpak can help.

As mentioned above by @Topaz, Flatpak has its own runtime. A runtime being a set of small programs and various libraries that other programs will make use of to run. This additional runtime will allow for packages to run independently of the system libraries that come installed with Zorin OS, and that makes it possible to have higher versions of the software than would normally be available. This brings us to:

The official repositories, no doubt. In distributions like Debian and derivatives, the packages that are included are tested thoroughly. That is by design, and a big reason why the release cycle is much slower compared to other distributions that do this differently. More time to release means more opportunities to discover stability and security issues.

Flatpak is not limited to the system libraries and thus the release cycle for each software is much faster. A developer can push an update to their software and upload it to the Flathub repository (the "store" for Flatpaks, if you will). But at the cost of less time to test software as thoroughly.

In addition, not all Flatpak packages that you see are uploaded by the official developers, and they are not always verified by the Flatpak project. Those are important considerations in terms of security.

And finally, the runtime itself that Flatpak requires is software, and like all software is prone to bugs and vulnerabilities. More software installed means a bigger attack surface and more opportunities for something to go wrong.

Another aspect seldom mentioned about this runtime is that the developer needs to explicitly target a version of the runtime, in order to benefit from the latest libraries and whatnot. The caveat comes when a Flatpak that depends on the Gnome runtime at version 45 gets bumped to version 46 on the newest release. The Flatpak that the user installed will not get updated and will remain at version 45. This leads to the awkward situation where one of the primary incentives of using Flatpak packages in the first place, which is to deliver the latest versions available, is completely defeated by its own design.
To properly update, the user has to explicitly uninstall and re-install that Flatpak package.

The security aspect of Flatpak comes from its design around permissions, similar to mobile apps. For example, if you download something malicious, that something may not have access to sensitive system libraries. But it can lead to a lot of awkward issues, and it often does (just browse the forum to get a sense of it), although luckily it is not always difficult to work around those issues.

See more about this:

In summary, everything has pros and cons, and there's a time and place for everything. Personally, I'd recommend sticking to the official repositories as much as possible. Flatpak is a decent alternative, but not something I'd recommend as the default option as it tends to cause more headaches than it is worth. Unfortunately, the Software Store prioritizes Flatpaks over native formats.

Contrary to what most people will tell you, you don't actually need the latest and greatest versions of software all the time. When you do, you can find alternative sources such as Flatpak, or build the software from source yourself.

3 Likes
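The checksum comparison the answer above describes, as an added example that is not part of the original post or of any Zorin OS tooling: it parses a SHA256SUMS-style listing of the kind publishers ship next to a download, streams the local file through SHA-256, and compares the two digests. The file name `example-app.tar.gz`, its content and the listing are constructed sample data, not a real release. Note the limit of the technique: a matching digest shows the file you hold is the one the publisher listed, not that it was built from the source you read; closing that second gap is what reproducible builds are for.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample: the "download" and the SHA256SUMS-style listing a publisher
# would ship beside it ("<hex digest>  <filename>", one entry per line).
SAMPLE_NAME = "example-app.tar.gz"   # hypothetical file name, not a real release
SAMPLE_CONTENT = b"abc"              # constructed stand-in for the downloaded bytes
SAMPLE_SUMS = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-app.tar.gz\n"
    "# blank lines and comments are tolerated\n"
)


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large ISOs or tarballs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse a SHA256SUMS-style listing into {filename: lowercase hex digest}.

    Accepts sha256sum's text mode ("hash  name") and binary mode ("hash *name"),
    skips blank lines and '#' comments, and rejects anything that is not a
    64-character hex digest so a truncated or corrupted listing fails loudly.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest on line: {line!r}")
        sums[name] = digest
    return sums


def verify_download(path, sums_text):
    """Return True only if the file's digest matches the published one for its name.

    A file with no entry in the listing is treated as a failure, not a pass, and
    hmac.compare_digest keeps the comparison constant-time.
    """
    expected = parse_sums(sums_text).get(Path(path).name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Write the constructed sample to a temp dir, verify it intact, then after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / SAMPLE_NAME
        target.write_bytes(SAMPLE_CONTENT)
        intact = verify_download(target, SAMPLE_SUMS)
        target.write_bytes(SAMPLE_CONTENT + b"x")   # one appended byte stands in for a tampered download
        tampered = verify_download(target, SAMPLE_SUMS)
        return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(demo())   # {'intact': True, 'tampered': False}
```

In practice the SHA256SUMS file is fetched from the publisher's site and, where offered, its detached signature is checked first; a checksum served from the same place as a tampered download would have been tampered with too, which is why distribution repositories sign their package indexes rather than relying on bare digests.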

I provided an answer to that early on. Usually, the native repository is the best way to install an application if given a choice.

2 Likes

Well certainly not snap packages. Ubuntu fell foul of a bitcoin masquerade app that made its way into the Ubuntu Store. Mr Shuttleworth issued a statement that it had been removed (the person affected lost chips to the value of £500,000). An engineer reported after Mr Shuttleworth had made an announcement that no further fake apps would get through, found 4 new ones. (Source: Current edition of Linux Format Magazine - I didn't buy it, but flicked through the pages.) In terms of the xz vulnerability, I am more inclined to believe what techrights.org have said on this - a good diversion tactic (not saying it did not happen or it doesn't exist) but M$ has already been hauled over the coals for China and Russian hacks - so the xz vulnerability proved a welcome (planned?) diversion. And let's not forget GitHub is now owned by Microsoft! I also noticed an announcement of the latest version of Cachy OS - which has dropped Gnome and dropped Wayland - why did it drop Wayland? Because Wayland can't deal with the Calamares installer!

I don't disagree about staying away from Snaps in general. I am still wary of ANY application even on LMDE (based on Debian) and Flatpaks too. But, the guy that claims he lost $500K can claim all he wants - there is no proof. I can claim I lost $1 million - so what? But, yes, always be wary of the source, especially Snaps - that was a huge fumble by Canonical in not auditing the code. Open Source and Linux have been negligent about not verifying sources of software despite being open for anyone to read the code. At least Debian does long term testing. That has been my increasing reason to stay with Debian based distributions - long term testing. Claiming Linux is more secure is not true if the source can't be verified. How many times has this happened before? It worked this time only because a Microsoft software engineer :wink: identified an anomaly and found the problem.

I agree on the comments on crypto currency. I have never been interested in this volatile fake currency, especially how it is used by drug cartels in the US.