When Canonical launched Ubuntu 16.04 in April, one of the biggest changes was support for a new way to install applications.
Ubuntu’s “snappy” new way of packaging applications is no longer exclusive to Ubuntu. Canonical today is announcing that snapd, the tool that allows snap packages to be installed on Ubuntu, has been ported to other Linux distributions including Debian, Arch, Fedora, and Gentoo, among others.
If you have no idea what the above paragraph means, here’s a summary. Traditionally, applications for Ubuntu and similar distributions are packaged in the deb (short for Debian) format. These packages consist of the application a user wants to install, and they can also install other things that the package depends on in order to run (libraries, other applications, scripting, support files, and so on). Applications often require a lot of dependencies, making things more complicated, for example, when one application needs one version of another piece of software and a second application needs a different version of that other piece of software.
“Snap packages solve this problem by creating self-contained packages,” we noted in our review of Ubuntu 16.04, which brought snaps to servers and desktops. “With snap packages, applications are installed in their own container, and all the third-party applications are installed with them so there are no version conflicts. Snap packages are also smart enough to not install a package more than once, meaning applications installed via Snappy don’t take any more disk space than regular applications.”
This allows users to update and roll back applications without causing problems to the rest of their operating system. It also comes with security benefits because applications are more isolated from each other and from core parts of the OS than they normally would be.
The new “snap packages” are designed to make it easier to install software, since a snap includes all the software dependencies for a particular application. Canonical says the system is more secure as well, since applications are sandboxed from one another.
It could also let users get software updates more quickly, without waiting for applications to hit a specific repository, since apps are updated automatically.
Canonical has also lined up some testimonials from developers, such as Krita project lead Boudewijn Rempt, who says “Maintaining .deb packages in a private repository was complex and time consuming, snaps are much easier to maintain, package and distribute. Putting the snap in the store was particularly simple, this is the most streamlined app store I have published software in.”
Since snaps are still relatively new, they’re not the only way to install software in Ubuntu or other operating systems. You can still use .deb files in Ubuntu and Debian, for instance, in addition to snaps.
Canonical founder Mark Shuttleworth says adoption of snaps helps deal with one of the major issues facing Linux-based operating systems: fragmentation. If the system catches on with developers, it could greatly simplify the process of developing software for multiple operating systems by offering a single installation package that works across a range of Linux distributions. It also allows developers to roll out an update once, and have the new version of the software push security fixes or new features to all supported operating systems at once.
Other operating systems that are validating support for snaps include CentOS, Elementary OS, Gentoo, Linux Mint, OpenSUSE, OpenWRT, and RHEL.
But snaps—initially created for Ubuntu phones and then Internet of Things devices—could only be installed on Ubuntu. That’s what’s changing this week. Developers who package applications as snaps can now expect them to run on a bunch of Linux-based operating systems without creating multiple types of packages. Developers can use a tool called Snapcraft to build and package their snaps.
“Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu, Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,” Canonical’s announcement says. “They are currently being validated on CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are easy to enable on other Linux distributions.” (Ubuntu will continue to support deb packages, but developers can choose to package applications as snaps instead of or in addition to debs.)
Complementary to existing Linux packages
Snaps sit alongside the native packages of the base Linux operating system. Each distribution has its own mechanisms to provide the base OS and its updates. Snaps complement the base OS with universal apps that cannot interfere with the base OS or one another.
“Snaps deliver new applications to OpenWRT while leaving the core OS unchanged,” said Matteo Croce of OpenWrt. “Snaps are a faster way to deliver a wider range of software to supported OpenWrt access points and routers.”
Enhanced security for apps and devices
Each snap is confined using a range of kernel isolation and security mechanisms, tailored to the snap, ensuring that vulnerabilities in the application are contained to the greatest degree currently possible. A careful review process ensures that snaps only receive the permissions they require to operate. Users do not have to make complex security decisions when installing the snap.
“Security is particularly important when running third-party software,” said Steve Langasek, a Debian developer. “Snaps meet that challenge with robust confinement, neatly addressing many of the risks of apps in sensitive environments.”
Simpler and easier to create
The snap format is simpler than the native internal package formats of individual Linux distributions, because it is focused purely on applications rather than the core system itself. Snaps are essentially self-contained zip files that can be executed very fast in place, making them easy to create.
“Snaps are much easier to create than traditional Linux packages, and allow us to evolve dependencies independent of the base operating system, so we can easily provide the very best and latest Chinese Linux apps to users across all distributions,” said Jack Yu, leader of the popular Chinese Kylin team.
Updated snaps are delivered automatically, improving the flow of features and fixes as well as the feedback cycle both for commercial applications and for open source applications.
Thorsten Behrens, founder and board member of The Document Foundation said, “Our objective is to make LibreOffice easily available to as many users as possible. Snaps enable our users to get the freshest LibreOffice releases across different desktops and distributions quickly, easily and consistently. As a bonus, it should help our release engineers to distribute a more up-to-date LibreOffice that is not based on a bespoke, home-grown and ancient Linux build solution, using a toolchain that is collectively maintained.”
“Ubuntu MATE is delighted to be participating in the snappy initiative, with a goal of eventually snapping the complete MATE desktop. Collaborating with Ubuntu developers and other community contributors is a great way to share experiences and best practice,” said Martin Wimpress, project lead of Ubuntu MATE.
Stable, candidate, beta and daily versions
Stable releases, release candidates, beta versions and daily builds of a snap can all be published at the same time, enabling users to preview upcoming releases with different levels of stability.
“Rolling updates are popular in the Arch community,” said Tim Jester-Pfadt, an Arch contributor. “One nice feature of snaps is support for edge and beta channels, which allow users to opt-in to the pre-release developer versions of software or stick with the latest stable versions.”
The beta or edge channels, and the candidate channel, provide a very natural way for developers and their pro users to collaborate on development progress, improving quality and accelerating the pace of releases.
A shared app ecosystem
“Most vendors target Ubuntu because of its popularity,” said Mark Shuttleworth. “Snaps bring those apps to every Linux desktop, server, device or cloud machine, giving users freedom to choose any Linux distribution while retaining access to the best apps.”
The snap format, designed by Canonical, is handled by snapd, a free software project on GitHub. Porting snapd to a wide range of Linux distributions has proven straightforward, and the community has grown to include contributors from a wide range of Linux backgrounds.
A community-driven project
Canonical founder Mark Shuttleworth and a few of his tech gurus gave us a preview of the announcement yesterday, though they stressed that the project was driven by open source community members rather than Canonical itself. Arch developer Tim Jester-Pfadt and Gentoo developer Richard Yao were among the key contributors, Shuttleworth said.
To install snap packages on non-Ubuntu distributions, Linux desktop and server users will have to first install the newly cross-platform snapd. This daemon verifies the integrity of snap packages, confines them into their own restricted space, and acts as a launcher. Instructions for creating snaps and installing snapd on a variety of distributions are available at this website.
Snapd itself is installed as traditional packages on these other operating systems. That means there’s a snapd RPM package for Fedora, for example. It’s the same snapd code for every Linux distribution, just packaged differently, and applications packaged as snaps should work on any Linux distro running snapd without needing to be re-packaged.
Snaps can exist on the same system as either deb or RPM packages. “Installing snapd lets you install any snap on your RPM-based environment, and the snaps sit off to the side, they don’t conflict; there’s no way for them to touch your RPM-based system,” Shuttleworth said.
Debs are obviously still far more common than snaps, but Mozilla is planning to deliver Firefox (Ubuntu’s default browser) as a snap package. Several other technology makers praised cross-platform snaps in today’s press release, including Dell, Samsung, The Document Foundation (maker of LibreOffice), Krita, Mycroft, and Horizon Computing.
“With the introduction of snaps, continually optimizing Firefox will become possible, providing Linux users the most up-to-date features,” Mozilla VP Nick Nguyen said in the announcement. Snaps are “easier to maintain, package, and distribute” than deb packages, Krita Foundation project lead Boudewijn Rempt said.
Red Hat spoke to Canonical about snaps early in the development process, but Shuttleworth said it isn’t clear whether the company will make snaps available by default. Even without official support, users of Red Hat operating systems will get snap support by installing snapd.
Canonical developers told us that it has always been a “nightmare” month-long project to package Jenkins in deb format because of this application’s various Java dependencies. But they were able to snap Jenkins into place in a weekend, putting all the dependencies into a container without having to worry about Java version mismatches, they said. Now users can install Jenkins with the terminal command snap install jenkins. Snaps can also be published to the Ubuntu Software store.
Switching from the stable channel to beta
With snaps, application developers can also make it easier for users to choose different release channels, such as beta, release candidates, daily builds, and stable releases. “Rolling updates are popular in the Arch community,” Jester-Pfadt said in the announcement. “One nice feature of snaps is support for edge and beta channels, which allow users to opt in to the pre-release developer versions of software or stick with the latest stable versions.”
Canonical wasn’t planning to make snaps cross-platform itself; it happened when community members expressed interest in bringing the new packaging format to other distros. Canonical developers initially thought that snaps would have to be “forked” so that you’d have different snap formats for each Linux distribution. But community developers figured out how to let snaps run across a variety of Linux-based operating systems without being altered and without losing their security benefits. Applications won’t have to be “snapped” for each Linux distribution, as Canonical first thought; they can be snapped once and run across them all.
“Very quickly the people working on that figured out that actually the same snap will work across all those platforms, and that feels like a fundamental shift and a very exciting and dynamic shift,” Shuttleworth said. “People publishing snaps can be confident that those snaps can run securely wherever they run, unless the user has ever explicitly taken them out of the box [where they are isolated from the rest of the system].”
Shuttleworth touts security of snaps
Snaps aren’t the only new package managers for Linux distributions that aim to simplify installation of applications. There’s also AppImage and OrbitalApps, Shuttleworth noted. Shuttleworth said he wouldn’t criticize anyone for choosing a different application delivery system, but he argues that snaps offer better security.
“It’s not that exciting to basically fetch a binary from the Internet and run it on your machine; that has always been possible,” he said. “What’s exciting is to be able to do that in a way where it’s confined, so you know the data that you’re trusting it with, and you can make a choice of what you trust that binary with. That’s something that snaps have that, for example, Windows apps don’t have and traditional Linux apps don’t have either.”
Snap security did come under scrutiny recently when CoreOS security developer Matthew Garrett demonstrated how a maliciously designed snap application can receive keystrokes from any other application and type into other windows.
But this is really due to the workings of the X window system used by most Linux distributions, rather than a flaw in snap packages themselves. The limitation will be removed when Ubuntu finishes its plan to replace X with Mir, its own display server. (Wayland, the other major display server in the works for Linux distributions, also changes this behavior.)
But even now, Shuttleworth said snaps bring real security benefits. Snaps by default don’t have the same access to the file system that Linux applications typically have, he said. For example, a browser delivered in a snap package would be unable to read a user’s SSH keys, because snap-based applications are given their own private space and can only read and write in that area.
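The two caveats above (a snap is confined unless the user has taken it out of the box, and X11 access weakens isolation between windows) can be checked on an installed system. The following is an added example, not from the article or from Canonical: a shell audit that assumes the column layout of current snapd's snap list and snap connections output (the 2016 tooling may print different columns) and runs on constructed sample data with made-up snap names.

```shell
#!/bin/sh
# Added example: list snaps that sit outside strict confinement or can reach X11.
# Assumption: column layouts match current snapd `snap list` / `snap connections`.

# Constructed sample of `snap list` output (snap names are made up).
SAMPLE_LIST='Name       Version  Rev  Tracking       Publisher   Notes
core22     20240111 1122 latest/stable  canonical   base
editor     1.2      45   latest/stable  examplepub  classic
notes-app  0.9      7    latest/beta    examplepub  devmode
browser    120.0    3626 latest/stable  examplepub  -'

# Constructed sample of `snap connections` output.
SAMPLE_CONNS='Interface  Plug             Slot      Notes
home       browser:home     :home     -
x11        browser:x11      :x11      -
x11        notes-app:x11    :x11      manual
x11        viewer:x11       -         -
network    browser:network  :network  -'

# Reads `snap list` text on stdin; prints snaps whose Notes field contains
# classic or devmode, i.e. snaps the user has taken out of strict confinement.
unconfined_snaps() {
    awk 'NR > 1 {
        n = split($NF, note, ",")
        for (i = 1; i <= n; i++)
            if (note[i] == "classic" || note[i] == "devmode") { print $1; break }
    }'
}

# Reads `snap connections` text on stdin; prints snaps whose x11 plug is
# connected to a slot. A "-" in the Slot column means the plug is unconnected.
x11_snaps() {
    awk 'NR > 1 && $1 == "x11" && $3 != "-" { split($2, plug, ":"); print plug[1] }' | sort -u
}

# Combine both checks into one report.
audit() {
    printf '%s\n' "$1" | unconfined_snaps | sed 's/^/not-strict: /'
    printf '%s\n' "$2" | x11_snaps | sed 's/^/x11-access: /'
}

# Runs on the constructed samples; on a live system use
#   audit "$(snap list)" "$(snap connections)"
audit "$SAMPLE_LIST" "$SAMPLE_CONNS"
```

Snaps reported as x11-access are the ones exposed to the X window system behaviour described above; snaps reported as not-strict do not get the private file-system space at all.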
Learn to create a snap: http://snapcraft.io/create/
Official site: http://snapcraft.io/
Official announcement: http://insights.ubuntu.com/2016/06/14/universal-snap-packages-launch-on-multiple-linux-distros/