Linux Snap Package Format Goes Multi-Distro
Jun 20, 2016 1:03 PM PT
Snapcraft -- the Linux package format Canonical developed for Ubuntu -- now works on multiple Linux distros, including Arch, Debian, Fedora and various flavors of Ubuntu, Canonical announced last week.
They're being validated on CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL.
"Distributing applications on Linux is not always easy," said Canonical's Manik Taneja, product manager for Snappy Ubuntu Core.
"You have different packaging formats, base systems, available libraries and distribution release cadences," he told LinuxInsider. "But we now have something much simpler: Snaps."
Snaps are isolated from each other and the host system using technologies such as AppArmor, Taneja said. They are "cross platform and are self-contained, allowing a developer to package the exact software their application needs."
Stable releases, release candidates, beta versions and daily builds of a Snap can be published at the same time.
The beta or edge channels and the candidate channel provide a natural way for devs and pro users to collaborate on development progress.
"In theory, Snaps simplify and streamline Linux app distribution in several ways," noted Bill Weinberg, senior director for open source strategy at The Linux Foundation.
Among their advantages:
- They reduce or eliminate the need to support multiple, incompatible packaging and installation paradigms for different types of Linux-based platforms -- such as, for example, building releases for both .debs and .rpms on Debian vs. Fedora-based distributions, and supporting apt-get and yum;
- They encapsulate more metadata than existing package formats, thereby easing release and support for ISVs, as well as ingress, validation and integration;
- They create a sandbox for each app, encapsulating dependencies, such as libraries, and versions of dependencies for each app. That makes the app more of a standalone entity.
"ISVs can distribute and update Snaps without regard for libraries and versions present on the machines in question and consequent interaction among application support software," Weinberg told LinuxInsider.
Snaps "mean a lot less headaches around management of applications if they work, and on the supported Linux platforms," remarked Al Hilwa, a research program director at IDC.
"The bundling of dependencies into containers and the portability across different distributions has the potential to simplify developers' jobs significantly," he told LinuxInsider.
Snapcraft doesn't allow third-party software -- such as deb/rpm, which is not in the distro archives -- to push a higher rev of any software and run it on the machine without user permission, Canonical's Taneja pointed out.
Isolation among application installations and dependencies constitutes "another good step in enhancing security," The Linux Foundation's Weinberg said, but it is "subject to the context of deployment, as has been noted by Matthew Garrett for Windows' X11 display environments, and can enable or create new vulnerabilities."
Nevertheless, Snaps "provide a way to significantly limit exposure from software such as X11 using AppArmor, Secomp, cgroup and namespaces," Taneja contended.
Impact on the Industry
The biggest advantage of using Snapcraft "will be conferred upon apps suppliers vs. [operating system vendors] by facilitating rolling updates," Weinberg suggested.
By allowing apps to be packaged for multiple Linux distros, Snaps "level the playing field in some sense," said IDC's Hilwa. However, distributions "still have to compete on maturity, stability, reliability and manageability."
End users "may or may not perceive the presence and use of Snaps ... but as application ecosystems move to using Snaps, platform users of all stripes should see a greater number of available apps for their particular platform," Weinberg said.
The Potential Downside
Applications packaged with Snapcraft "might end up carrying dozens or more of interdependent versions of associated software around," because dependencies are seldom limited to a single library or component, Weinberg pointed out.
"Multiply that approach by a dozen deployed apps, and you end up occupying nontrivial storage resources, encouraging version divergence and replication, and [retaining] legacy versions of libs and components with high potential for latent vulnerabilities," he cautioned.
Snapcraft is being touted as ideal for the Internet of Things, but "for smallish edge devices," Weinberg wondered, "do developers really want to deploy multiple versions of the same libraries and other common but version-dependent resources?"