Signal Snap Maintainer here, this is because of a DMCA takedown request from lawyers representing Signal. Canonical is currently working with them to clear things up.
Canonical's communication to me was initially lacking due to issues in their process, the process has been amended and I'm back in the loop again.
Correct. We spoke to our attorneys and found the breakdown in communication. We are working to rectify and reinstate signal-desktop ASAP. Sorry for the confusion.
So you're saying signal requested their own program be removed from the snap store? Sorry, I'm a little confused on terms. When you say snap maintainer, are you saying you are the maintainer of the signal snap package, or that you're a maintainer of snap itself?
Yet another reason not to use Signal. The correct behavior would have been for signal to offer an official snap or to contact the maintainer. Instead they send their legal team...
Typical behavior from Signal. They have a track record of hostility that we as a community should really not be tolerating. I do not use Signal and I tell my friends not to, either. Play nice or don't play at all.
This is not a good look. The snap has been gone for almost a month, with seemingly no information given to the maintainer or users about why, except a belated "we removed it for policy reasons" 21 days ago. And if this happens to maintainers associated with Snapcrafters, imagine how you're treated if you're just some random person or company who maintains your own snap.
This is the sort of reason why people are concerned about an ecosystem where Canonical has 100% of the control of the only distribution mechanism. I suppose this is just a confirmation of the legitimacy of those fears.
Another perspective: Canonical's IoT offering, Ubuntu Core, is based around the idea that Canonical provides the base operating system, and you provide your software as a snap, uploaded to Canonical's snap store, and you push updates to your IoT product by pushing an updated snap to the store. That has always rubbed me the wrong way, but "Canonical will just delete the snap and not respond to questions about why" wasn't even something I had considered as a possibility before.
Due to how the Snapcrafters publisher works, Canonical was communicating with the "wrong" person about this takedown. They've since amended their process to make sure this doesn't happen anymore. (Snapcrafters is a team of community volunteers maintaining unofficial packages)
Due to how lawyers and legal threats work, Canonical is very hesitant to publicly talk about what is going on. You can expect a thorough post-mortem after the legal issues are cleared up.
While this incident isn't good, I still think the setup is a ton better than Flathub, where you have flatpaks being maintained by third parties with no relationship to the software vendors. For example, all of the Jetbrains snaps are managed by a volunteer, as is Zoom (!)
Compromise one of those devs' personal computers, and you've now got a path to getting a backdoor out to everybody using those. I trust Canonical's security team over random volunteers.
There apparently was communication with someone related to Snapcraft, so there was an effort to communicate; since the account used for upload was a generic one, I think they can be forgiven for not doing anything more than that. Regarding the reason for removal, that is another issue.
After reading the thread, I still have no idea why it got removed, so: why did it get removed? What part(s) of the snap policies did they violate, and how is it possible that even something that doesn't charge $100 a year before you can even publish a snap doesn't even notify the maintainers that their app got removed? Just because you run an app store doesn't mean Apple and Google's opaque refusal system is the part you should take inspiration from, too.
> The Certbot snap supports the x86_64, ARMv7, and ARMv8 architectures. While we strongly recommend that most users install Certbot through the snap, you can find alternate installation instructions here.
Shame on you, certbot and EFF.
Of all people, I expected better from you.
For my Fedora people, looks like we can directly install with `dnf`.
Debian aptitude people should prefer the same.
Available Packages
Name : certbot
Version : 1.30.0
Release : 1.fc36
Architecture : noarch
Size : 44 k
Source : certbot-1.30.0-1.fc36.src.rpm
Repository : updates
Summary : A free, automated certificate authority client
URL : https://pypi.python.org/pypi/certbot
License : Apache-2.0
Description : certbot is a free, automated certificate authority that aims
: to lower the barriers to entry for encrypting all HTTP traffic on the internet.
On the bright side, their move to snap finally provided me with the impetus to switch to acme.sh (https://github.com/acmesh-official/acme.sh) and it's been a much nicer experience.
I understand the appeal as the developer, Linux package management is heavily fragmented. The snap is build once deploy everywhere. But there are a lot of drawbacks for the user. I don't want my applications to be huge bundles that use twice the ram and have an alternate update system. As a primarily Debian user, I would much rather have a deb repo. If they insist on bundling it like this, flatpak would be a better choice than snap.
This kind of thing is vindicating for those of us who stayed away from snaps precisely because the server side is proprietary and the snap tooling only supports Canonical's centralized store.
A centralized service being the only option for software distribution is too large of a failure point, no matter who's running it.
I'm being slightly offtopic here but I really dislike how slow Firefox is to launch since it became a snap package as a default on Ubuntu 22.04. I know I can uninstall the Firefox snap and install it through APT, but I imagine more and more packages will become snaps by default on Ubuntu.
And finding out now that it's possible that snaps are part of a walled garden, just like app/play stores are is really bumming me out.
I'm rather new to linux and Ubuntu is the distro I'm most familiar with and I also really like using KDE. So I'm wondering if it's feasible to continue using a Ubuntu based distribution while completely avoiding Snaps or should I just switch distros (maybe to another one that runs KDE).
Well, I have been using Ubuntu for many years. This kind of thing, centralizing packages and removing one without explanation etc makes me think I should move on. I suppose the alternative is to switch to Debian?
Or maybe there is something totally different that is becoming popular that I don't know about yet?
DMCA takedowns need to go away forever. What an idiotic implementation of the law. If someone is claiming theft, they have to at least provide proof.
Imagine if I asked police to give me my neighbor's car, as I'm claiming it as mine, and they would have to immediately comply before investigating if my claim has merit?
How in the world did a walled garden ecosystem like Snap manage to embed itself so deeply into Linux culture? There needs to be a user and industry revolt against Snap for this sort of shenanigans.
The snap distribution is unofficial. The Signal team only provides .deb files for Linux (seemingly built for Ubuntu Xenial) and any other distribution method on Linux is strictly done by volunteers.
If Signal is willing to leverage the DMCA to take down the Snap package, they could just as easily take down any other unofficial repository.
If you wish to solve this problem, write a letter to your favourite American legislator to protest the stupid way the DMCA is set up or contact Signal legal and tell them their use of the DMCA is bad for the open ecosystem that they operate in.
Someone freely choosing to grab an unofficial version of Signal from the store of their preference isn't the problem here.
The same way systemd did? The force of a multi-billion dollar company, where profit is far more important than doing it right?
Linux and OSS software became what it is, became the stable, secure powerhouse it is, literally dominating every aspect of computing, because profit was originally less important.
Look at Debian, which only ships when ready, and never ever to a fixed deadline.
Yet today, almost all private corps take and take and take, without ever contributing code and workers back.
Look at Ubuntu, a distro which literally could not even remotely exist without Debian, from which most of it is derived, and rebased to constantly.
To Ubuntu, a great leech of the OSS world, it is more important to give a crappy experience(snaps), than use Firefox LTS, for example.
I wonder why Signal opposes flatpak so much. As far as I remember, they insist on sticking to .deb package only [1]. Seems like switching to Flatpak would benefit a lot of people now because of Steam Deck-induced Flatpak popularity [2].
I really despise the idea/existence of app stores.
Why can't a publisher's website be their store front, then from that site, you can run (or "download"/"install" if you must) the app?
Technically it looks like that would actually work [1]. They could host the `.snap` file. Although I'm sure snap will add friction to this (as in, not simply let you open and click "Install") from a downloaded snap file, as they probably want you to use their app store.
For me, it's updates... I don't want popups telling me to update software every few days, and then opening a webpage, downloading a snap/deb/whatever, installing it again, with sudo passwords and all that,... and then open another app, another popup, another site, another .deb... It feels like windows.
I want a centralized "update" feature, that will do all that for me.
This can be done by signal adding its own repo, but it's a pain to add a per-app repo, if the app can be on the central (distribution-managed) one, especially if it's a popular app.
Are they, technically, any different than APT repositories?
Don't get me wrong. I hate Snap much more than the next guy, but the idea of keeping a repository so you can go look for, and discover, stuff that is supposedly also vetted by someone is nice.
The issue is, when an app store is a monopoly and not standardized.
APT repositories are, in my eyes, an example of "the good" type of app store.
Ideally it would be handled like BitTorrent/Magnet/IPFS:
- Links resolve, and data can be fetched, as long as anyone is hosting it (regardless of who)
- Anyone (including big orgs/corps) can provide a curated lists/search for links they vouch for
- Removing something from a list doesn't affect anyone's ability to fetch and use it; only whether they see the link in that particular search/list UI
On any fresh Ubuntu install including on WSL, I always `apt uninstall snap` and never worry about it again. I will never use snap and will continue to use apt for packages, thank you very much.
> > Snap Store administrators had to remove the snap in accordance with our policies.
>
> Thank you for providing an official answer.
An officious answer is more like it. Note the deliberate evasiveness (which policy? Mind your own business.). This is to be expected from an organization one of whose "policies" is "we are going to update apps on 'your' desktop whether you like it or not, luzer."
snap is garbage. For a while when it first came out, it had newer packages than Ubuntu. But then, over time, most of the packages went stale. Every snap I install requires --classic (which overrides the sandbox). I wish they would just kill it.
Quite something for an open source project to use DMCA of all mechanisms to remove an unofficial distribution, but alright, maybe there's a trademark issue.
Sounds like someone should change the icons and change the name to make the unofficial Signal snap look properly unofficial. Should protect the application from Signal's controlling tendencies as well as their open source code can and should be redistributed freely.
What is this response? Still no indication anyone has been contacted with the reason why it was removed, only that "in the future we will let you know if we remove something, sorry".
This is my semi-regular message where I decry that Keybase Chat (https://keybase.io) isn't more popular. It's cross-platform, fully E2EE, has the best identity solution of all, open source, doesn't depend on phone numbers, etc etc, isn't mar In my experience, it beat all the alternatives I have used (incl. Signal, Telegram, WhatsApp, and especially Apple's Messenger). The only caveat is that Keybase.io got acquired by Zoom (thus, it's Zoom now) and the service is at the continued mercy of Zoom. However it's been a year (years?) and it's still working great.
This is really sad because I've become a huge Ubuntu fanboy in the last year, but this behavior is unacceptable. They need to fix their processes and be more dev friendly or they're going to lose allies.
I'm not a Signal user, however given what is the target audience of Signal, I can totally understand the maintainers not wanting unofficial packages around, even more so if surrounded by a snap environment they have no way to check for security.
Now, unleashing lawyers as first move is debatable for sure, and I won't be the one who defends that move, so probably some more insight from Signal should be expected.
[+] [-] mesebrec|3 years ago|reply
[+] [-] brianacton|3 years ago|reply
[+] [-] googlryas|3 years ago|reply
[+] [-] ElijahLynn|3 years ago|reply
Can you post this update on the Snapcraft (https://forum.snapcraft.io/t/what-happened-to-signal-desktop...) and GitHub threads (https://github.com/snapcrafters/signal-desktop/issues/70) too?
I was going to just now and cross link back here to your comment and figured it would be better coming from you directly!
[+] [-] forgotpwd16|3 years ago|reply
Whoa. That's unexpected.
[+] [-] spullara|3 years ago|reply
[+] [-] xtat|3 years ago|reply
[+] [-] nottorp|3 years ago|reply
Will they do the same if some vulnerability is found in Signal? Lawyer up instead of fix the problem?
[+] [-] sschueller|3 years ago|reply
[+] [-] ddevault|3 years ago|reply
[+] [-] mort96|3 years ago|reply
[+] [-] mort96|3 years ago|reply
[+] [-] galgalesh|3 years ago|reply
[+] [-] smallerfish|3 years ago|reply
[+] [-] emj|3 years ago|reply
[+] [-] TheRealPomax|3 years ago|reply
[+] [-] sschueller|3 years ago|reply
Also certbot, shame on you for removing the Debian repository in favor of snap.
[+] [-] pooper|3 years ago|reply
Yes, this deserves shaming.
> https://certbot.eff.org/instructions
[+] [-] fanatic2pope|3 years ago|reply
[+] [-] jacob019|3 years ago|reply
[+] [-] runlevel1|3 years ago|reply
[+] [-] ryukafalz|3 years ago|reply
[+] [-] SlackingOff123|3 years ago|reply
[+] [-] ilaksh|3 years ago|reply
[+] [-] lxe|3 years ago|reply
[+] [-] lxe|3 years ago|reply
[+] [-] luckylion|3 years ago|reply
[+] [-] johnisgood|3 years ago|reply
[+] [-] fazfq|3 years ago|reply
[+] [-] jeroenhd|3 years ago|reply
[+] [-] b112|3 years ago|reply
Good grief.
[+] [-] ifeeltriedboss|3 years ago|reply
1. https://github.com/signalapp/Signal-Desktop/issues/1639
2. https://www.reddit.com/r/signal/comments/tiidh8/comment/i1em...
[+] [-] cmeacham98|3 years ago|reply
[+] [-] turblety|3 years ago|reply
1. https://github.com/snapcrafters/signal-desktop/issues/70#iss...
[+] [-] ajsnigrutin|3 years ago|reply
[+] [-] martinmunk|3 years ago|reply
[+] [-] edent|3 years ago|reply
[+] [-] chriswarbo|3 years ago|reply
[+] [-] ifeeltriedboss|3 years ago|reply
[+] [-] cercatrova|3 years ago|reply
[+] [-] inetknght|3 years ago|reply
Might want to double-check if/when there's some automatic update that decides to reinstall Snap
[+] [-] numeromancer|3 years ago|reply
[+] [-] dekhn|3 years ago|reply
[+] [-] jeroenhd|3 years ago|reply
[+] [-] foolswisdom|3 years ago|reply
https://forum.snapcraft.io/t/what-happened-to-signal-desktop...
[+] [-] he_is_legend|3 years ago|reply
[+] [-] bobmaxup|3 years ago|reply
[+] [-] FullyFunctional|3 years ago|reply
[+] [-] warent|3 years ago|reply
[+] [-] squarefoot|3 years ago|reply