Transcript from the "Snaps" Lesson
>> So the next thing that we're gonna talk about is snaps. So I need to give you a bit of history here and also a little bit of open source politics because this is kind of necessary. The way to package a Linux package is way too controversial for what that sounds like, right?
[00:00:20] There's an open source war over how to correctly package something for Linux. So the problem with APT and most package managers is it's relatively unsafe in the sense of if someone injects bad code into APT and you install it, they can wreck some serious havoc on you and do some pretty nefarious things.
[00:00:44] And so various different package managers and companies have been trying to figure out how can we install untrusted code? And someone that has worked on this problem before, installing untrusted code is always, it's kind of a scary proposition. So the way that they kind of mitigate that right now is every bit of code that you install from APT is always combed over by open source developers to make sure that you are not installing anything bad.
[00:01:16] And that's not a super scalable solution. And it's also very fallible, right? If I'm an open source developer and I go read 10,000 lines of code, there's a decent chance that someone can write code in such a clever way that I would miss the bad parts of it.
[00:01:31] We've seen this with NPM a couple of times, right, where we've had really bad code make it out to NPM because people are pretty smart. They can circumvent obvious ways of exfiltrating data. So knowing that's the problem that we wanna have some sort of scalable solution of installing untrusted code.
[00:01:52] There's been four or five different major initiatives to try and figure that out. One of them is called snaps, and that's the one officially supported by Canonical and for Ubuntu. So that's what I'm gonna focus on. But the cool thing about snaps, because of how they're packaged and run, they can run on any Linux distribution.
[00:02:09] Whereas something like APT is actually gonna only install Ubuntu code, right? So you can't use APT on Red Hat, for example, because that code was compiled specifically for Ubuntu. And there's enough differences that that's not gonna port across easily. You'd have to rebuild it from the source specifically for Red Hat.
[00:02:31] What snaps do is they do something called sandboxing. Or at least they're trying the sandboxing so that it's a totally enclosed package that it cannot break out of. So even if you install something that's going to steal all of your bitcoins, it won't be able to break out of that particular sandbox.
[00:02:49] And that's the kind of the basic premise of snaps. Because we're able to sandbox everything, they can actually include all of the code necessary to run it. Which means that you can have a snap and you have the very same snap on Ubuntu and Red Hat. It's both gonna run the correct way.
[00:03:06] So that's another big benefit of snaps as it works outside of just Ubuntu, Mint and Debian. And another thing that's kind of beneficial is every time that you go to update something from APT, it throws away everything and it downloads an entire new version of it. So if you have a package that's a gigabyte big, you have to throw it gigabyte and reinstall the gigabyte even if you updated just one line of code.
[00:03:32] The nice thing about snaps is they can ship deltas, right? So they can actually just ship the one line of code that changed and don't have to redownload the entire package. So that's the basic premise. That's the idea of what snaps are. It's officially supported by Canonical. And in general, I think it's a fairly sound architecture.
[00:03:53] I use snaps, but there are some people that don't like them. And they don't like Ubuntu or Canonical's kind of aggressive approach to getting this out there. I actually read that I think as of a couple weeks ago. Mint, which is again downstream from Ubuntu, doesn't even include the ability to run snaps out of the box.
[00:04:11] You can do it, you just install one package called Snaps D. But you have to install it because they didn't like how aggressive they were being about it. So I think probably the question you're gonna ask me is why would I use a snap and why would I use APT?
[00:04:30] And honestly, for the most part, you're not gonna really care a whole lot. Snaps are more secure. I think that's an honest answer to that question. They update automatically, so this can be both a scary and a cool thing. You don't control when snaps update. Snaps just update themselves automatically and there's no ability to kind of stop that train from getting in motion.
[00:04:51] They did that on purpose, kinda like browsers, where browsers are like, we don't care. We're gonna update and we're not gonna let you tell us not to update, because we want everyone to be on the latest package. They built snaps in a similar way that they want everyone to be up to date.
[00:05:03] And that upsets people that wanna have control over the versions. So that's kind of a mixed bag thing of how you feel about it. If it's my production Node.js server, I don't want you to update it. That's my thing. Don't touch my thing. But if it's my desktop computer and you're updating Chrome for me automatically, great, cool, do it automatically.
[00:05:23] I don't wanna think about that. So snaps are safer as long as you don't install it. You can install snaps in an unsafe way. But as long as you install it in the safe way, which is the normal way, they are safer cuz they won't let code outside of the sandbox.
[00:05:37] Snaps are how Ubuntu install GUI apps, graphical user interface. So if you do snap install Visual Studio code, right, you can stall that via snap. You can do Spotify, Firefox, Chrome, all those kind of different tools. All those are installed via snap. So when you install Deb, Deb is another form of packaging, which is what APT uses underneath the hood and for the most part.
[00:06:08] You can install snaps via APT, which is a little confusing. But Debs, which is the other file format for APT, those have to be 100% reviewed before they make it onto the registry, which is probably why we're still in Node 8 for Ubuntu. Cuz they don't wanna make sure that people aren't publishing nefarious stuff.
[00:06:29] Snaps, due to how they're packaged, can be updated by the developer without going through review. So that means they're able to stay more up to date. We can have more control of it because there's more trust there. Or rather to distrust them so they can basically do whatever they want, right?
[00:06:42] So that's my exhaustive list of why you should think about snaps versus Debs. So things like node and lolcat are actually installed on both. So in fact, we can go ahead and try that if you want to. If I come in here and say, let's see, apt --help remove, sudo apt remove lolcat, that'll go remove it from the Deb version.
[00:07:14] And then if I do, I think it's snap. So if I say sudo snap install lolcat, This will actually go out and get the snap version of lolcat. And you'll see it doesn't matter. It works precisely the same way, but they're packaged differently. So that'll work, it'll take just a second.
[00:07:43] So if you're gonna ask me what am I gonna do when it's my computer. If I'm doing a Linux desktop, where I have the Ubuntu desktop running, I'll probably use snap quite a bit more cuz I like the autoupdate feature. And otherwise, I kinda just use APT, and that's probably more just from muscle memory than any sort of conscious decision.
[00:08:05] So probably that's a non-answer, but it's also the truth. [LAUGH] So that's what you get. So yeah, it's taking a little bit longer. I think typically snaps end up being a bit bigger in size, because they include all of their dependencies in one package. Whereas when you install from APT, it seems smaller because it has just the code, and then its dependencies span onto other dependencies.
[00:08:33] So I think snaps on the whole end up being a tiny bit bigger if you include all the dependencies, but in reality, it ends up being about the same. Yeah, like I mentioned, lolcat right now, it's probably installing Ruby for me inside of the snap. Which is probably why it's pretty big.
[00:08:57] Another thing that I think I kind of alluded to this earlier, but in order to run a snap, you need something called snapd, which is a daemon or daemon. Depends on who you asked about that. Again, computer scientists can never agree to how to pronounce things because we don't speak our language, right?
[00:09:11] We type our language. So how do you pronounce the word D-A-E-M-O-N? I've always said daemon because there's an A in there. [LAUGH] But it's technically the old English spelling of the word demon. So people just say demon. Up to you, I'm sure you're incorrect no matter what you say, so doesn't matter.
[00:09:33] So a daemon is something that runs in the background that you don't have to worry about, right? So the snapd or initd or containerd, anything that ends with a d at the end is a daemon, typically. And these are programs that are running in the background without you having to do anything about it.
[00:09:50] That's all that term means. So you have to install the snap daemon, which is the tool that actually executes daemons. So if you're on Mint or if you're on Red Hat or anything like that, you just have to install snap daemon, and then you can run it. Okay, so there we go.
[00:10:09] I installed lolcat. Now I can say ls -lsa, pipe that into lolcat. And I probably have to restart this cuz it, yeah. This particular terminal session won't have lolcat installed yet, so I have to open it, so reinitializes itself. And now I can say ls -lsa pipe lolcat, and there you go.
[00:10:35] Now, that's running from snap instead of running from a Deb. So something that you might see as well, let's do a sudo apt remove nodejs. Okay, that'll go delete nodejs from the Deb. And then if we do, let's say, snap info node, You can see here, because it's going through snap, the people that maintain the node snap which is node source, which is a bunch of lovely people, you can trust them.
[00:11:12] They're able to publish much quicker because they don't have to go through any sort of process for it. And you can see here, they're up on 14. So that's why Ubuntu is kinda pushing, or Canonical is pushing people towards snaps. So now I can just say sudo snap install.
[00:11:29] So when you're installing snaps, you have to opt into a channel. Most snaps have just a default channel, which is what we saw with lolcat and have to opt into a channel. But in this one, you have to say, give me versions of Node 14. Because they don't wanna upgrade to Node 16 without you knowing, because that can break your application.
[00:11:50] So I'm gonna say I wanna be on 14/stable, but I could say 12/stable, I could say 10/stable. In fact, you can see up here. There's latest/stable, there's beta, edge. There's a bunch of different channels. And then you have to just give it a classic. If I didn't give it this classic, then it wouldn't actually work, it wouldn't install.
[00:12:11] This actually allows this to break out of the snaps. So this actually is not fully sandbox, which means that you do need to trust it if you're gonna give it this classic flag. If I do that, this is actually gonna go out and grab me the latest version of Node 14.
[00:12:30] And I'm not gonna sit here and make you watch this install, but suffice to say this is going to work. It's gonna install the latest of Node 14. Yeah, the thing I wanna underscore here, if you're gonna give it the --classic, go check who's publishing it and make sure that's someone that you trust to publish something.
[00:12:50] Because it's not quite as secure, but it is more secure than an APT install. So kinda balance your options with that. And that's it for Node.js, or it's not Node.js. I just taught you Node.js in 30 seconds. That's it for package management with Linux, or specifically with Ubuntu.
[00:13:16] Everything I just taught you is pretty specific to Ubuntu. If you're gonna do something with Red Hat or with Mint or something else, they have their own versions of this. But it's relatively similar ideas, just expressed by different companies.