this post was submitted on 10 Jul 2025
KDE

KDE is an international technology team creating user-friendly free and open source software for desktop and portable computing. KDE’s software runs on GNU/Linux, BSD and other operating systems, including Windows.

[–] [email protected] 0 points 2 days ago

"Yeah, I got another pallet of bad press on Snap packages"

put it in the corner with the rest

[–] [email protected] 0 points 2 days ago

It's not the first time Canonical has missed this stuff. Flatpak is not perfect but you don't see this on flathub.

[–] [email protected] 0 points 2 days ago* (last edited 2 days ago) (3 children)

Source: snap. So, tell it to Canonical (the company that develops Ubuntu). https://snapcraft.io/euruspro-desktop Report it.

Discover is a frontend client.

[–] [email protected] 0 points 2 days ago (2 children)

I feel like KDE still maintains responsibility over packages like this. After being aware of the issue, they should make it not available to users.

[–] [email protected] 0 points 2 days ago

That's not how FOSS works. Even if Discover were delivered with a blacklist of certain packages, the distributor could change or completely remove that blacklist; hence why it would be pointless to have one. I'm about to report this thread for being offtopic here because what (non-KDE software) a certain Linux distro has in its repos is unrelated to KDE.

[–] [email protected] 0 points 2 days ago

So you would expect the devs to include a filterlist for known bad packages in different potential source stores that they have no influence over? How would you distribute that? Bundled with Discover, in which case the package maintainers of the different distributions have to roll out new versions with the updated list? Or as a list maintained on some server the KDE team has to provide, which gets updated by Discover automatically on startup? What if you don't condone their decision to block something? What if the list gets abused? What should companies do that want that list customized?

[–] [email protected] 0 points 2 days ago (2 children)

I could swear Ubuntu snap store has been gotten with this bullshit before, maybe more than once

[–] [email protected] 0 points 2 days ago

Like 5 times already

[–] [email protected] 0 points 2 days ago (2 children)

Yes this is how I found out about it, by searching if there was a known Exodus scam with Snap. I can't believe this has happened more than once, I don't know how Snap works but that seems like a mistake you make once and then never again.

[–] [email protected] 0 points 2 days ago

It happens because putting packages on snap happens privately without transparency and is likely mostly automated. Whereas any package added to flathub has a public repo: https://github.com/flathub. That wouldn't absolutely prevent this, but it would make it much less likely to happen in the future, as adding a package to flathub is an open process: https://github.com/flathub/flathub/pulls

[–] [email protected] 0 points 2 days ago

This Exodus wallet scam popped up before. https://arstechnica.com/information-technology/2024/03/ubuntu-will-manually-review-snap-store-after-crypto-wallet-scams/

So your theory about "never again" has been spectacularly shot down, apparently. Even the same name.

[–] [email protected] 0 points 2 days ago (2 children)

I reported the SNAP to Canonical. I understand that this is not directly KDE Discover's fault, but I wonder if there's still a possible solution (like a bigger warning for SNAP packages or something).

[–] [email protected] 0 points 2 days ago (1 children)

The warning is, don't use SNAP packages.

[–] [email protected] 0 points 2 days ago* (last edited 2 days ago)

At this point, Canonical is so desperate that even if you try to use apt on the command line to install certain packages it'll override it to install the snap version anyway:

$ apt search firefox

firefox/oracular,now 1:1snap1-0ubuntu6 amd64 [installed,automatic]
  Installs Firefox snap and provides some system integration

[–] [email protected] 0 points 2 days ago* (last edited 2 days ago)

In the last Discover version, there is a warning; but distro developers can hide it (and they will, Canonical does not want a "Third-party programs could be dangerous for your system" disclaimer for their snap repository).

[–] [email protected] 0 points 2 days ago (2 children)

My dad just got scammed out of a lot of money by downloading this fake Exodus cryptocurrency wallet from the Discover app. I really can't blame him too much, it looks legit and usually you don't think of getting scammed in the official Discover app.

[–] [email protected] 0 points 2 days ago (1 children)

If you've got a lot of money in cryptocurrency, then you should almost certainly use a hardware wallet.

(I realize this is obvious to you now but want to inform anyone else reading...)

[–] [email protected] 0 points 2 days ago

@explodicle @weastie
and yet, it is my understanding that you still need some sort of desktop software for accessing a hardware wallet!
This argument is not an excuse against malware.

[–] [email protected] 0 points 2 days ago (2 children)

I've reported the SNAP to Canonical and emailed KDE security.

It looks like this exact same thing happened a year and a half ago (just search "snap exodus scam").

[–] [email protected] 0 points 2 days ago

This is at least the third time this has happened. There was also a malicious app that was a cryptocurrency miner.

I don't know how Canonical can take themselves seriously when it comes to Snap. It's beyond embarrassing. Their near complete lack of moderation has hurt people over and over again.

[–] [email protected] 0 points 2 days ago (1 children)

I'm not 100% sure what KDE can do, because Discover is not a unified store. It just pulls from the back-end repos and either Snap or Flatpak set by the distro.

[–] [email protected] 0 points 2 days ago (1 children)

They could still blacklist certain entries, it's not like they don't have that control. Bazzite just launched its own alternative to Discover called Bazaar that hides things like the Steam flatpak that will fluff your day up. Whether the DE should be doing that sort of moderation is another question entirely, but I think the answer is clear if it's a straight up scam.

[–] [email protected] 0 points 2 days ago (1 children)

I don't think that it is the responsibility of KDE or Discover to perform blacklisting or cleanup here.

It is an upstream fuck-up by Canonical, again! The solution for this can't be that developers of a frontend, like Discover, now reserve and use time and resources to add and maintain blocklists to clean up that mess that they didn't create.

We should get our torches and pitchforks and put all the blame where it belongs, at Canonical!

[–] [email protected] 0 points 2 days ago (1 children)

I don't think it should be about blame game, though.

It's 100% Canonical's fault, but it would be nice for KDE team to at least respond to scam alerts they receive and block respective apps from appearing in Discover.

[–] [email protected] 0 points 2 days ago

No, it would not, because as soon as they implement such a blocklist feature and provide official blocklists they take over responsibility (morally and in some countries even legally) to ensure that they provide updated filter lists in a timely manner.

Oh and then they have to implement something that vets and checks incoming scam alerts, to ensure that only valid claims are blocked. This will put unneeded strain on the personal and financial resources of KDE.