Automatic refresh for snaps (security model): Let users confirm updates

There has been some debate about enforced automatic snap updates.

While I consider frequent app updates an important feature, let me question this model from a different security perspective:

Automatic non-deniable updates might promote fast distribution of malicious software updates.

By malicious software updates I mean ones either caused by

  • snap project maintainers that have changed their “moral compass” and project goals
  • projects overtaken by a different evil actor

In the past, e.g., the Node.js npm ecosystem had several occurrences of evil packages. The big difference to snap is that npm packages are not getting installed automatically.

I would favor some kind of confirmation dialog - akin to the Ubuntu Software Updater. This would give you a chance to check updated snaps in general before they are installed.

Of course, you can change the update interval via snap set system refresh.timer. But

  • secure, confirmed updates should not be mutually exclusive with frequent updates.
  • you may have bad luck if the distribution of an evil package overlaps with your update interval.

I would be curious to hear what security model snap/Canonical has to mitigate the above attacks.

Thanks in advance