Last Friday, Canonical, the developer of the popular Ubuntu operating system and owner of the Snapcraft app store, spotted one application surreptitiously mining cryptocurrencies in the background.
In the blog post announcing the incident, Canonical deliberately avoided naming the app or the publisher.
Canonical said the publisher was uploading open-source software with licenses that allowed the inclusion of mining software. It's therefore entirely possible that the original developers are unaware that their software had been monetized in this fashion.
The open-source company said that all snaps released by the publisher have been temporarily removed and will be re-uploaded without the malicious content by a "trusted party." Again, it declined to say who this would be.
This incident is a testing moment for Canonical. Snapcraft, and the broader Snap project, is a bold effort to change how package management works across the entire Linux ecosystem. Canonical has to convince a lot of people about its vision, and above all, it's got to instill trust.
It's therefore unsurprising that Canonical has approached this issue with radical transparency. Not only has it fessed up to the problem, it's also undertaken a refreshing amount of soul-searching about how it preserves the integrity of the Snapcraft app store, and whether cryptojacking could ever be considered a legitimate form of monetization.
Was the publisher doing anything wrong?
Canonical raises the question of whether the publisher was doing anything wrong, pointing out that cryptomining isn't actually illegal.
This was the argument put forward by the publisher. For what it's worth, it's a fair argument. "Cryptojacking" is a big business, and it's no longer exclusively associated with the seedier parts of the internet, like porn and torrent sites.
A few months ago, popular alternative news site Salon said it'd use cryptojacking to monetize its visitors who have adblocking extensions installed. As the crypto market matures, and cryptojacking loses its stigma, you can expect others to follow.
Canonical rejected this argument, however, noting that users weren't informed about the dual purpose of the software they were downloading.
"There are no rules against mining cryptocurrencies, but misleading users is a problem," the company said.
Where does Canonical go from here?
This incident is arguably the first big test for Canonical's Snap initiative. In addressing this issue, Canonical has acknowledged its limitations.
Canonical wrote that all Snap packages go through "automated checkpoints" and manual reviews when an issue is flagged. This is par for the course with most app stores.
However, it notes that the "inherent complexity of software" makes it impossible to go through every line of code with a fine-tooth comb.
"No institution can afford to review hundreds of thousands of incoming source code lines every single day," it wrote.
Canonical therefore argues that the best way to address the issue of bad actors on the Snap platform isn't to focus on content, but rather on the origins of software.
With that in mind, it intends to launch a verified publishers program. This will work a bit like verification on Facebook and Twitter, and it'll distinguish legitimate publishers from those masquerading as such. The details of this will be announced soon.
It's also working on more technical approaches, which it describes as "more gradual and less visible." These will place greater emphasis on isolating applications from the underlying system.