I installed Spotify via snap and it was working fine a couple of days ago but today it won’t start. Launching the app from KDE or from the console does nothing. Was wondering if this is related to installing it from snap and if there is a more reliable way to install it.
I use Spotify as flatpak from flathub, works great.
Some more methods to install Spotify:
- Using the prebuilt RPM package:
Spotify client – negativo17.org
    sudo dnf config-manager addrepo --from-repofile=https://negativo17.org/repos/fedora-spotify.repo
    sudo dnf install spotify-client
- Building the RPM package locally:
Enabling the RPM Fusion repositories :: Fedora Docs
    sudo dnf install lpf-spotify-client make
    sudo gpasswd -a ${USER} pkg-build
    sudo systemctl reboot
    lpf update
Both methods work for me.
I wouldn't add a proprietary binary unconfined into my system.
Btw, as far as I know the Flatpak uses the binary that Spotify ships inside the Snap.
Let’s say hypothetically someone used Negativo17’s Spotify package and let’s say hypothetically it has a trojan in it. Would it be able to spread to other parts of the OS? Or would uninstalling the package be enough?
If you run an app, it can do everything that it can do. If it has access outside of its own container, or doesn't even run in a container, it can write stuff ANYWHERE.
This includes a trivial privilege escalation in your .bashrc
alias dnf="somecommand to catch your password and pipe it to | dnf"
Next time you run dnf with sudo, the malware has your sudo password and can do whatever it wants.
No, uninstalling something does not help against malware.
And if you run untrusted apps as flatpaks, still always check their permissions, especially if they are .flatpak files like with RustDesk. Their app got rejected from Flathub because they wanted too broad permissions without a good explanation. So they publish it manually with pretty bad permissions.
You can edit it with Flatseal (GNOME) or the KDE Settings before the first launch; this is a safe method.
I would mark the Flatpak as solution simply for safety reasons
Yeah well what do I do at this point besides reinstalling the entire OS?
Well your firmware might be infected too. UEFI has a pretty big attack surface and with fwupdmgr or even flashrom you might be able to install “persistent” malware (that is what the NSA calls it) into your firmware.
So you couldn't even reinstall the OS as the firmware will create a hidden partition on the disk, or just tamper with the OS again after reinstall.
So use coreboot, or at least get a flash programmer and make a backup of your BIOS with flashrom before you use a laptop.
Store that on a pendrive (or better HDD, that storage lasts longer while not used). When something shady happens, you can use a different “trusted” Linux laptop with flashrom on it and overwrite the BIOS.
Copying the firmware is not that complex. You just need a CH341a programmer, the right adapter board and clip.
Here is how it looked when I copied the firmware off my laptop (Dasharo coreboot, write protected, I did that in case I break it lol).
Security is complex.
That’s not an option at this point. All I can do is update the BIOS when booting into Windows. It’s supposed to have “SecureBIOS” whatever that means.
Well that kind of attack also assumes somebody with a lot of money wants your data. Could also be a general attack on everyone.
If you can update it from within Windows, that means an OS can update it.
Security by obscurity works, but is not a really good solution. If you leave that Windows system airgapped, download the firmware update executable whatever from another device, copy that file over, it will be safe too.
Like, this is high level security. You don't have to do this.