Ubuntu 26.04 Trust Problem: Snap Flaws, Ads & Migration

Ton Does Linux and More!

Duration: 15m 15s · 2,048 words · ~11 min read
Auto-generated transcript

[0:00] You open a fresh Ubuntu 24.04 installation. You need Chromium, the open source browser you've run as a native .deb package for years. You type the command you've typed a hundred times before: sudo apt install chromium-browser. And then, something happens quietly in the background. There's no dialog box, there's no warning, there's no consent request. What actually happens is that Canonical has quietly replaced the chromium-browser package with a transitional stub. This stub silently pulls in the Snap runtime and installs a Snap package instead, all while you believed you were running a standard APT operation. For millions of users who trust the command line above all else, this is a violation of the most fundamental expectation in Linux: the expectation that the system does exactly what you tell it to do and nothing else.

Welcome back to Ton Does Linux. Today, we need to have a serious conversation about Ubuntu. This isn't about creating drama or hating on Canonical. Ubuntu is still one of the most important distributions in the Linux ecosystem. But over the last few years, and especially looking at the landscape in 2026, Canonical has accumulated a pattern of trust-eroding decisions that every Linux user needs to understand. We are going to look at four specific issues today: the silent Snap installations via APT, the injection of promotional messages inside the server terminal, the ongoing problem of malware reaching users through the proprietary Snap Store, and a brand new high-severity privilege escalation vulnerability discovered just this week. Each of these decisions or incidents on its own might be explainable. But together, they form a recognizable corporate playbook. A distribution that was built on community trust cannot afford to treat that trust as a renewable resource.

Let's break down exactly what is happening, look at the hard numbers, and discuss what you should do next, whether that means staying on Ubuntu or migrating to an alternative distribution. Let's start by looking closer at those silent installations and why they matter far beyond just being a minor inconvenience. The Chromium case is the most visible example of APT installing Snaps without telling you, but it's not the only one. On Ubuntu 24.04, several popular package names in APT have been converted into transitional stubs. Their sole purpose is to bootstrap snapd and pull a Snap version instead. Why does this matter? Because package management trust is the absolute bedrock of Linux system administration. When a sysadmin runs apt install, they need certainty about what that package will be, where it will live, and what it might activate. That certainty makes scripted deployments and system administration reproducible. Silent format switching breaks that contract at a foundational level. The stub installs the snapd daemon even if you previously removed it. These packages auto-update on their own schedule, independent of your APT upgrade commands or planned maintenance windows. In production, this is a massive compliance and change management issue. Snap binaries live in a different directory structure, outside the standard user bin path, which can break scripts and system monitors.

This was a deliberate product decision, and it's not the only place Canonical uses your infrastructure as a billboard. Let's talk about the terminal, sacred ground for Linux professionals. It's where infrastructure decisions are executed, often during critical incidents. The command line's reputation for precision and honesty has been earned over decades. When Ubuntu began injecting promotional messages into terminal output, it crossed a line many administrators consider non-negotiable. Years ago, Ubuntu's Message of the Day system included Amazon search integration in GNOME. That was rolled back after backlash, but the promotional instinct didn't disappear; it just shifted channels. Ubuntu Pro upsell messages now appear inside APT upgrade output. MicroK8s and other products are promoted via MOTD news, which fetches promotional content from a Canonical server when you log in. These messages can appear in automated logs, confusing monitoring tools, parsers, and junior engineers who might mistake promotional text for system warnings. Even worse, the MOTD fetch makes an outbound HTTP request to Canonical servers every time you log in, sharing infrastructure activity data you may not have consented to share. A server terminal is a workspace, not a billboard. Inserting commercial messaging into professional tools reflects a revenue optimization mindset applied where it fundamentally does not belong.

But the issues with Snap go deeper than forced installations and terminal ads. We need to talk about what is actually inside the Snap Store. If you force users to use a specific package manager, you take on the responsibility of keeping that ecosystem safe. And recently, the Snap Store has struggled with exactly that. In February 2024, a fake Exodus Bitcoin wallet application was published in the Snap Store. A single Bitcoin investor downloaded it, thinking it was the legitimate app, and was scammed out of nine Bitcoin. At the time, that was worth approximately $490,000. You might think that after an incident of that magnitude, the security review process would become ironclad. But the problem has actually escalated. In January 2026, security researchers and former Canonical developers, including Alan Pope, exposed a sophisticated new campaign targeting Linux users. Instead of just creating new, suspicious-looking accounts, attackers found a much more clever way to bypass trust signals. They started hunting for expired web domains that belonged to legitimate, long-standing Snap Store publishers. They would register these expired domains, set up email servers, and use them to hijack the original developers' Snapcraft accounts. Once they had control of a trusted account with a history of safe packages, they would push a malicious update. These updates were designed to look perfectly normal, but in the background, they would harvest cryptocurrency wallet recovery phrases and send them to servers controlled by the attackers. By the time a user realizes something is wrong, their sensitive data and funds are already gone.

Alan Pope, who worked at Canonical for a decade and still maintains nearly 50 packages in the Snap Store, has been very vocal about this. He noted that while security professionals regularly report these bad Snaps, it can sometimes take days for Canonical to actually remove them from the store. When you have malware actively draining user wallets, a response time measured in days is simply unacceptable, especially when Canonical's own system makes it difficult for users to choose alternative sources for their software.

This brings us to a fundamental architectural issue with Snaps. The Snap Store backend is entirely proprietary. Unlike Flatpak, where anyone can host their own repository, the Snap Store server is closed source. Only Canonical can run it. There are no community mirrors. There is no self-hosted alternative. Canonical has absolute control over what gets distributed and to whom. When you combine a proprietary, unavoidable backend with a track record of slow malware removal, you create a significant trust deficit.

And just this week, that trust was tested again by a critical security flaw discovered in the very foundation of how Snaps are isolated from your system. Just days ago, on March 17th, 2026, the Qualys Threat Research Unit disclosed a high-severity local privilege escalation vulnerability affecting default installations of Ubuntu Desktop 24.04 and later. Tracked as CVE-2026-3888, this flaw has a CVSS score of 7.8. It allows an unprivileged local attacker to escalate their privileges and gain full root access to the system. The vulnerability exists in the interaction between two core system components: snap-confine and systemd-tmpfiles. Here is how it works in simple terms. snap-confine is the highly privileged component that builds the secure sandbox before a Snap application runs. systemd-tmpfiles is the service that automatically cleans up temporary files and directories that get too old. In default configurations, the cleanup daemon is scheduled to remove stale data in the temp directory after a set period, 30 days in Ubuntu 24.04 and 10 days in later versions. An attacker simply has to wait for this cleanup cycle to delete a specific critical directory required by snap-confine. Once the system deletes it, the attacker quickly recreates that directory but fills it with their own malicious payloads. During the next sandbox initialization, snap-confine blindly mounts these malicious files as root. This allows the execution of arbitrary code within a highly privileged context, resulting in a complete compromise of the host system. While the attack does require local access and a time delay, it requires no user interaction and very low privileges to execute. Canonical has released patches for this, and if you are running Ubuntu 24.04, 25.10, or testing the upcoming 26.04 release, you need to update your snapd package immediately. But this vulnerability highlights a broader concern. Snap was designed to increase security through containerization and strict permission models, but the complexity required to enforce that isolation at the kernel level creates new, highly privileged attack surfaces. When you mandate that users rely on this complex, proprietary-backed system, and that system introduces critical root-level vulnerabilities, it forces administrators to re-evaluate their risk models.

This is especially relevant as we look toward the release of Ubuntu 26.04, Resolute Raccoon, next month. While Canonical is introducing welcome changes like default permission prompting for Snaps, the community consensus is that 26.04 will integrate Snaps even deeper into the core system. For many users and enterprise administrators, this is the breaking point. The combination of forced installations, terminal advertising, slow malware response, and complex vulnerabilities is driving a serious conversation about migration.

So, where does that leave us, and what should you actually do about it? If you are currently running Ubuntu, your immediate priority is security. You need to run apt update and apt upgrade right now to ensure your snapd package is patched against the CVE-2026-3888 privilege escalation vulnerability. Do not wait on this. Once your system is secure, you have a choice to make about your long-term relationship with Ubuntu. If you want to stay on Ubuntu but regain control over your package management, you can block Snaps entirely. You can create a preferences file in the APT configuration directory that pins the snapd package to a negative priority. This prevents it from ever being installed, even by transitional packages. You can then use PPAs or Flatpaks to get the software you need. I'll put the exact commands to do this in the description below. You can also disable the MOTD news service using systemctl to stop the terminal advertisements and the outbound HTTP requests on login.

But let's be honest, fighting your operating system's default behavior is exhausting. If you are spending hours writing Ansible playbooks just to undo Canonical's product decisions, it might be time to look elsewhere. For desktop users, Linux Mint remains the absolute gold standard for an Ubuntu-like experience without the Snap controversy. They explicitly block Snaps by default and provide a clean, user-focused environment. Pop!_OS by System76 is another fantastic option that relies on Flatpak and native packages. If you want to move away from the Debian base entirely, Fedora is incredibly polished in 2026. It provides fresh software, respects open-source principles, and defaults to Flatpak for containerized applications. For enterprise and server environments, the conversation is shifting heavily toward Debian for general-purpose workloads, and Red Hat Enterprise Linux or its derivatives like AlmaLinux and Rocky Linux for enterprise support. They offer the stability and predictability that sysadmins require without the silent format switching.

Canonical is a financially successful company. They made nearly $300 million in revenue in 2024. They are clearly executing a strategy that works for their enterprise cloud and IoT customers. But for the traditional desktop user and the independent sysadmin, the relationship has fundamentally changed. Ubuntu is not a bad operating system. But it is an operating system that increasingly views its users as a captive audience for its proprietary ecosystem. Trust is hard to build and incredibly easy to lose. By forcing silent installations, injecting ads into professional tools, and struggling to secure a proprietary backend, Canonical is testing the limits of that trust. What are your thoughts on the current state of Ubuntu? Are you staying for the 26.04 release, or have you already migrated to something else? Let me know in the comments. Thank you for watching Ton Does Linux. Stay safe, patch your systems, and I'll see you in the next one.
