Ubuntu Snap's Security Is Easily Circumvented Due To X11

#51

Originally posted by nanonyme:
    You do know different versions of libraries usually have different sets of security vulnerabilities, right? Snappy is primarily about hard-freezing your libraries to a version with an eventually known set of security vulnerabilities rather than having what your distro has which is basically a partially known set of security vulnerabilities

That is EXACTLY the problem, as it allows attackers to know in advance the probable vulnerabilities of your system, by knowing in advance what libraries you have installed. OK, let's look at Firefox as a Snap. Every vulnerability in a library shipped with FF becomes a fixed and known FF vulnerability, known to exist on a large number of systems at once. The convenience Snap provides developers in avoiding the "moving target" situation also applies to attackers. Lots more attack surface in FF and all of its libraries as a fixed combination than in a known (by useragent) FF version over unknown library versions.

In short: if you want security, either make sure all FF builds are coming with the latest security patches to all shipped libraries, or build it yourself locally against system libraries. This goes double if you have to pin Firefox to keep out unwanted "features." That's because pinning all the libraries too means any attacker has a large part of the total system as a fixed, non-moving target matching a huge number of other installs from one time. That makes "quality control" on exploits and payloads a breeze and gives attackers reliable access to your system, instead of having exploits break because some underlying library changed.

For non-networked programs on a single-user machine this should not be an issue unless they can be attacked FROM the browser, and in that case for them to be isolated in a Snap makes it harder to reach them, even if the exploits are known. Thus, Snappy should be great for something like Kdenlive, but is a bad idea for something like Firefox.

#52

Originally posted by starshipeleven:
    Stop these oversimplifications goddamnit.

    linux is a kernel, malware must blow through userspace first.

    linux desktop userspace... isn't terribly strong against malware. No SELinux, / is rw, x11 is crap, and so on.

    Android userspace is pretty damn strong and locked down. full SELinux enforcing, / is ro, there is no x11, and so on.

First, any distro not using SELinux obviously doesn't have security as a focus (IIRC, Fedora and the enterprise Linuxes should have this enforcing by default).

Second, / is rw by root on both systems, root just tends to be more accessible on Linux distros. Realistically, a system admin should give sudo/wheel privileges out sparingly. Some users don't understand the consequences of typing in their password when the system asks for it, or have malicious intent to begin with.

Third, one can hope x11 will be out the door within the next 5 years.

#53

Originally posted by Mystro256:
    First, any distro not using SELinux obviously doesn't have security as a focus (IIRC, Fedora and the enterprise Linuxes should have this enforcing by default).

    Second, / is rw by root on both systems, root just tends to be more accessible on Linux distros. Realistically, a system admin should give sudo/wheel privileges out sparingly. Some users don't understand the consequences of typing in their password when the system asks for it, or have malicious intent to begin with.

    Third, one can hope x11 will be out the door within the next 5 years.

I already said why even distros that have SELinux (or apparmor like the 'Buntu) don't enforce things to the level Android does (mostly because they cannot).

/ is ro on Android and there is a CLEAR split between that and data, you can easily reset everything by formatting data while cleaning up a linux distro isn't so easy, and there are signing mechanisms in place that can and do lock up the phone if you tamper with the system partition.
Yes you can remount it rw, but it wasn't the point. A system designed to run with / ro has a very different design than linux desktop.

x11 is crap but I know it is on its way out, I was talking about the now.

And now the average linux desktop is not safer than a good updated Android.

If CURRENT linux desktop was running on billions of devices, it would get raped. Totally, fully, truthfully.

It will get better, yes, and will totally rock within 5 years (also because Snap and other compartmentalized app systems like the gnome's and others).

But for now the main reason it is safe is that it is at less than 1% of the marketshare.

Android, even if 99.99% of the devices are not receiving updates and are technically full of holes, is holding up pretty fucking well in the harshest conditions EVER for a computer (daily usage by total idiots that click everywhere).
With no antivirus.

Windows in similar conditions lasts months or so before the PC has to be exorcized by a qualified technician, and current linux desktop follows most of the same principles (since both OS evolved from something that existed ages ago, they were not reinvented from scratch keeping in mind the modern world)
Last edited by starshipeleven; 26 April 2016, 04:56 PM.

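A posture check for the three properties the two posts above argue about (mandatory access control enforcing, / mounted read-only, no X11), as an added example that is not code from the thread or from any of its posters. It assumes the Linux /proc and /sys layouts: SELinux state is read from /sys/fs/selinux/enforce, the root mount options from /proc/self/mounts, and the session type from WAYLAND_DISPLAY/DISPLAY. The assess function is a pure comparison of three supplied values against that baseline, so its logic can be exercised without a particular machine.

```shell
#!/bin/sh
# Added example (not code from the thread): a posture check for the three
# properties the post contrasts between Android and a Linux desktop.
# Assumes Linux /proc and /sys layouts; anything missing is reported as
# "absent"/"unknown" rather than treated as an error.

# Mandatory access control state. Prints: enforcing, permissive (SELinux
# loaded but not enforcing), apparmor (AppArmor loaded; says nothing about
# which profiles are in enforce mode), or absent.
mac_state() {
    if [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in
            1) echo enforcing ;;
            *) echo permissive ;;
        esac
    elif [ -d /sys/kernel/security/apparmor ]; then
        echo apparmor
    else
        echo absent
    fi
}

# Mount state of the root filesystem from /proc/self/mounts: the fourth field
# is the option list and its first entry is always rw or ro.
root_mount_state() {
    state=$(awk '$2 == "/" { split($4, o, ","); print o[1]; exit }' \
                /proc/self/mounts 2>/dev/null || true)
    echo "${state:-unknown}"
}

# Display server of the current session, from the environment. A Wayland
# session is reported even when DISPLAY is also set for Xwayland clients;
# those clients still share one X server with each other.
display_server_state() {
    if [ -n "${WAYLAND_DISPLAY:-}" ]; then
        echo wayland
    elif [ -n "${DISPLAY:-}" ]; then
        echo x11
    else
        echo none
    fi
}

# Compare three values against the locked-down baseline the post describes
# (SELinux enforcing, / read-only, no X11). Prints one line per gap, or
# "no findings". Pure function of its arguments so it can be tested offline.
assess() {
    mac=$1
    root=$2
    display=$3
    findings=0
    [ "$mac" = enforcing ] || {
        echo "mandatory access control is not SELinux enforcing (state: $mac)"
        findings=$((findings + 1))
    }
    [ "$root" = ro ] || {
        echo "root filesystem is mounted $root, not read-only"
        findings=$((findings + 1))
    }
    [ "$display" != x11 ] || {
        echo "X11 session: X11 does not isolate clients on the same display from one another"
        findings=$((findings + 1))
    }
    [ "$findings" -gt 0 ] || echo "no findings"
}

# Run the live checks on this machine and print the assessment.
report() {
    assess "$(mac_state)" "$(root_mount_state)" "$(display_server_state)"
}

report
```

Run it as-is to print the findings for the current machine. An "apparmor" result is reported as a gap against the SELinux-enforcing baseline because the kernel directory alone does not say which profiles are in enforce mode; on Ubuntu, aa-status is the tool that answers that question.
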
#54

That "marketshare" issue is actually a LOT of protection. Even NSA malware has been found that after using ingenious delivery systems to take over something like hard disk firmware then turns around and hooks into Windows to do its dirty work, thus failing on Linux. At least double the work to replace 95% marketshare with 96% just does not appeal to many attackers, it seems.

#55

Originally posted by Luke:
    That "marketshare" issue is actually a LOT of protection. Even NSA malware has been found that after using ingenious delivery systems to take over something like hard disk firmware then turns around and hooks into Windows to do its dirty work, thus failing on Linux. At least double the work to replace 95% marketshare with 96% just does not appeal to many attackers, it seems.

Dunno about NSA malware, but according to Wikileaks documents malware named FinFisher/FinSpy has the ability to hook into Linux (I assume a few "non-glibc" distros, like Alpine that uses musl, being exempted). It's a "governmental" type of paid malware.

#56

Originally posted by aht0:
    Dunno about NSA malware, but according to Wikileaks documents malware named FinFisher/FinSpy has the ability to hook into Linux (I assume a few "non-glibc" distros, like Alpine that uses musl, being exempted). It's a "governmental" type of paid malware.

FinFisher came from Gamma International UK Ltd, which is a private venture selling to regimes that torture and kill. Egyptian protesters found out about it when they stormed a security police office. I wonder why the NSA's hard drive firmware malware, the kind that makes a phony boot sector, only targeted Windows given that Gamma Group has shown that it is possible to target Linux.

Gamma in this context is like the rural serial killer who is the exception to an otherwise low-crime community. Windows is the kind of neighborhood where gangs unload whole magazines of pistol ammo down the street several times a year. Still, Gamma executives deserve to be tried before an international court for selling spyware to torturers and murderers.

OK, now let's look at the difficulty of writing malware against a known target, the original issue of Snaps for packages users rarely update packing knowable library versions. I will now use myself and Gamma for an example of what happens when an attacker knows in advance what software and versions will be on the machine to be attacked.

If Gamma asked me to sell them an encrypted computer they would get one, with code added that would put copies of both their disk key and their passphrase somewhere I could recover them with Foremost and encrypt them with my public key so nobody ELSE could find them. If I knew in advance those criminals would come to me for a computer, that software would be pre-written and installable if the Gamma exec supervising the install so much as turned his head to look at the clock. Otherwise he would have to leave the room to take a dump to give me enough time to write it on the fly, and in that case re-encrypting the key and passphrase might have to be left out.

#57

Originally posted by Luke:
    FinFisher came from Gamma International UK Ltd, which is a private venture selling to regimes that torture and kill. Egyptian protesters found out about it when they stormed a security police office. I wonder why the NSA's hard drive firmware malware, the kind that makes a phony boot sector, only targeted Windows given that Gamma Group has shown that it is possible to target Linux.

    Gamma in this context is like the rural serial killer who is the exception to an otherwise low-crime community. Windows is the kind of neighborhood where gangs unload whole magazines of pistol ammo down the street several times a year. Still, Gamma executives deserve to be tried before an international court for selling spyware to torturers and murderers.

They have also sold their product to democratic countries. For example, to the security forces of certain EU countries. And facing it on Linux is somewhat worse. On Windows, you usually have antivirus installed. On Linux, most users do not and there actually isn't much to select from if you want one.

I agree that the security situation is much worse on Windows, but they also have way more tools to defend themselves with. For open source, antivirus software is seriously lacking (you will find something like NOD32 v4 for Linux if you really go looking; next you would have to manage getting it running. Won't succeed as often as you do.) but try finding something for some BSD, it's even worse.

It should be about the twelfth hour to fix it but nobody seems to care about developing antivirus software for open source OSes (Android doesn't count).
Last edited by aht0; 30 April 2016, 01:23 PM.

#58

Originally posted by aht0:
    They have also sold their product to democratic countries. For example, to the security forces of certain EU countries. And facing it on Linux is somewhat worse. On Windows, you usually have antivirus installed. On Linux, most users do not and there actually isn't much to select from if you want one.

Linux's (average Linux distro's) update speed after a vulnerability is discovered does not make this a major issue.

Antivirus programs are (were) crucial on windows because its update speed is meh, and its infrastructure isn't safe like at all, with win10 it's more a moving target as if a patch is pushed in their repos IT WILL UPDATE and IT WILL REBOOT if needed, no more nonsense like "we release most patches every X days just because".

Originally posted by aht0:
    (Android doesn't count).

Android antivirus software is scamware. Without root there is no way in hell that they can do anything useful.
Last edited by starshipeleven; 30 April 2016, 02:07 PM.

#59

Originally posted by aht0:
    They have also sold their product to democratic countries. For example, to the security forces of certain EU countries. And facing it on Linux is somewhat worse. On Windows, you usually have antivirus installed. On Linux, most users do not and there actually isn't much to select from if you want one.

    I agree that the security situation is much worse on Windows, but they also have way more tools to defend themselves with. For open source, antivirus software is seriously lacking (you will find something like NOD32 v4 for Linux if you really go looking; next you would have to manage getting it running. Won't succeed as often as you do.) but try finding something for some BSD, it's even worse.

    It should be about the twelfth hour to fix it but nobody seems to care about developing antivirus software for open source OSes (Android doesn't count).

There is one other defense that applies to most of us on this board reading from the US: The FBI and similar agencies have been reported to avoid using at least their higher value exploits against anyone suspected of being a hacker, for fear that the spyware will be detected, reverse engineered, and published or even used against them. They have been burned this way before. OK, all those webservers are Linux, so to get the Freedom Roads .onion server to serve Windows malware over Tor they no doubt had to attack a hacker-owned Linux system first. They got in, only to have the entire exploit and spyware package they were serving to Windows Tor users captured and published. They can no longer use it, because they foolishly attempted to strike at a hacker-owned server to distribute it.

Interestingly, one of the biggest vectors of Finspy infection has been fake iTunes updates, a very good reason for Windows users to get rid of iTunes and for Linux users to never, ever use it in WINE. Those of us who don't use paid websites or purchase any files would not be using iTunes anyway.

I can guarantee that if I ever catch any piece of governmental or corporate owned spyware on any system I have root access to, I will bring in all the best hackers I know plus my own skills to do the same thing and will ensure that as many of the FBI's enemies as possible get the reverse-engineered source, the defenses, the works. If they want to risk that they can bring it on...
Last edited by Luke; 30 April 2016, 03:07 PM.

#60

Originally posted by Luke:
    Interestingly, one of the biggest vectors of Finspy infection has been fake iTunes updates, a very good reason for Windows users to get rid of iTunes and for Linux users to never, ever use it in WINE. Those of us who don't use paid websites or purchase any files would not be using iTunes anyway.

Another major vector is fake Windows updates, so Windows, especially Windows 10 users, are doubly screwed.