As an end user, I expect these things (maybe they are already addressed in some other discussions; if so, sorry):
- No internet access for snaps, and they have to ask for permission on first start, something like the modern Android security model. While it wouldn't stop a miner, at least attackers couldn't collect what they mined. Of course, this would work for games (I don't want to give internet access to games), but not for other things.
- A check on the license: why shouldn't a snap that builds a public GitHub repo have the same license?
- For FOSS projects, https://reproducible-builds.org/
- Verified authors: there is an aws-cli package whose author is listed as aws on the store, but the repo's authors say it's not theirs. I trust @popey because I know him, so I believe it's owned by AWS, but as a random user I wouldn't trust just a random comment on a GitHub repo and give my company's AWS credentials to a snap with doubtful ownership.
- An easy-to-find link to the build log, if available (e.g. LP).
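On the first point, an added example (my own helper, not code from the post above or from the snapd project): under strict confinement a snap only gets outbound network access through the `network` plug, which snapd auto-connects when the snap declares it; there is no first-use prompt, a plug is either connected or not, but a user can already revoke it per snap with `snap disconnect <snap>:network`. The script below parses the output of `snap connections --all` (columns Interface, Plug, Slot, Notes; a disconnected plug shows `-` in the Slot column), lists the snaps whose network plug is connected, and wraps the disconnect call. The sample output embedded in it is constructed for the example, not captured from a real machine.

```shell
#!/bin/sh
# Added example: find snaps whose `network` plug is connected and revoke it.
# Parses `snap connections --all` output (Interface, Plug, Slot, Notes);
# a disconnected plug has "-" in the Slot column.

# Read `snap connections --all` output on stdin; print the name of each
# snap whose `network` plug is connected to a slot, one per line.
network_connected() {
    awk '
        NR == 1 { next }                     # skip the header row
        $1 == "network" && $3 != "-" {
            split($2, parts, ":")            # "firefox:network" -> "firefox"
            print parts[1]
        }
    '
}

# Constructed sample in the format of `snap connections --all`
# (assumption: not captured from a real system).
SAMPLE='Interface  Plug                  Slot      Notes
network    firefox:network       :network  -
network    some-game:network     -         -
home       some-game:home        :home     -
network    other-tool:network    :network  -'

# Run the parser over the sample and return the names space-separated,
# so the result can be checked without relying on captured output.
sample_network_snaps() {
    printf '%s\n' "$SAMPLE" | network_connected | tr '\n' ' ' | sed 's/ $//'
}

# Revoke the network plug from one snap. Only meaningful on a host with
# snapd; guarded so the script still runs where `snap` is absent.
revoke_network() {
    snap_name="$1"
    if command -v snap >/dev/null 2>&1; then
        snap disconnect "${snap_name}:network"
    else
        echo "snap not found; would run: snap disconnect ${snap_name}:network" >&2
        return 0
    fi
}

# Stand-alone usage: `--live` reads the real connection table, otherwise
# the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    snap connections --all | network_connected
else
    sample_network_snaps
    echo
fi
```

Two caveats for anyone using this: it only inspects the `network` plug, so check `network-bind` the same way if you care about listeners, and it does nothing for classic-confinement snaps, which are not confined at all and so are not governed by plugs.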