Allow classic confinement for Sturdy

Hey!

We’re preparing to launch Sturdy on Snapcraft ( https://snapcraft.io/sturdy ), and are currently unable to run Sturdy in the default sandbox environment.

Sturdy is a real-time version control platform that works by real-time synchronising files between Sturdy and the Sturdy server.

The app is built with Electron, and is 100% open-source (Apache 2.0) (Code on GitHub).

There are currently two bigger blockers that prevent Sturdy from running in strict confinement. I believe that we’ll be able to overcome these limitations over time, and would also appreciate some feedback on the suggested workarounds/improvements.


Obstacle 1 - Sturdy uses SSH

Sturdy transfers files between the client and the server over SSH, and uses the system SSH client to do so.

Both the ssh and ssh-keyscan binaries from the system are exec-ed, and Sturdy will auto-configure trust to the server by appending to $HOME/.ssh/known_hosts.

Solution 1: Use the system-files interface to allow Sturdy to exec the binaries and write the result to known_hosts.

Solution 2: Bundle ssh and ssh-keyscan in the application, and use a known_hosts file from within the snap.

Obstacle 2 - Connect to any directory

Sturdy allows the user to make any directory on the system a “connected directory” that Sturdy manages and watches for changes, using file watchers. The files in these directories are normally also used from an IDE, the terminal, other scripts etc…

Solution 1: Use the personal-files interface to allow Sturdy to manage files under some pre-defined directories in the user’s $HOME, such as $HOME/src, $HOME/code, or $HOME/sturdy.


We’re exploring more options as we speak, but would be happy to collaborate with the Snapcraft maintainers to find a solution that works well for us both.

Thanks for your help,
Gustav

As you suggest, to use ssh the best course of action would be to ship the required ssh binaries via the use of stage-packages within the snap’s snapcraft.yaml. Since you are then using your own ssh binary you could invoke it with an option such as -o UserKnownHostsFile=$SNAP_USER_COMMON/known_hosts so that your snap can manage its own list of trusted servers.

For obstacle 2, the home interface already provides access to all (non-hidden) files within a user’s $HOME and so would provide access to the types of directories you suggest, i.e. $HOME/src, $HOME/code, or $HOME/sturdy, without the need for personal-files.

As such I don’t think classic confinement should be needed for your snap at all. Can you please try these suggestions and let me know? Thanks.
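
The bundled-ssh arrangement suggested in the reply above, as an added example that is not part of the thread or of Sturdy's code: a wrapper that keeps host keys in $SNAP_USER_COMMON/known_hosts and points ssh at that file only. The function names, the SSH_BIN override, the fallback directory and the StrictHostKeyChecking=yes setting are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Sturdy's code. snapd sets SNAP_USER_COMMON at runtime;
# the fallback directory is an assumption so this also runs outside a snap.
STORE_DIR="${SNAP_USER_COMMON:-$HOME/.sturdy-example}"
KNOWN_HOSTS="$STORE_DIR/known_hosts"
# Assumed to resolve to the ssh shipped via stage-packages inside the snap.
SSH_BIN="${SSH_BIN:-ssh}"

# Create the snap-local known_hosts file, readable by the owner only.
init_store() {
    mkdir -p "$STORE_DIR" || return 1
    [ -f "$KNOWN_HOSTS" ] || ( umask 077; : > "$KNOWN_HOSTS" ) || return 1
    chmod 600 "$KNOWN_HOSTS"
}

# Read ssh-keyscan output on stdin and append only entries that are not
# stored yet, so repeated runs do not grow the file. Prints the number added.
# Typical use: ssh-keyscan <host> | add_known_hosts
add_known_hosts() {
    init_store || return 1
    added=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;   # skip blank lines and keyscan comments
        esac
        if ! grep -qxF -- "$line" "$KNOWN_HOSTS"; then
            printf '%s\n' "$line" >> "$KNOWN_HOSTS"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Run ssh against the snap-local file instead of $HOME/.ssh/known_hosts.
# StrictHostKeyChecking=yes makes ssh refuse hosts that are not in the file
# rather than adding them itself, so add_known_hosts is the only writer.
sturdy_ssh() {
    init_store || return 1
    "$SSH_BIN" \
        -o "UserKnownHostsFile=$KNOWN_HOSTS" \
        -o "StrictHostKeyChecking=yes" \
        "$@"
}
```

ssh-keyscan does not authenticate the keys it returns, so compare the fingerprint with one obtained out of band before piping its output into add_known_hosts.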

@zegl did you get a chance to try my suggestions above? This should allow sturdy to work under strict confinement. Please let us know the outcome. Thanks.

@zegl ping, this request cannot proceed without the requested information.

Hey @alexmurray and @emitorino, thanks for getting back to me.

We’ve decided to not pursue publishing Sturdy to Snapcraft for the time being, and have instead opted for releasing Sturdy via an AppImage on Linux.

Hey @zegl,

Thanks for letting us know. Whenever you decide to snap Sturdy again, feel free to ask any question here and we will be happy to help with publishing it.

Thanks!