Currently desktop users are able to install snaps from the store using GNOME Software.
There's a couple of cases we don't yet handle, but we (probably) should:
- Snaps using classic confinement (these currently fail to install because we don't pass the classic flag to snapd )
- Sideloaded snaps . These may require devmode or be unsigned.
- We do want to support both these cases in a graphical environment, right?
- What safeguards do we want to use to ensure a user doesn't install a malicious snap using these methods?
With safeguards, we can:
- Indicate on the app description page that this is unconfined app.
- Show a dialog box to get the user to confirm installation (danger being that people often ignore such boxes and just click "yes")
I've started a discussion with upstream about how such things could fit into the gnome-software design .
For comparison, this is the command line experience in installing a classic snap:
$ sudo snap install atom
error: This revision of snap "atom" was published using classic confinement and thus may perform
arbitrary system changes outside of the security sandbox that snaps are usually confined to,
which may put your system at risk.
If you understand and want to proceed repeat the command including --classic.
$ sudo snap install --classic atom
I think this quite secure because it requires sudo (implying a lot of responsibility on the user) and the command has to be re-typed to confirm the behaviour. I'm a little worried that these responsibilities are less clear in a graphical environment.