Hi,
I’m the publisher of the snap(s) which were originally quoted in this post. Full disclosure: I work for Canonical and am a recovering Debian and Ubuntu package maintainer.
The topic goes beyond the specifics of these snaps, but I wanted to respond to specific points.
On licensing, I didn’t set any licensing and the store picked up proprietary, I guess as a safe default. This was wrong on my side and I guess to improve this we could trust the store to set a better default in the future and improve our tooling to scan for licenses automatically and warn when it can’t be done.
Snap names are a central concern here. An upstream-ish name will get some unwarranted implicit trust, and I engaged in namespace pollution by using too broad names like dnsmasqd since I didn’t actually intend to maintain a dnsmasq snap in any kind of upstream capacity. That said, others have made the point that it might make sense for a non-upstream person to maintain a snap until upstream picks it up, and it’s hard for end-users to distinguish between these cases.
Funnily enough, in an early design of “snappy”, snap names were namespaced, so you have installed lool.dnsmasq and I would have had to ask explicitly to get an official dnsmasq alias.
(see e.g. https://www.unixmen.com/getting-started-with-snappy-ubuntu-core/ for samples)
While it’s easy to find/check the publisher of snaps before and after installing, I started suffixing my snap names with -lool in the past months to mimick this behavior.
But still, snaps can be leveraged or deliver official packages with official names from official upstreams, or they can be more like GitHub or Google Play Store.
I guess similarly to SSL certificates or Twitter accounts, there could be more work invested into verifying publishers on the backend side and there could be more work to expose this on the client side (such as deciding which publishers to trust/not trust).
This discussion was centered around potentially malicious use, but there’s a simpler path to bad snaps (outside of quality, store reviews/comments and general end-user experience) that I’d like to highlight: security updates. Dnsmasq snap needs to be updated whenever there’s a new upstream security update.
I’ve made some of my (non-suffixed) snaps private for now. The dnsmasqd snap was created because I was asked for a TFTP tool and also as a demo of a cross-compilation example, but also because I thought it would be useful to have it around for me and others in quick debug/DHCP/TFTP situations. I’ll stick to suffixing my non-official snap names until we have better mechanisms in place to document verified and trusted publishers.