What happens when a snap previously published in the store with strict confinement gets an updated version that declares classic confinement? Is that even allowed? Will this require manual review to get accepted in the store?
If a user has the previous (strict) version installed, will the update be applied silently, or will snapd request the user to confirm?
I don’t know details about the store process for the change, but snapd will hopefully not allow the refresh until manual action is taken. If it does accept it, it’s a bug we’ll want fixed right away, because the user didn’t acknowledge the risk of having something unconfined from the given publisher on their machine.
That will require manual review in the Store, and as @niemeyer notes hopefully snapd will not silently refresh with classic. I’m not sure if we have tested that explicitly, but we will now and report back.
I just tested this scenario and all is working as expected - manual review required and explicit action by the user on refresh:
bret@foundation:~$ snap install hello-noise
hello-noise 0.1 from 'noise' installed
bret@foundation:~$ snap info hello-noise
name: hello-noise
summary: "\\o"
publisher: noise
description: |
Hola!
tracking: stable
installed: 0.1 (1) 4kB -
refreshed: 2017-03-27 11:51:40 -0400 EDT
channels:
stable: 0.1 (1) 4kB -
candidate: 0.1 (1) 4kB -
beta: 0.1 (1) 4kB -
edge: 0.1 (1) 4kB -
# push & release r2 w/classic to stable, get manual store review, then:
bret@foundation:~$ snap refresh hello-noise
error: snap "hello-noise" requires classic or confinement override
bret@foundation:~$ snap info hello-noise
name: hello-noise
summary: "\\o"
publisher: noise
description: |
Hola!
tracking: stable
installed: 0.1 (1) 4kB -
refreshed: 2017-03-27 11:51:40 -0400 EDT
channels:
stable: 0.2 (2) 4kB classic
candidate: 0.2 (2) 4kB classic
beta: 0.1 (1) 4kB -
edge: 0.1 (1) 4kB -In terms of store process, if in the store the snap wasn’t allowed use of classic, it would trigger a manual review. If in the store the snap was allowed use of classic, the developer may go back and forth between classic, devmode and strict in any order desired without triggering a manual review. Ie, once a snap is allowed use of classic in the store, the developer may choose to use it or not at any time thereafter (unless in the store someone actively revokes use of classic of course).