Classic confinement request for graalvm-jdk

pushkarnk · January 17, 2025, 6:41am

Here are the details

name: graalvm-jdk
description: “Graalvm for JDK” supports native image compilation of Java applications.
snapcraft: GitHub - pushkarnk/graalvm-jdk-snap: Snapcraft for GraalVM CE
upstream: GitHub - graalvm/graalvm-community-jdk21u: Maintenance repository for GraalVM Community for JDK 21. To report issues or request backports, go to https://github.com/oracle/graal.
upstream-relation: user
supported-category: compilers, programming languages
reasoning: GraalVM will need access to Java source and other binaries (JAR files) to compile and build a native image.

I understand that strict confinement is generally preferred over classic.

I’ve tried the existing interfaces to make the snap to work under strict confinement.

pushkarnk · January 17, 2025, 6:42am

The other upstream link (which I couldn’t mention) due to the restriction on the number of links is: GitHub - oracle/graal: GraalVM compiles Java applications into native executables that start instantly, scale fast, and use fewer compute resources 🚀

pushkarnk · January 17, 2025, 6:44am

The snaps (–beta and --edge) currently pushed to the store use devmode. Let me know if I need to change this to classic before the review process is started.

jslarraz · January 21, 2025, 12:46pm

Hey @pushkarnk,

In general classic confinement requires of publisher vetting, which has following objective:

To ensure that the publisher of a snap is genuinely associated with the upstream project or belongs to a trusted group (e.g., Snapcrafters, Canonical, Verified Accounts ).

Considering the provided information (upstream-relation: user) I think you don’t meet this criteria (please correct me). Thus, I think the best option to proceed here would be to ask the upstream if they are willing to incorporate the snap package to the upstream repository (or a different upstream maintained repository).

Thanks

pushkarnk · March 25, 2025, 7:09am

Hi @jslarraz

Thank you for the information. The graalvm-jdk snap has now been transferred under the Canonical org. Can we please revisit the classic confinement request? Please do let me know if you need any other information.

jslarraz · March 28, 2025, 10:50am

Hey @pushkarnk

Looking at the reasoning:

GraalVM will need access to Java source and other binaries (JAR files) to compile and build a native image.

Java source refers to the application code that will be compiled? If so, I think home + potentially removable media should be enough
other binaries (JAR files): could you please clarify what is the origin of those binaries in the most general cases?

Thanks