Here are the details
I understand that strict confinement is generally preferred over classic.
I’ve tried the existing interfaces to make the snap to work under strict confinement.
The snaps (–beta and --edge) currently pushed to the store use devmode
. Let me know if I need to change this to classic
before the review process is started.
Hey @pushkarnk,
In general classic confinement requires of publisher vetting, which has following objective:
To ensure that the publisher of a snap is genuinely associated with the upstream project or belongs to a trusted group (e.g., Snapcrafters, Canonical, Verified Accounts ).
Considering the provided information (upstream-relation: user
) I think you don’t meet this criteria (please correct me). Thus, I think the best option to proceed here would be to ask the upstream if they are willing to incorporate the snap package to the upstream repository (or a different upstream maintained repository).
Thanks
Hi @jslarraz
Thank you for the information. The graalvm-jdk snap has now been transferred under the Canonical org. Can we please revisit the classic confinement request? Please do let me know if you need any other information.
Hey @pushkarnk
Looking at the reasoning:
GraalVM will need access to Java source and other binaries (JAR files) to compile and build a native image.
- Java source refers to the application code that will be compiled? If so, I think home + potentially removable media should be enough
- other binaries (JAR files): could you please clarify what is the origin of those binaries in the most general cases?
Thanks
Hi @jslarraz,
I’ve added the home
plug including a few others, referring to the openjdk snap. I tried compiling some basic programs and a spring-boot application to a native image and it seems to work well. I’ll revisit this request in future, if need be 
Thank you for the help!
1 Like
Thanks a lot for working to make this snap strict. It certainly enhances the overall ecosystem security 
1 Like