Classic confinement request: `gh`

lengau · February 19, 2023, 12:03am

Currently the GitHub CLI is published with strict confinement, but this limits its capabilities quite significantly. While core functionality works thanks to vendoring in various packages like git, nano, etc., fundamentally the application expects to use the user’s system copy of git, including any installed plugins (and access to git hooks, etc.)

I believe this app meets the requirements for classic confinement for the same reasons as git-cola.

N.B. I am not the owner of the Snapcraft listing, but the owner did make me a collaborator specifically for this purpose.

Once we have classic confinement enabled, the plan is to move to publishing the snap using an already-built snapcrafters-like release process and to eventually move it under snapcrafters (with me as the primary maintainer), as the upstream maintainers currently have no interest in owning the snap package.

alexmurray · February 19, 2023, 11:35pm

gh would appear to meet the requirements for classic confinement as it wants to execute arbitrary user defined applications from the users host system, and it roughly fits within the supported categories of a debug tool / IDE.

To proceed with granting this however publisher vetting is required - @advocacy could you please vet the publisher? Thanks.

Igor · February 20, 2023, 1:24pm

+1 from me, I verified the publisher (@lengau clearly and directly explained the affiliation).

alexmurray · February 21, 2023, 1:08am

Thanks @Igor - classic confinement override granted for gh - this is now live.

casper.dcl · February 21, 2023, 4:16pm

(As owner of the snap) wanted to say thanks to @lengau, @alexmurray & @Igor. Hopefully will publish a fixed version soon.