Codium is VS Code with some proprietary components / telemetry removed. I’ve published it under the snapcrafters name. As with the original VS Code it’s based on, it requires classic confinement. It’s an IDE, which requires access to external applications, compilers etc. Please can we get classic confinement approved for it. Thanks.
The requirements are understood and the publisher has been vetted previously (Classic confinement for Android Studio).
This is now live (and this post is now at least 20 characters long…)
Thanks @alexmurray
I have since attempted to publish and get the following errors from build.snapcraft.io:
Error:checksums do not match. Please ensure the snap is created with either 'snapcraft pack <DIR>' (using snapcraft >= 2.38) or 'mksquashfs <dir> <snap> -noappend -comp xz -all-root -no-xattrs -no-fragments'. If using electron-builder, please upgrade to latest stable (>= 20.14.7). See https://forum.snapcraft.io/t/automated-reviews-and-snapcraft-2-38/4982/17 for details.
and
Error:found errors in file output: unusual mode 'rwsr-xr-x' for entry './usr/share/codium/chrome-sandbox'
Neither of these errors occur when I test the snap using review-tools from edge. Why isn’t the store and review-tools in the store consistent?
Further, if I build locally using --use-lxd with snapcraft from edge, it allows me to push to the store. Revision #4 in the store was built this way and didn’t give me errors about checksums or chrome-sandbox.
The short answer is that snaps are not allowed to ship setuid binaries, which is the 2nd error. The checksum mismatch error is because the review-tools run as non-root, unsquashfs will splat the file on the disk but not have the permissions to set the setuid bit so when mksquashfs is run, the bit isn’t there, and the resquashed snap has a different checksum than the original.
snapcraft has code to strip out these bits. I suspect what is happening is that the bits weren’t stripped for some reason when you uploaded the time the review failed.