Communitheme & macaroons to fine-grain release permissions

For the new communitheme snap, we’ll request some tracks following Ubuntu release names (as GNOME Shell and GTK aren’t stable API-wise for theming).

As communitheme is a community project but we still release it in Ubuntu, I would like to fine-grain the snap release permissions for some developers, which isn’t possible via the snapcraft store itself when adding a collaborator.

Basically, I want some developers to be able to publish to the <track>/{candidate,beta,edge}/* channels (basically, everything but the stable risk, for any track series).

  • I have looked at https://dashboard.snapcraft.io/docs/api/macaroon.html#restricted-upload-rights, but I’m unsure how to share the macaroon with the developers: is it an assertion that can be published to the store, with developer names, so that it doesn’t need manual sharing? I also didn’t find any documentation on how to use those macaroons with snapcraft itself.
  • Is it possible to ensure that the form of the permission is */{candidate,beta,edge}/*, to avoid maintenance overhead each time we open a new track (so, every 6 months)?

Thanks!

As an intermediate step, I suggest you add specific users as collaborators to accounts you own and then use snapcraft export-login --help to provide the fine-grained access you require.

@sergiusens: thanks for answering! So, in this scenario, it means that I have to create a credentials file that I share with the people who will access this snap? I’m unsure about the first step, “add specific users as collaborators”. That capability has been removed from the new store AFAIK, and it was all or nothing, no? Isn’t the credentials file enough?
Are wildcards supported as well for channel names?

Remember that this snap will be under the Canonical name and be installed by default on any Ubuntu machine. Is this acceptable security- and policy-wise? @jdstrand, @slangasek?

My suggestion was something like:

  • Create a new SSO user, e.g. communitheme-edge-releaser.
  • Add that user as a collaborator; keep the login credentials to yourself.
  • snapcraft export-login with the required caveats to only be able to release to edge or beta.
  • Pass that credentials file on to whomever needs it.
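
The four steps above, plus a local stand-in for the */{candidate,beta,edge}/* policy asked about earlier in the thread, as an added example script. This is not code from the thread, from snapcraft or from the communitheme project. It assumes the snap is named communitheme, that snapcraft export-login accepts --snaps, --channels, --acls and --expires (it does in snapcraft 2.4x/3.x; confirm with snapcraft export-login --help), that package_push and package_release are the upload and release ACL names, and that the credentials file name and expiry date are placeholders. The store itself has no wildcard channel form, so the exported login lists channels explicitly and has to be re-exported when a new track is opened; channel_allowed only guards the release script on the developer side.

```shell
#!/bin/sh
# Added example, not code from the thread, snapcraft or communitheme.
# Assumed: snap name, credentials file name, ACL names, ISO expiry format,
# and the export-login options (check "snapcraft export-login --help").

SNAP=communitheme
LOGIN_FILE=communitheme-releaser.login

# Step 3: run while logged in as the dedicated collaborator account
# (e.g. communitheme-edge-releaser). The login is restricted to one snap,
# to the listed non-stable channels, to upload/release ACLs, and expires.
# Channels are explicit: add "18.10/edge,18.10/beta" etc. when a new
# track is opened, then re-export and redistribute the file (step 4).
export_restricted_login() {
    channels=$1   # e.g. "edge,beta" or "18.04/edge,18.04/beta"
    expires=$2    # e.g. 2019-04-30 (assumed ISO 8601 date)
    snapcraft export-login --snaps "$SNAP" --channels "$channels" \
        --acls package_push,package_release --expires "$expires" "$LOGIN_FILE"
}

# Developer side: use the file handed over in step 4 instead of SSO.
developer_login() {
    snapcraft login --with "$LOGIN_FILE"
}

# Local policy check for "*/{candidate,beta,edge}/*": accept any track as
# long as the risk is not stable. Forms handled: "<risk>", "<risk>/<branch>",
# "<track>/<risk>" and "<track>/<risk>/<branch>". Returns 0 allowed, 1 refused.
channel_allowed() {
    ch=$1
    case "$ch" in
        */*/*)                              # track/risk/branch
            risk=${ch#*/}; risk=${risk%%/*} ;;
        */*)                                # risk/branch or track/risk
            first=${ch%%/*}; second=${ch#*/}
            case "$first" in
                stable|candidate|beta|edge) risk=$first ;;
                *) risk=$second ;;
            esac ;;
        *)  risk=$ch ;;                     # bare risk on the latest track
    esac
    case "$risk" in
        candidate|beta|edge) return 0 ;;
        *) return 1 ;;
    esac
}

# Release wrapper the developer runs: refuses stable or unknown channels
# before the store is ever contacted.
release_if_allowed() {
    revision=$1; channel=$2
    if channel_allowed "$channel"; then
        snapcraft release "$SNAP" "$revision" "$channel"
    else
        echo "refusing to release $SNAP r$revision to $channel (stable risk or unknown channel)" >&2
        return 1
    fi
}
```

Usage: the account owner sources the script and runs export_restricted_login edge,beta 2019-04-30; a developer runs developer_login once, then release_if_allowed 12 18.04/edge. The store-side caveats in the exported login are the real control; channel_allowed only gives a clear local error instead of a store rejection.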

Thanks for the clarification! OK on the procedure, even if it requires passing a file around.
