Display provenance of snap when it is available

FYI, I just filed this bug: https://bugs.launchpad.net/software-center-agent/+bug/1780970 so the store team can add a build log url to the snap revision page in the store. There are other useful things that could be done with this information, so I will cross-post here in the forum. For convenience, here is the bug description:

Knowing the provenance of a snap revision can be a key component in trusting a snap and its publisher. It has always been planned that when we know where a snap came from (eg, an LP build, etc) the store would record the build log link in its database. Once it is in the database:

  • the store could provide a link for the revision of the snap (eg, at https://dashboard.snapcraft.io/snaps/SNAPNAME/revisions/NNN/)
  • an API could be exposed so that a user can obtain the build log url
  • snapd could at some point do interesting things with this information such as display the build log url with snap info, offer controls to the user to only allow installs/refreshes if a public build log is available, etc

This is particularly useful for the open source community for all the reasons why Linux distributions make their build logs public (indeed, just today I heard again “if only I could examine the build, I might be able to better trust the snap”). This is somewhat useful as a reviewer (though admittedly, we focus on the publisher, not the contents of the snap) and is one of the steps towards controls for enforcing constraints on the use of classic (https://bugs.launchpad.net/software-center-agent/+bug/1657825).


Thanks @jdstrand. I’ve commented on the bug, we can definitely surface the build_url, if defined, in the snap revision web UI.

I also added some comments on what we should do to have this available for snap info, but first I’d like to know if snapd is interested in showing this information (ping @niemeyer).

