The by line of all snaps that are packaged by 3rd parties should state who originally developed the software along with who packaged the snap, if they are different.
The current snap for IntelliJ IDEA Community is packaged by JetBrains and they also make the original IntelliJ IDEA Community software. Therefore the following is good…
However, the current snap for Android Studio is packaged by Snapcrafters, but the software is originally by Google. Therefore it should state something like the following…
by Google via Snapcrafters
I worry that this is misleading because it gives a false sense of safety to the Android Studio snap (in this example). Snapcrafters is a trustworthy GitHub org, since it’s Canonical’s Snap Advocates who have commit and store upload permissions, but it won’t always be the case that the packager is trusted. There are plans to have a trusted publisher tick(?) next to some snapcrafter names so people will know better if a snap is safe or not…
In short, ‘by Google via snapcrafters’ sounds more legitimate than ‘by snapcrafters’ and it shouldn’t have that effect.
It is very important that people understand the legitimacy of the snaps, and I agree that bad-actor snaps, in this case, would seem more legitimate when they shouldn’t.
I knew I didn’t flesh this idea out too far but wanted input on this, which is why I stated the above. It was just an idea.
With that said, I believe that the Snap Store is misleading because it gives a false sense of who created the software inside of the snap (i.e. no credit is given where credit is due). The credit is given only to the packager of the snap, but the store gives details about the software inside of the snap.
How to overcome this while not giving legitimacy to bad-actor snaps? I don’t know fully, but it does appear to be an issue.
Perhaps some inspiration could be taken from Flathub? Separate ‘Developer’ and ‘Publisher’ fields make things pretty clear.
Maybe an “official” tag can be applied when the package can be verified to be controlled by the upstream? Like a manual verification of the snap package’s promotion on non-public writable upstream pages?