Ephemeral browser interfaces

I have built and published ephemeral, which is a privacy focused web browser from the elementary developers. It’s based on gtk webkit, and as a browser it needs browser-support along with the dbus connection to operate correctly. The yaml is at my git repo. I have tested the snap on 19.10 and it operates correctly with the dbus connection and browser-support interfaces connected.

Please can we have a store assertion to enable both automatically.


@popey - I looked at the snap in the store and it is currently using the browser-support interface without ‘allow-sandbox: true’, which is allowed. It failed automated review due to the use of the dbus slot, which I’ve just granted. I’ve just requested automated reviews for the latest revisions.

Are you asking to be able to use ‘allow-sandbox: true’. Typically this is reserved for official browser snaps; is ephemeral going to be transferred to upstream?

Huh. I’ll do some more testing with the correctly defined browser sandbox with the plug and run the review tools before updating.

Unfortunately upstream do not wish to support the package. I asked for their permission to upload it under certain conditions, which they’re fine with. But no, they’re not going to (in the short term at least) take ownership of it.

Did anything come of this?

Ok, will this then fall under the snapcrafters project?

Yes, I just pushed my tested changes. It fails review with:

$ snap-review ephemeral_6.1.1_amd64.snap 
 - declaration-snap-v2:plugs_connection:browser-sandbox:browser-support
        human review required due to 'deny-connection' constraint (interface attributes). If using a chromium webview, you can disable the internal sandbox (eg, use --no-sandbox) and remove the 'allow-sandbox' attribute instead. For QtWebEngine webviews, export QTWEBENGINE_DISABLE_SANDBOX=1 to disable its internal sandbox.
 - declaration-snap-v2:slots_connection:ephemeral:dbus
        human review required due to 'deny-connection' constraint (interface attributes)
ephemeral_6.1.1_amd64.snap: FAIL

I had done this in my spare time so uploaded to my own account, but happy to migrate it to snapcrafters instead.

Ok, that’s expected when using allow-sandbox: true. My question was more, does your snap work properly without allow-sandbox: true? If so, I think you are good to go and nothing more needs to be done (since I issued the snap decl for use of the dbus interface already; ie, use of com.github.cassidyjames.ephemeral).

If not, we need to issue a snap declaration for the snap for allow-sandbox: true. While I can vet you, I think it might make sense based on what you said regarding upstream/etc to have this be under the snapcrafters team.

1 Like

It works without allow-sandbox: true! Good news indeed. I have pushed a new release to the store. Thank you.