General User Concerns About Installing Snaps

So I’ve been using Snapcraft a bit lately, installing some packages with it and, recently, publishing my own snap, and I really like it. The auto updating and out-of-the-box confinement is great. I wanted to bring up, though, some initial concern that I had when installing certain apps from the snap store.

The main concern I had was with unofficial snaps where I had no information on the author that published the snap other than their Ubuntu One username. For example, the Mindustry snap was a snap that I wanted to install, but I could not find anything to verify the source of the snap. For all I knew I could be installing malware. There wasn’t any link to the source or any way to identify the author.

The snap description had a link to the GitHub source code for Mindustry, but no link to any snapcraft.yaml or anything to indicate what actually produced the snap. This isn’t necessarily any fault of the snap store or anything, but I wanted to bring it up as a potential concern of users.

I just published a Chocolatey package and I noticed that they will give you a link to the user who published a snap and will show you what other packages they published, if any. This could definitely help in some instances. I wonder if another possible help would be to allow you to tie your GitHub account to your snap store account, just for the sake of identifying you with a provider that many will recognize and can look at to get a cursory “background check” so to speak.

Either way, I think snaps are great and just wanted to open the discussion on how we might be able to improve the store experience.

1 Like

I published the Mindustry snap, and will update the page to link to the yaml. However, worth knowing you can see it yourself inside the snap, without installing it.

alan@KinkPad-K450:~$ mkdir mindustry
alan@KinkPad-K450:~$ cd mindustry/
alan@KinkPad-K450:~/mindustry$ snap download mindustry
Fetching snap "mindustry"
Fetching assertions for "mindustry"
Install the snap with:
   snap ack mindustry_44.assert
   snap install mindustry_44.snap
alan@KinkPad-K450:~/mindustry$ unsquashfs mindustry_44.snap snap/snapcraft.yaml
Parallel unsquashfs: Using 4 processors
1 inodes (1 blocks) to write

[===================================================================|] 1/1 100%

created 1 files
created 2 directories
created 0 symlinks
created 0 devices
created 0 fifos
alan@KinkPad-K450:~/mindustry$ cat squashfs-root/snap/snapcraft.yaml 
name: mindustry
base: core18
version: "100"
summary: A sandbox tower defense game
description: |
  Mindustry is a hybrid tower-defense sandbox factory game. Create elaborate
  supply chains of conveyor belts to feed ammo into your turrets, produce
  materials to use for building, and defend your structures from waves of
  enemies. Features include a map editor, 24 built-in maps, cross-platform
  multiplayer and large-scale PvP unit battles.

grade: stable
confinement: strict

apps:
  mindustry:
    command: desktop-launch $SNAP/bin/launcher
    plugs:
    - network
    - network-bind
    - opengl
    - home
    - joystick
    - pulseaudio
    - desktop
    - wayland
    - x11
    - desktop-legacy
    - unity7
    environment:
      XDG_DATA_HOME: "$SNAP/usr/share"
      JAVA_HOME: "$SNAP/usr/lib/jvm/java-8-openjdk-amd64/jre/"
      PATH: "$SNAP/bin:$PATH:$SNAP/usr/lib/jvm/java-8-openjdk-amd64/jre/bin"
      GVFS_MOUNTABLE_DIR: "$SNAP/usr/share/gvfs/mounts"
      GVFS_MONITOR_DIR: "$SNAP/usr/share/gvfs/remote-volume-monitors"
      LD_LIBRARY_PATH: "$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/pulseaudio"

parts:
  mindustry:
    after: [desktop-gtk2]
    plugin: nil
    override-build: |
      wget -O $SNAPCRAFT_PART_INSTALL/Mindustry.jar https://github.com/Anuken/Mindustry/releases/download/v$SNAPCRAFT_PROJECT_VERSION/Mindustry.jar
    build-packages:
      - wget
    stage-packages:
      - openjdk-8-jre
      - ca-certificates
      - ca-certificates-java
      - libpulse0
      - libpulsedsp
      - libxxf86vm1
      - libgl1-mesa-dri
      - libglu1-mesa
      - libgl1-mesa-glx
      - libgles2-mesa
      - x11-xserver-utils
    prime:
        - -usr/lib/jvm/java-*/lib/security/cacerts
        - -usr/lib/jvm/java-*/jre/lib/security/cacerts
  launcher:
    plugin: dump
    source: snap/local
    organize:
      'launcher': 'bin/'
      'padsp': 'bin/'
      'sensible-browser': 'bin/'
      'usr/lib/*/gvfs/*.so': 'usr/lib'
      'usr/bin/xprop': 'usr/bin/xprop.disabled'
  desktop-gtk2:
    build-packages:
      - build-essential
      - libgtk2.0-dev
    make-parameters:
      - FLAVOR=gtk2
    plugin: make
    source: https://github.com/ubuntu/snapcraft-desktop-helpers.git
    source-subdir: gtk
    stage-packages:
      - libxkbcommon0
      - ttf-ubuntu-font-family
      - dmz-cursor-theme
      - light-themes
      - adwaita-icon-theme
      - gnome-themes-standard
      - shared-mime-info
      - libgtk2.0-0
      - libgdk-pixbuf2.0-0
      - libglib2.0-bin
      - libgtk2.0-bin
      - unity-gtk2-module
      - locales-all
      - libappindicator1
      - xdg-user-dirs
      - ibus-gtk
      - libibus-1.0-5
alan@KinkPad-K450:~/mindustry$ 

2 Likes
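Once `snap/snapcraft.yaml` has been extracted as in the post above, the two things the thread worries about (what the snap is allowed to reach, and where its payload is downloaded from) can be pulled out of it with a short script. This is an added example, not part of the thread and not code from snapd or snapcraft; the function names, the set of plugs it flags and the checksum heuristic are assumptions of the example, and the sample input is a constructed, trimmed copy of the file from the post.

```shell
#!/bin/sh
# Added example: review a snapcraft.yaml extracted from a downloaded snap.
# Assumes block-style YAML lists, as in the file shown in the post.
# Value of a top-level scalar key such as "confinement".
top_key() {   # top_key KEY FILE
    awk -v k="$1" 'index($0, k ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$2"
}

# Every interface named under any "plugs:" list, one per line.
list_plugs() {   # list_plugs FILE
    awk '/^[ \t]*plugs:[ \t]*$/ { on = 1; next }
         on && /^[ \t]*-[ \t]/  { sub(/^[ \t]*-[ \t]*/, ""); print; next }
         { on = 0 }' "$1" | sort -u
}

# Plugs worth a second look; the selection is this example's own choice.
broad_plugs() { list_plugs "$1" | grep -E '^(home|network|network-bind|x11)$'; }

# Remote URLs the recipe pulls from (part sources and download commands).
remote_urls() { grep -oE 'https?://[^ "]+' "$1" | sort -u; }

# wget/curl lines when the recipe names no checksum or signature tool (heuristic).
unverified_downloads() {   # unverified_downloads FILE
    grep -qE 'sha(256|512)sum|gpg' "$1" && return 0
    grep -E '^[[:space:]]*(wget|curl) ' "$1" | sed 's/^[[:space:]]*//'
}

# Constructed sample: a trimmed copy of the snapcraft.yaml from the post.
write_sample() {   # write_sample FILE
    cat > "$1" <<'EOF'
confinement: strict
apps:
  mindustry:
    plugs:
    - network
    - home
    - opengl
    - x11
parts:
  mindustry:
    override-build: |
      wget -O $SNAPCRAFT_PART_INSTALL/Mindustry.jar https://github.com/Anuken/Mindustry/releases/download/v$SNAPCRAFT_PROJECT_VERSION/Mindustry.jar
  desktop-gtk2:
    source: https://github.com/ubuntu/snapcraft-desktop-helpers.git
EOF
}
f=${1:-$(mktemp)}; [ -n "${1:-}" ] || write_sample "$f"
printf 'confinement: %s\nplugs to review: %s\n' "$(top_key confinement "$f")" "$(broad_plugs "$f" | tr '\n' ' ')"
remote_urls "$f"; unverified_downloads "$f"
```

Pass the extracted file as the first argument, for example `squashfs-root/snap/snapcraft.yaml`; with no argument the script runs on the embedded sample.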

Ah cool. Very good to know, thanks. 🙂

1 Like

Thanks for your input. We definitely could make some improvements to both encourage publishers to link to sources and information about themselves as well as provide publisher pages on snapcraft.io. We will take this into consideration.

3 Likes