So I’ve been using Snapcraft a bit lately, installing some packages with it and, recently, publishing my own snap, and I really like it. The auto updating and out-of-the-box confinement is great. I wanted to bring up, though, some initial concern that I had when installing certain apps from the snap store.
The main concern I had was with unofficial snaps where I had no information on the author that published the snap other than their Ubuntu One username. For example, the Mindustry snap was a snap that I wanted to install, but I could not find anything to verify the source of the snap. For all I knew I could be installing malware. There wasn’t any link to the source or any way to identify the author.
The snap description had a link to the GitHub source code for Mindustry, but no link to any snapcraft.yaml or anything to indicate what actually produced the snap. This isn’t necessarily any fault of the snap store or anything, but I wanted to bring it up as a potential concern of users.
I just published a Chocolatey package and I noticed that they will give you a link to the user who published a snap and will show you what other packages they published, if any. This could definitely help in some instances. I wonder if another possible help would be to allow you to tie your GitHub account to your snap store account, just for the sake of identifying you with a provider that many will recognize and can look at to get a cursory “background check” so to speak.
Either way, I think snaps are great and just wanted to open the discussion on how we might be able to improve the store experience.