So I’ve been using Snapcraft a bit lately, installing some packages with it and, recently, publishing my own snap, and I really like it. The auto updating and out-of-the-box confinement is great. I wanted to bring up, though, some initial concern that I had when installing certain apps from the snap store.
The main concern I had was with unofficial snaps where I had no information on the author that published the snap other than their Ubuntu One username. For example, the Mindustry snap was a snap that I wanted to install, but I could not find anything to verify the source of the snap. For all I knew I could be installing malware. There wasn’t any link to the source or any way to identify the author.
The snap description had a link to the GitHub source code for Mindustry, but no link to any snapcraft.yaml or anything to indicate what actually produced the snap. This isn’t necessarily any fault of the snap store or anything, but I wanted to bring it up as a potential concern of users.
I just published a Chocolatey package and I noticed that they will give you a link to the user who published a snap and will show you what other packages they published, if any. This could definitely help in some instances. I wonder if another possible help would be to allow you to tie your GitHub account to your snap store account, just for the sake of identifying you with a provider that many will recognize and can look at to get a cursory “background check” so to speak.
Either way, I think snaps are great and just wanted to open the discussion on how we might be able to improve the store experience.
I published the Mindustry snap, and will update the page to link to the yaml. However, it's worth knowing you can see it yourself inside the snap, without installing it.
alan@KinkPad-K450:~$ mkdir mindustry
alan@KinkPad-K450:~$ cd mindustry/
alan@KinkPad-K450:~/mindustry$ snap download mindustry
Fetching snap "mindustry"
Fetching assertions for "mindustry"
Install the snap with:
snap ack mindustry_44.assert
snap install mindustry_44.snap
alan@KinkPad-K450:~/mindustry$ unsquashfs mindustry_44.snap snap/snapcraft.yaml
Parallel unsquashfs: Using 4 processors
1 inodes (1 blocks) to write
[===================================================================|] 1/1 100%
created 1 files
created 2 directories
created 0 symlinks
created 0 devices
created 0 fifos
alan@KinkPad-K450:~/mindustry$ cat squashfs-root/snap/snapcraft.yaml
name: mindustry
base: core18
version: "100"
summary: A sandbox tower defense game
description: |
  Mindustry is a hybrid tower-defense sandbox factory game. Create elaborate
  supply chains of conveyor belts to feed ammo into your turrets, produce
  materials to use for building, and defend your structures from waves of
  enemies. Features include a map editor, 24 built-in maps, cross-platform
  multiplayer and large-scale PvP unit battles.
grade: stable
confinement: strict
apps:
  mindustry:
    command: desktop-launch $SNAP/bin/launcher
    plugs:
      - network
      - network-bind
      - opengl
      - home
      - joystick
      - pulseaudio
      - desktop
      - wayland
      - x11
      - desktop-legacy
      - unity7
    environment:
      XDG_DATA_HOME: "$SNAP/usr/share"
      JAVA_HOME: "$SNAP/usr/lib/jvm/java-8-openjdk-amd64/jre/"
      PATH: "$SNAP/bin:$PATH:$SNAP/usr/lib/jvm/java-8-openjdk-amd64/jre/bin"
      GVFS_MOUNTABLE_DIR: "$SNAP/usr/share/gvfs/mounts"
      GVFS_MONITOR_DIR: "$SNAP/usr/share/gvfs/remote-volume-monitors"
      LD_LIBRARY_PATH: "$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/pulseaudio"
parts:
  mindustry:
    after: [desktop-gtk2]
    plugin: nil
    override-build: |
      wget -O $SNAPCRAFT_PART_INSTALL/Mindustry.jar https://github.com/Anuken/Mindustry/releases/download/v$SNAPCRAFT_PROJECT_VERSION/Mindustry.jar
    build-packages:
      - wget
    stage-packages:
      - openjdk-8-jre
      - ca-certificates
      - ca-certificates-java
      - libpulse0
      - libpulsedsp
      - libxxf86vm1
      - libgl1-mesa-dri
      - libglu1-mesa
      - libgl1-mesa-glx
      - libgles2-mesa
      - x11-xserver-utils
    prime:
      - -usr/lib/jvm/java-*/lib/security/cacerts
      - -usr/lib/jvm/java-*/jre/lib/security/cacerts
  launcher:
    plugin: dump
    source: snap/local
    organize:
      'launcher': 'bin/'
      'padsp': 'bin/'
      'sensible-browser': 'bin/'
      'usr/lib/*/gvfs/*.so': 'usr/lib'
      'usr/bin/xprop': 'usr/bin/xprop.disabled'
  desktop-gtk2:
    build-packages:
      - build-essential
      - libgtk2.0-dev
    make-parameters:
      - FLAVOR=gtk2
    plugin: make
    source: https://github.com/ubuntu/snapcraft-desktop-helpers.git
    source-subdir: gtk
    stage-packages:
      - libxkbcommon0
      - ttf-ubuntu-font-family
      - dmz-cursor-theme
      - light-themes
      - adwaita-icon-theme
      - gnome-themes-standard
      - shared-mime-info
      - libgtk2.0-0
      - libgdk-pixbuf2.0-0
      - libglib2.0-bin
      - libgtk2.0-bin
      - unity-gtk2-module
      - locales-all
      - libappindicator1
      - xdg-user-dirs
      - ibus-gtk
      - libibus-1.0-5
alan@KinkPad-K450:~/mindustry$
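As an added example (not Alan's code and not part of the Mindustry project), a small Python script that automates the download-and-extract steps above and then summarizes what the recipe declares: the plugs each app requests, where parts are sourced from, and any URL the build fetches. The watch-list of plugs and the line-oriented scan (block-style lists only, no full YAML parsing) are assumptions for illustration; `fetch_recipe` needs `snap` and `unsquashfs` on the host.

```python
import re
import subprocess
from pathlib import Path

# Assumed watch-list of plugs worth a second look on an unverified snap.
SENSITIVE_PLUGS = {"home", "network-bind", "removable-media", "system-files", "ssh-keys"}

def fetch_recipe(snap_name, workdir="."):
    """snap download + unsquashfs of just snap/snapcraft.yaml, as in the session above."""
    subprocess.run(["snap", "download", snap_name], cwd=workdir, check=True)
    snap_file = sorted(Path(workdir).glob(f"{snap_name}_*.snap"))[-1]
    subprocess.run(["unsquashfs", "-d", "squashfs-root", str(snap_file), "snap/snapcraft.yaml"], cwd=workdir, check=True)
    return (Path(workdir) / "squashfs-root/snap/snapcraft.yaml").read_text()

def summarize(recipe):
    """Line scan (not a full YAML parser): block-style plugs, part sources, fetched URLs."""
    plugs, sources, in_plugs = [], [], False
    for line in recipe.splitlines():
        if re.match(r"^\s*plugs:\s*$", line):
            in_plugs = True
            continue
        if in_plugs and (item := re.match(r"^\s*-\s*(\S+)\s*$", line)):
            plugs.append(item.group(1))
            continue
        in_plugs = False  # any non-list line closes the plugs block
        src = re.match(r"^\s*source:\s*(\S+)", line)
        if src:
            sources.append(src.group(1))
    urls = sorted(set(re.findall(r"https?://[^\s'\"]+", recipe)))
    return {"plugs": plugs, "sources": sources, "urls": urls,
            "review": sorted(SENSITIVE_PLUGS & set(plugs))}

# Constructed sample, abridged from the mindustry recipe shown above.
SAMPLE_RECIPE = """\
apps:
  mindustry:
    plugs:
      - network
      - network-bind
      - home
parts:
  mindustry:
    override-build: |
      wget -O $SNAPCRAFT_PART_INSTALL/Mindustry.jar https://github.com/Anuken/Mindustry/releases/download/v$SNAPCRAFT_PROJECT_VERSION/Mindustry.jar
  desktop-gtk2:
    source: https://github.com/ubuntu/snapcraft-desktop-helpers.git
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_RECIPE))
```

Running `summarize(fetch_recipe("mindustry"))` on a real host gives the same kind of report for the live snap, so the fetched URLs can be compared against the upstream project's own release page before installing.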
Thanks for your input. We definitely could make some improvements to both encourage publishers to link to sources and information about themselves as well as provide publisher pages on snapcraft.io. We will take this into consideration.
Here’s an earlier thread on similar concerns (before there was Verified / check mark):
This is something I’m concerned about myself. I can’t believe there’s so little discussion or concern by others. Like … why isn’t “snapcrafters” publisher verified even? Why isn’t “brave” (brave browser) verified? Or “telegram.desktop”? Fear coursed through my veins as I read the publisher name for Audacity on a server I have in production – like oh crap, what mess did I just cause for myself after installing that? (This person claims to be the official publisher of snaps for Audacity, … though for what reason should I believe that to be true? After research, I did discover this person provides snap building service, so I’m no longer as concerned with this publisher, … but this cannot really be this haphazard, can it?)
Am I risking that the “telegram.desktop” publisher is not really Telegram, but just some bad dude trying to intercept private messages?
Or the snap, … geany-gtk. Is that really from the geany team? Looks like it. If it wasn’t an older version I might have installed it.
[Edited: word choice, and added geany as another example.]
I think there’s a huge opportunity here for a middle-ground between whatever is involved in the “official” Verified checkmark - for which I’m not even sure there’s a documented process to request? - and verifying aspects of an account’s identity (that can be automated).
For example, with the way GitHub does it, the Warzone 2100 Project has verified ownership of the associated domain. (You can see that here: https://github.com/Warzone2100 )
As zicklag noted, offering the ability to verify that a Snapcraft publisher is associated with a GitHub account / GitHub organization would be a really solid improvement. This could be an automated process (from Snapcraft’s end), and could display the verified linkage (much like GitHub does with the domain name / email verification). (“GitHub verified”?)