Is "snap install --classic" flag on user side meant to override the default published strict confinement? Or is it a bug?

Hello,

While trying to explore --classic confinement for my application, I found that a user can break my strict confinement by using snap install bashell --classic. Is this expected? If yes, I will just update the documentation with the installation guide.

My application “bashell” requires classic access since the tool requires write permission to the OS system for creating and deleting files. I’m aware that the --classic confinement process requires a manual human review.

However, on machines that don’t need write access, they are usable in strict confinement. This allows users to use the app while bypassing the manual human review process. Hence, is this a bug?

App: https://snapcraft.io/bashell

Please advise.

Regards,
Holloway

It is not a bug, as far as I know. Being able to manually change the confinement of a snap was a requested feature, useful for developers and packagers.

However, note users will not be prompted to use --classic, and users of GUI stores don’t (yet) have the option of overriding the confinement set in the snap.

Unless a snap was built as a classic snap, binaries within a snap installed with classic confinement will load the interpreter and libraries from the host system, not the core snap, so won’t be portable between distros and versions of distros. If a binary was built as a classic snap, it will load libraries from /snap/core/current which is not present in the execution environment of confined snaps so it just won’t work at all if it is installed that way.

So this doesn’t sound like something that should be supported to me…

Understood. Thanks.

In that case, I’ll proceed to raise the “classic” ticket for my application and avoid hacking my way out with the “--classic” installation with strict confinement.

There shouldn’t be a problem moving forward related to libraries. We plan to deliver a single executable application as our strategy in the future without dependencies.

Note that the choice of it being a classic snap limits your possible targets (classic is not supported on all distros, and classic will not be installable on UbuntuCore, where I imagine you could have a large target audience for something like bashell).

@ogra Thank you. Well informed.

The strict confinement broke half of bashell’s capabilities and the GUI install instructions in the store can mislead users’ expectations. Reaching people the right way is always a higher priority than the mass market for now.

If publishing both “strict” and “classic” simultaneously is available, that would definitely be my first choice. =)