Like probably most people here, I’m used to apt-get my stuff.
I have almost no other ppa in my list than the default ubuntu ones and so I have quite a strong feeling that when I apt-get something it will be safe ( as-in it won’t brake my system and it won’t me some kind of malware).
However, I have a feeling that the snap store it not like that since people can publish and that I should be more careful installing apps, a bit more like the python pip repository.
To name a concrete example, lets take this package: https://snapcraft.io/audacity
At first glance, it doesn’t seem to be published by the official audacity author.
What is the chance of it being completely unrelated to audacity?
Can I tell from the store page if it will run as strict confinement and so at least will have no chance of messing up my system?
There was a recent post on this topic https://blog.ubuntu.com/2018/05/15/trust-and-security-in-the-snap-store.
In the case of the
audacity snap, you will see that it does not yet have a release in the stable channel, does have
strict confinement, and connects to the following interfaces:
Also, it appears this is following the snapcrafters process (from the GH repo linked in the snap’s contact) and there will thus be an attempt to hand over to the upstream project.
Depending on your risk tolerance, you could try it out now or wait until it is further along and published by the upstream project. There’s a lot of freedom with snaps and we are working to provide information for users to make informed choices about the software they are installing.
it’s published by myself, who some may consider a known and trusted community member and participant of the “Snapcrafters” project (according to @popey and @wimpress, though I think they are lying to me, and are secretly plotting for my demise…)
I have published several well-regarded snaps including GIMP, Corebird and several games. Whether you trust me is up to you, but all my snaps are listed on Github for your inspections if you desire to do so; either via the snapcrafters or my own snapcraft organisation.
The problem is that we don’t really know that the builds are really the result of one of the repositories on GitHub. It should be possible to reveal where the build came from (i.e. by build.snapcraft.io according to namespace/repo_name, or pushed directly by certain packager)
Please see Display provenance of snap when it is available