Know to trust a snap?


#1

How do I know if I should trust a snap?

$ snap search gimp
gimp  2.8.22   snapcrafters
$ snap search heroku
heroku  v6.14.36+git4.914b286-dirty  dickeyxxx

The first one is snapped by some Ubuntu folks as far as I know but it’s not “officially endorsed” by the Gimp project, is it? The second one is, what I expect, the official Heroku snap but I might be wrong. Who is dickeyxxx and should I trust this snap?

You could say it doesn’t matter since snaps are sandboxes but the Heroku one will ask for my credentials. It’s easy to publish a fake snap only to harvest username and passwords.

Am I being too paranoid or is there a way to know what snaps are real and which are not? In other words, shouldn’t we have a way to identify “official” publishers?

Thanks!


#2

The idea with snaps is that you shouldn’t trust them as much as you trust the software coming from the Ubuntu and Debian archives. They are confined by default, and you are always in control of the permissions that you give them. The permissions are fine grained, so you no longer have to give them full root access.

However, I have learned that the only way to trust a project is to get to know the people behind it. There will always be mistakes and bugs, even on the most secure project, so what I look for (in addition to the obvious technical capabilities) is to be confident that the people I decide to depend on will own those mistakes and do their best to patch them and prevent them in the future.

One of the things I love the most about free software is that if I choose to do so, I can get very close to the developers of the projects. I can ask them questions, and I can help them. I can see how things evolve, and I get an open window to how the project reacts to good and bad times. And this forum is great for that. We are building every piece of the operating system together, we leave here a trace of every thing that happened, and you will get to see who did what, why, and you can decide if you want to trust those people connecting an interface on your machine.

For example, take a look at @evan’s post when he was starting to test heroku before transferring it upstream. Or you can search for gimp and see @daniel’s journey.

But, just seeing how people interact is also not enough to give you the confidence to connect some delicate interfaces. We, the paranoids, will first take a peek at the source code:

We might even want to deconstruct and rebuild the project ourselves, to learn what it does and how.

And of course, there will be many things that are not easy to understand in a few hours. So we can go back to people we trust and ask them. If something is not clear for you, please leave your question here in the forum. There are many great developers here, and our amazing security team is also present.

Snaps, the store, and this forum are big game changers. It’s a work in progress, and we still need to get better on traceability and transparency, but what’s great about not having everything already solved is that you can join us.


#3

In addition to the good insights from @elopio, I’d also say that yes there should be a way to tell upfront that someone was at least verified to be the person they claim to be.

We probably don’t want to over-emphasize the fact a publisher is the official publisher, though, because very often that will not be the case without this being an issue, and the work of good packagers shouldn’t be devalued just because they are not the upstream. The vast majority of software in Linux distributions is not packaged by upstreams.

So the goal should really be to more easily establish a line of trust onto the packager.