snapcraft.io and “snap info …” do not require any package source, authorship, integrity, ownership, or other means by which provenance can be determined.
tl;dr -> What is the intended way to view the source of a snap and connect a snap to its upstream? Can more metadata be required for uploading snaps to snapcraft.io to allow for basic authentication of package contents?
I’m new to using snap but discovered this while working on HashiCorp Nomad and seeing this after trying to run Nomad before installing it:
```text
~$ nomad agent -dev
Command 'nomad' not found, but can be installed with:
sudo snap install nomad # version 0.7.1, or
sudo apt install nomad # version 0.8.7+dfsg1-1ubuntu1
```
A snap! I just started happily using snaps for other apps, so I wanted to investigate. Nomad’s is very out of date with upstream, so I went looking for how this snap is built:
```text
~$ snap info nomad
name:      nomad
summary:   Easily Deploy Applicatrions at Any Scale
publisher: Stefhen (res0nat0r)
store-url: https://snapcraft.io/nomad
license:   Proprietary
description: |
  Nomad is a single binary that schedules applications and services on Linux,
  Windows, and Mac. It is an open source scheduler that uses a declarative job
  file for scheduling virtualized, containerized, and standalone applications.
snap-id: G6Lkx7rvJ6pn2BbWhQ8ADFz3GxtePT2m
channels:
  stable:    0.7.1 2018-03-27 (1) 10MB -
  candidate: ↑
  beta:      ↑
  edge:      ↑
```
Hm, no upstream or source links of any kind in the info output. The license is wrong as well. I followed the only available link to the snapcraft website and it did not display any further metadata or links.
There’s an author, but no link to contact the author or gain any information about the author. As far as I know the author field is completely controlled by the end user and could be set to “HashiCorp.”
My only available option seems to be reporting the app, but that seems extreme. It’s ok for people to package open source software, but I don’t even know how to tell what’s in this package.
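A small pre-install check of the kind the post is asking for, written as an added example (it is not code from the post, from snapd or from snapcraft.io): it parses the `snap info` text shown above and reports what a reviewer would need before trusting the package. The `contact:` line is one snapd prints when the publisher set it; treating `website:` and `source-code:` the same way is an assumption made here. The sample output is constructed to mirror the post, the expected license is supplied by the caller (Nomad was MPL-2.0 at the time), and the "today" date is fixed so the staleness check is reproducible offline.

```python
"""Flag snaps whose `snap info` output carries no provenance metadata."""
import re
import subprocess
from datetime import date
from typing import Dict, List, Optional, Tuple

# Fields that would let a reviewer connect a snap to its upstream.
# `contact` is printed by snapd when set; the other two are assumed here.
PROVENANCE_FIELDS = ("contact", "website", "source-code")

# Constructed sample mirroring the `snap info nomad` output in the post.
SAMPLE_SNAP_INFO = """\
name:      nomad
summary:   Easily Deploy Applicatrions at Any Scale
publisher: Stefhen (res0nat0r)
store-url: https://snapcraft.io/nomad
license:   Proprietary
description: |
  Nomad is a single binary that schedules applications and services on Linux,
  Windows, and Mac. It is an open source scheduler that uses a declarative job
  file for scheduling virtualized, containerized, and standalone applications.
snap-id: G6Lkx7rvJ6pn2BbWhQ8ADFz3GxtePT2m
channels:
  stable:    0.7.1 2018-03-27 (1) 10MB -
  candidate: ↑
  beta:      ↑
  edge:      ↑
"""


def parse_snap_info(text: str) -> Dict[str, str]:
    """Parse top-level `key: value` lines of `snap info` output.

    Indented continuation lines (the `description: |` block scalar and the
    `channels:` section) are joined onto the key that opened them.
    """
    fields: Dict[str, str] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m and not line.startswith((" ", "\t")):
            current = m.group(1)
            value = m.group(2).strip()
            fields[current] = "" if value == "|" else value  # drop YAML block marker
        elif current is not None:
            fields[current] = (fields[current] + "\n" + line.strip()).strip()
    return fields


def stable_release(fields: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (version, release date) of the stable channel, or None if unpublished."""
    m = re.search(r"stable:\s+(\S+)\s+(\d{4}-\d{2}-\d{2})", fields.get("channels", ""))
    return (m.group(1), m.group(2)) if m else None


def provenance_warnings(
    fields: Dict[str, str],
    expected_license: Optional[str] = None,
    max_age_days: Optional[int] = None,
    today: Optional[date] = None,
) -> List[str]:
    """List the reasons a reviewer could not tie this snap to its upstream."""
    warnings: List[str] = []
    for key in PROVENANCE_FIELDS:
        if not fields.get(key):
            warnings.append(f"no '{key}' field: cannot connect the snap to an upstream")
    if expected_license and fields.get("license") != expected_license:
        warnings.append(
            f"license is '{fields.get('license')}' but upstream declares '{expected_license}'"
        )
    release = stable_release(fields)
    if release is None:
        warnings.append("no release in the stable channel")
    elif max_age_days is not None and today is not None:
        age = (today - date.fromisoformat(release[1])).days
        if age > max_age_days:
            warnings.append(f"stable release {release[0]} is {age} days old")
    return warnings


def run_snap_info(snap_name: str) -> str:
    """Fetch live output; only used when run as a script on a host with snapd."""
    return subprocess.run(["snap", "info", snap_name], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    info = parse_snap_info(SAMPLE_SNAP_INFO)
    for w in provenance_warnings(info, expected_license="MPL-2.0",
                                 max_age_days=180, today=date(2019, 1, 1)):
        print("WARN:", w)
```

Run against a live host, `parse_snap_info(run_snap_info("nomad"))` feeds the same checks; a non-empty warning list is the cue to look for the snap's build recipe elsewhere (or to ask the publisher) before installing.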