Lack of package provenance is a security concern

A few notes

  • The author field is the name of the account that “owns” the snap in the snap store, so you can’t just fill in “HashiCorp”. Though nothing is stopping you from creating an account named “HashiCorpOfficial” and publishing snaps under that name.
  • Some authors are “verified”, which means they get a check mark next to their name. However, there is no way to publicly request to be verified. Moreover, users rarely notice the absence of a safety symbol, which is why browsers are now showing HTTP websites as “insecure” instead of showing HTTPS websites as “secure”.
  • Unconfined/classic snaps require the publisher of the snap to be vetted; the snapcraft team checks if the account is really associated with the developer of that application.
  • Snaps can optionally include their build manifest in the snap as the file snap/manifest.yaml. However, this file could be doctored and the snap tools do not tell you to look in that file.
  • Publishers can include a “contact me” URL so you know how to contact them. However, that field is not required.
  • For reference, similar topics have been discussed previously, though not much came from them: Snap build transparency and trust
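As an added illustration (not part of the original post) of the two points above about the verified check mark and the optional contact field: a small check that reads the text printed by `snap info` and flags a snap whose publisher is not verified or who gives no contact. The sample output below is constructed, and the assumption that a verified publisher is marked with a trailing “✓” (and a starred one with “*”) on the `publisher:` line is mine.

```python
import re

# Constructed samples of `snap info` output (not captured from a real run).
SAMPLE_VERIFIED = """name:      hello
summary:   GNU Hello, the "hello world" snap
publisher: Canonical\u2713
contact:   snaps@canonical.com
"""
SAMPLE_UNVERIFIED = """name:      terraform
summary:   Terraform
publisher: HashiCorpOfficial
"""

FIELD = re.compile(r"^(?P<key>[a-z-]+):\s*(?P<value>.*)$")

def parse_snap_info(text):
    """Turn the `key: value` lines of `snap info` into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group("key")] = m.group("value").strip()
    return fields

def publisher_status(text):
    """Return (publisher name, status, has_contact).

    status is "verified" for a trailing check mark, "starred" for a trailing
    "*", and "unverified" otherwise (assumption about snap info's markers).
    """
    fields = parse_snap_info(text)
    raw = fields.get("publisher", "")
    if raw.endswith("\u2713"):
        return raw[:-1], "verified", "contact" in fields
    if raw.endswith("*"):
        return raw[:-1], "starred", "contact" in fields
    return raw, "unverified", "contact" in fields

def provenance_warnings(text):
    """List the provenance gaps a user should notice before installing."""
    name, status, has_contact = publisher_status(text)
    warnings = []
    if status == "unverified":
        warnings.append(f"publisher '{name}' is not verified by the store")
    if not has_contact:
        warnings.append("no contact field given by the publisher")
    return warnings
```

The name shown for an unverified publisher is only an account name, so a warning here means “go check who this really is”, not that the snap is malicious.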