Mystery channels on snap

Hi,

I’ve taken a look at the metrics for the mosquitto snap today, and when looking at the channels view I noticed that there are a handful of channels that I know nothing about, as shown by the red dots here.

Most of the channels have 0 installs - I presume there was one or two at some point which is still weird - but more concerning is 20/stable which started in around July 2021 and has been growing ever since to make up 10% of the total installs.

What’s going on here?

Thanks,

Roger

1 Like

I don’t think anyone here can make an accurate guess. You should reach out to the snap publisher:

```
$ snap info mosquitto --verbose
name:      mosquitto
summary:   Eclipse Mosquitto MQTT broker
publisher: Mosquitto Team (mosquitto✓)
store-url: https://snapcraft.io/mosquitto
contact:   https://mosquitto.org/
links:
  contact:
    - https://mosquitto.org/
  website:
    - https://mosquitto.org/
```

Sorry, I should have made that clearer. I’m the snap publisher, I’m the only person with access to the account. That’s why I’m surprised that there are channels I didn’t know about. I’m hoping someone from Canonical can confirm what it is and in particular that it’s nothing nefarious.

1 Like

Hi,

Thanks for raising this. Our team will look into it and get back to you as soon as possible.

Thanks,

Odysseus

1 Like

Hi,

These metrics are based on what clients periodically report to the Store during refresh requests; more specifically the tracking channel of each reported installed snap. We use those channel names verbatim - with some validations, but we don’t check the channel actually exists. This is to show publishers an accurate picture of the installed base of their snaps without hiding any data unnecessarily. So, these clients are somehow tracking a nonexistent channel.

2 Likes

@maxiberta Thanks for the reply. What you’ve said makes sense and I understand why you’d do that.

So essentially if I worked in a company and decided to build my own snap to deploy install on machines we owned/sold and used that channel name and the same snap name, then it would report back to the store and you’d show it. This other snap would have no benefits of being able to auto update though, because it’s not hosted on the store.

I guess I’ll never know where it’s from.

Cheers,

Roger

Not exactly. When snapd sends a request for snap update it includes a list of all installed snaps and the channels they are tracking. In fact the request does not even include snap names, only snap IDs.

The snap namespace is global, snap IDs and names are unique. AFAIU (@maxiberta please confirm), users of brand stores are not able to publish snaps under the same name as ones already existing in the global store, they have to use a different name (usually prefixing it with their brand store name). On the other side of the spectrum, unasserted snaps that you may have built yourself have no snap ID, track no channels and are never included in the request to the store.

So unless there’s a request which references the exact same snap ID, it should not be aggregated towards the stats of mosquitto.

@maxiberta on the other hand, such requests do seem a little bit suspicious, no? It feels like the store should be rejecting them.

Well the evidence suggests that there are requests using the exact same snap ID, otherwise they wouldn’t be appearing :slight_smile:

Could there be something related to the way Ubuntu Core works that contributes to this? I have slightly more Core 20 users than for the 20/stable channel.

Yes, this is correct.

If you mean clients reporting snap ids tracking non-existent channels, yes these are suspicious and unexpected, but I don’t think we should just drop them - visibility for publishers is good!

I think a common source of unexpected and/or weird metrics are cloned cloud VMs and containers. But we don’t know in this case in particular.

I’m not sure, as a publisher, that it’s good for me to know that someone made up a channel that doesn’t exist and hasn’t been published to, ever.

1 Like

Judging by the screenshot I think we know who that was :smiley: cc @popey

On a more serious note, I suppose one could include some random, even offensive names as long as they meet the format, which I understand would be reported in statistics presented to the publisher. Snapd has no way of validating this information without asking the store, which would be done when one used `snap switch` (or `snap refresh --channel`) commands, but not if the state file is edited by hand.

Well, for clarity, it wasn’t me.

1 Like

So if I understand this correctly, the working theory is that someone made a VM/container with Ubuntu and snaps running on it, installed mosquitto, hand edited the state.json to point it to a different channel, then shared that VM/container on the wider internet and it’s become popular. Also, because that channel doesn’t exist the people using the VM will never get updated. Similarly, four other people/attempts have been made to do the same thing but they haven’t become popular.

That seems very unlikely to me, however there is some evidence to back it up. The appearance of the 20/stable channel occurs after the 2.0.11 release, and I’ve got a stubborn and growing set of users stuck on 2.0.11. There are some odd bumps in the metrics graph for the 20/stable channel, and they are mirrored in the 2.0.11 portion. Interestingly, I’ve also got a smaller but growing set of users who appear to be stuck on 2.0.15, and the sum of the 2.0.11 and 2.0.15 is 160 shy of the 20/stable count.
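
For anyone auditing their own machines for the situation discussed in this thread (an installed snap tracking a channel the store does not list, so it never refreshes), here is an added example; it is not code from any poster or from snapd. It assumes the `tracking:` and `channels:` layout that `snap info` prints for an installed snap; the sample output is constructed (revisions and dates are made up) and the function names are hypothetical.

```python
import re

RISKS = ("stable", "candidate", "beta", "edge")

# Constructed `snap info mosquitto` output for a host tracking a channel
# the store does not list; revisions and dates are made up for the example.
SAMPLE = """\
name:      mosquitto
tracking:     20/stable
channels:
  latest/stable:    2.0.15 2022-01-01 (1002) 1MB -
  latest/candidate: ↑
  latest/beta:      ↑
  latest/edge:      2.0.15 2022-01-01 (1003) 1MB -
installed:          2.0.11            (1001) 1MB -
"""

def normalize(channel):
    """Reduce a channel string to track/risk (simplified: branch dropped)."""
    parts = channel.split("/")
    if parts[0] in RISKS:              # "stable" or "stable/branch"
        return "latest/" + parts[0]
    if len(parts) == 1:                # bare track such as "20"
        return parts[0] + "/stable"
    return parts[0] + "/" + parts[1]

def parse_snap_info(text):
    """Return (tracking, published_channels) from `snap info` text output."""
    tracking, published, in_channels = None, set(), False
    for line in text.splitlines():
        if line.startswith("tracking:"):
            tracking = normalize(line.split(":", 1)[1].strip())
        elif line.startswith("channels:"):
            in_channels = True
        elif in_channels:
            m = re.match(r"\s+(\S+):\s", line)
            if m:
                published.add(normalize(m.group(1)))
            else:
                in_channels = False    # left the indented channel map
    return tracking, published

def tracks_unpublished_channel(text):
    """True when the host tracks a channel absent from the store's list."""
    tracking, published = parse_snap_info(text)
    return tracking is not None and tracking not in published

if __name__ == "__main__":
    print(parse_snap_info(SAMPLE)[0], tracks_unpublished_channel(SAMPLE))
```

On a real host the input would be the captured output of `snap info <name>`; a `True` result marks an install that will keep reporting that channel to the store while staying on its current revision.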