Name Approval not working? Need auto-approval for trusted publishers

Hey I have been publishing snaps for a few years now, is there any way that my account can be added to some kind of auto-approval list as a trusted publisher?

The problem I am having at the moment is that a new snap name sends for review with only a comment, I can’t even set up the snap page - so I have no idea how a reviewer would be able to decide if the new snap name could be trusted or not from that basic information alone (a name and an optional comment box to supply further information).

1 Like

The new gated review process was added after there was a flood of scam crypto nonsense in the store.

I usually put a comment in which explains who I am, what the app is, why making a snap of it is important. It takes 2 minutes.

The review process takes a little while, and is a touch opaque, I suspect, by design.

I suspect there’s not a huge number of reviewers processing the name registrations. So you may have to wait a few days. More time to do some QA though, eh? :smiley:

2 Likes

Yeah I saw that news update, tbh that was waiting to happen. I always joked about how unregulated Snapcraft was in the past. But if there was any saving grace that Snapcraft had over Flathub it’s that Snapcraft approval was instant using an easy-to-use GUI. Now it doesn’t even have that, it has a worse, super ambiguous approval process and longer wait times instead.

They need to start whitelisting publishers, they could have already automatically whitelisted prior publishers that had uploaded many snaps and not broken the rules.

I just see this as another failure of the Snapcraft ecosystem.

Even worse, I can bypass this approval system and publish snaps right now if I wanted to! So many oversights…

Obviously whitelists need to be implemented ASAP and the approval process needs to be considerably improved and made far more transparent - in its current state it’s a hideous black box.

Flathub on the other hand has a great approval process using the GitHub Pull requests system, where you can build your application as you wait for approval and communicate with the staff who will eventually approve it - for help and advice.

When I can clearly say Flathub is better, that’s not good for Snapcraft at all.

Particularly when Snapcraft has a bad habit of always trailing behind Flathub in every respect (from a publisher’s point of view).

2 Likes

I really wish the community and publishers had a say on this!

Let’s take a step back here.

The vast, vast majority of developers who publish snaps are publishing exactly one snap. A few large publishers or organisations such as KDE and JetBrains publish more than ten. But those are outliers; by far and away the majority of snapcraft publishers are single-snap maintainers.

We (us in this thread) are also outliers.

The processes that Canonical put in place - to me at least - appear to be tailored to the majority use case. That is:

  • A new individual or organisation wishes to register the name of a new application
  • They register an account, and request the name
  • Time passes
  • They get the name and publish it

Typically that process is relatively quick in the grand scheme of things. Whereas we (enthusiasts) have already been blessed with the instant turnaround, and feel aggrieved when it takes longer than an INSTANT to register a snap name.

(I had a snap sat for a few days on my computer because the name was waiting for approval)

If I was a big brand, and had a release cadence to cater to, then I likely would have registered the name some time back, and done some testing of the store delivery, UX etc. But we don’t do that, because “we” know the whole process.

I can’t help feeling that the whole push to CI/CD has made everyone a little less patient. It wasn’t that long ago that you’d wait for 6 months to get the newest software in your Linux distro. When I was young, we waited days to get our software, in the mail.

I’d rather like to see us cut the store review team a little slack, rather than lament the end of the snapcraft world, just because it takes longer than a second to register a name. :man_shrugging:

1 Like

Personally I think the instant name registration should have been stopped years ago, security concerns aside; the biggest problem I see in Snaps personally is a lack of maintainers and lack of consistent quality.

A few years ago I’d proposed automatically unlisting snaps with no activity; where activity would be an update in the last year or a response to an automatically generated email sent to the maintainers asking them to testify that the snap still works as expected.

IMO we already have far too many “Hello Worlds” and other snaps that were useful but have since lost maintainers. The quality of the unmaintained snaps doesn’t improve because they’re unmaintained, yet the quantity of them is increasing constantly, since maintainers remain relatively constant over time (I’d like to think it goes up, but certainly it goes up slower than the rate test snaps and deprecation goes up).

It’s tangentially related to the original topic, and the intention of the approval process isn’t the same intention I’d have with increasing quality over quantity of snaps, but I think we’re long past the days Snaps were new and needed “all hands on deck”. If a maintainer cannot wait a week or two to get the name, I’d personally avoid giving them the name at all because it’s suggesting they don’t have the commitment over periods of years that I’d like to think we all have.

Obviously this is speaking in the general case, as Popey says, most people have 1 snap, some have 50. Generally the people with 50 are lacking resource not commitment and I don’t see a problem with that because the quality of their work can still be exceptionally good even if sometimes delayed.

But certainly, I’ve avoided publishing snaps because either other people have already taken the names and never uploaded once in several years of owning them, and I’ve also avoided uploading snaps because there’s already currently broken versions on the store. I’ve also been salty in the past (internally, to myself!) when people have uploaded the same snaps I have that already worked, left them to rot, and now my snap competes against a version that’s 4 years outdated, people complain snaps are bad using the outdated versions, and that’s seen as a technical problem with snaps not a problem with maintainers (or lack thereof).

In fact, I’ve had that happen to the same snap twice :(!

TL;DR I agree it’s annoying to dedicated snappers cos we’ve had it good so far, but in the general case, I don’t think getting names should be as easy as it has been historically, whether that makes us better or worse than competition, they can do their own thing.

3 Likes

These are losing sentiments to be honest and it’s exactly this kind of thinking that makes Flathub a better platform, and even Flathub doesn’t have their heads fully in gear - that is to say I don’t think it would take that much to outdo them.

Popey, you can’t defend a SOTA system based on past sentiments, this is just distorting context to serve your pro-snapcraft agenda.

The point still stands, I don’t mind waiting, I have to wait with Flathub too, but it’s the terrible “hang-fire” approval process where the publisher is unable to see any progress or even supply satisfactory information that might help the approval process - and no ability to update or append to the information the publisher had originally submitted for the approval.

There are only a few qualities that made Snapcraft better than Flathub, so to lose an integral functionality like instant turn around is a big deal and to ignore that is foolish. Particularly when it can be solved so easily with whitelisting (that can be automated). That being said I don’t mind an approval process if it was done better and not in this current haphazard state.

I am very concerned by your response simply because it serves to make Snapcraft worse and not better, merely to defend it in a manner that disregards the problems at hand, to defend it blindly.

James-Carroll, the solutions to the problems you describe can be solved without having to alter the approval process, but I also don’t have a problem with having an approval process as long as it is a good approval process, although the debate of quality of snaps is off-topic to this thread, yes getting names is too easy and they can’t be deleted so hogging names becomes mandatory, it makes absolutely no sense and is one of many issues I have raised on these forums in my many long-winded threads that go completely ignored.

It doesn’t matter how many snaps people have published, etc, these problems I am raising are very real no matter how anyone tries to minimise them with arguments - they simply need to be addressed and fixed or Snapcraft will remain at best #2 to Flathub.

1 Like

You’re right, when I’d made my suggestions back when, they were around cleaning up snaps that already exist but aren’t maintained, not blocking new snaps from existing because they could become unmaintained.

But any change doesn’t exist in isolation. The primary effect of this change is security related (which I don’t think it’s doing enough yet), but there’s other effects and whether it was security related or not, I’d still personally approve of making it harder to upload brand new snaps.

As for giving people the ability to instantly create names, as you say, you could have a trusted users list and I’d be fine with people like yourself being on it.

But the underlying problem itself is trust, and Canonical has said it’s being reviewed in that context, considering approaches like ID verification & etc.

Once the trust is sorted out, I’d propose trusted people could generate names instantly, and that precedence with people like yourself would constitute one of those ways of earning trust.

But I’d never personally want a return to the norm where any random person can upload a snap with any given name and publish to it with no inconvenience whatsoever. Between malicious cryptominers and general lack of consistent quality, I personally feel we’d be better off with fewer but more dedicated snappers than the 350+ hello worlds we currently have (Can we not have a staging store?!). Not one of these people considered setting their snap to unlisted or private when they were done with it?

So for yourself personally, yes, I’d want you to have quicker access to publishing and a more streamlined process. But in general, I’d want slower access to publishing (but still with a more streamlined process).

1 Like
1 Like

Ah, secretly I know it does actually exist, but it’s hella undocumented and I’m not so sure how it works!

(E.g. I’d assume a staging store would have to sign with different keys that main snapd wouldn’t recognise, or you’d upload malicious packages to the staging store to get them signed in ways that the production store might not allow).

If it does actually work though, maybe I could write some documentation…

1 Like

Thinking further, perhaps I have been a bit too relaxed on this issue. Thanks for calling it out @fletch - I appreciate it. I generally agree that there should be better processes around registration. I also agree it would be useful if those of us with long term reliability and a track record of uploading non-dodgy software, might need to benefit from an ‘allowlist’ for publishing.

I think where I fall down is that having been at Canonical, I know how slow some of these important compliance and process changes are to implement. I know some of it is under-resourcing, and some is prioritisation (or lack thereof). As has always been the case at Canonical, projects get to “60% done” and the company moves on to the next shiny. The same is true of snapcraft, sadly.

Part of the problem is the lack of communication and engagement. It’s incredibly frustrating to see threads go unanswered, knowing (from insiders) that there are private conversations about these things happening where nobody can see - inside Canonical chat systems, and in hidden google docs.

I don’t know how to change that, it needs to come from the top.

1 Like