Please allow use of personal-files for gitl [Was: Classic confinement for gitl]

@wieczorek1990 - can you comment on @chipaca’s feedback? Lots of applications can potentially access files from anywhere, but in practice access them almost exclusively from locations that can be accommodated by strict confinement. That sounds like the case with gitl. If it is not, can you specifically comment on why?

I think this is what I need.
Could you share an example configuration if available?

It’s on github,


(in the snap directory)

So do I need something else from this:


Should I request some approval, etc.?

Yes. It sounds like you are saying that your use of personal-files fits your use case, so I have converted this classic request to a request to use personal-files.

The snap is using:

plugs:
  gitconfig:
    interface: personal-files
    read:
      - $HOME/.gitconfig
      - $HOME/.config/git/config

+1 for use of and auto-connection of this interface.

@reviewers - can some of you also vote on this?

+1 from me, the personal-files usage is very well constrained and auto-connection makes sense because people installing gitl, whose purpose is quite clear and obvious, are likely to be OK and explicitly want that anyway.

  • Daniel

+1 from me too. These directories make sense for this application.

git can write to .gitconfig with e.g. git config --global user.name wieczorek1990 too so I change the request from read to write.

I just tried these commands to check if it works, and it doesn’t:

snapcraft
snap install --dangerous git_0.3.0_amd64.snap
snap connect gitl:gitconfig
gitl
# acts like .gitconfig is not read
# writes to ~/snap/gitl/current/.gitconfig

I don’t know how to proceed.

EDIT:
Seems to somehow work, but not fully, I have a strange error now:

expansion of alias 's' failed; 'status' is not a git command

EDIT 2:

Writing to .gitconfig results in an error:

error: could not lock config file home/luke/snap/gitl/x3/.gitconfig: permission denied

The new snapcraft.yaml looks like that:

+1 for write as well. @popey and @roadmr - can you cast again?

Ping - I can’t tally until votes are recast for write access.

Guys, why does it take so long? @jdstrand @popey @roadmr

@wieczorek1990 Apologies for the delay.

+1 from me.

2 votes for, 0 against (1 discarded since it wasn’t for write). Granting use of and auto-connection for the personal-files interface.

While I have granted the snap declaration, the review-tools need a corresponding update. I have performed this update, but it is not in production yet. Newly uploaded revisions will require someone to manually approve it until this change is in production.

Apologies for the delay (due to vacation :beach:): post-facto +1 from me with write, my only concern is granting write permissions to .gitconfig to a third-party app but gitl has “git” in its name so users should not be caught unaware.

  • Daniel

@jdstrand
Now I get this error during push:

luke ~/D/gitl $ snapcraft push gitl_2.0.0_amd64.snap
Preparing to push 'gitl_2.0.0_amd64.snap'.
Pushing 'gitl_2.0.0_amd64.snap' [=========================================] 100%
Processing...|
Error while processing...
The store was unable to accept this snap.
  - override not found for 'plugs/gitconfig'. Use of the personal-files interface is reserved for vetted publishers. If your snap legitimately requires this access, please make a request in the forum using the 'store-requests' category (https://forum.snapcraft.io/c/store-requests), or if you would prefer to keep this private, the 'sensitive' category.

EDIT:
Signed up for manual revision.

Yes, that is expected and what I was trying to communicate with “While I have granted the snap declaration, the review-tools need a corresponding update. I have performed this update, but it is not in production yet. Newly uploaded revisions will require someone to manually approve it until this change is in production.” I have approved the revisions you requested. The update should be in prod soon.

Still it reads the .gitconfig from ~/snap/gitl/current/.gitconfig instead of the user home directory.
Or am I not understanding how it works? What directory does the $HOME variable from snapcraft.yaml refer to?

At runtime, HOME of a snap is set to that directory, which is not the actual user’s home. This is convenient for a majority of legacy apps trying to make it into snaps, but hinders cases such as these (and I expect we’ll make opting-out of this HOME rewriting a thing at some point as things mature). Meanwhile, in icdiff, I change the first line of git-icdiff script to be

export HOME=$(perl -we "print((getpwuid $>)[7])")

because as I tested things that was the most lightweight way of achieving this. Other snaps that need this do something similar using getpwent etc.
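
The HOME rewriting described in the last reply, as an added example that is not part of the thread and is not gitl's or icdiff's own code: a POSIX sh helper that looks the real home directory up in the passwd database and switches HOME only when it equals the per-snap data directory. The function names, the sample passwd lines and the assumption that snapd exports SNAP_USER_DATA with the same value as the rewritten HOME are introduced here.

```shell
#!/bin/sh
# Added example (not from the thread): pick the HOME a snapped git wrapper
# should export when snapd has rewritten HOME to the per-snap data directory.

# Constructed sample passwd(5) data, used only to exercise the parser offline.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
luke:x:1000:1000:Luke:/home/luke:/bin/bash'

# home_from_passwd UID: read passwd(5) lines on stdin and print field 6 (home)
# of the first entry whose numeric uid (field 3) matches; non-zero if none.
home_from_passwd() {
    awk -F: -v uid="$1" '$3 == uid { print $6; found = 1; exit }
                         END { exit !found }'
}

# real_home: the invoking user's home according to the passwd database,
# independent of the HOME environment variable.
real_home() {
    getent passwd "$(id -u)" | home_from_passwd "$(id -u)"
}

# pick_home CURRENT_HOME SNAP_USER_DATA PASSWD_HOME: print the HOME to export.
# Switch only when HOME is the snap's own data directory (assumption: snapd
# sets both to the same path) and the passwd entry is an absolute path;
# otherwise leave HOME alone.
pick_home() {
    case "$3" in
        /*) if [ -n "$2" ] && [ "$1" = "$2" ]; then
                printf '%s\n' "$3"; return 0
            fi ;;
    esac
    printf '%s\n' "$1"
}

# In a wrapper script the last lines would be (assumption: git is on PATH):
#   HOME=$(pick_home "$HOME" "${SNAP_USER_DATA:-}" "$(real_home)")
#   export HOME
#   exec git "$@"
```

Changing HOME only changes where git looks; access to the real `.gitconfig` still depends on the `gitconfig` personal-files plug shown earlier in the thread being connected.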