Please revoke telegram-latest

I think this would be wise (it doesn’t happen at the moment as far as I’m aware), though the snapcrafters repo would need a documented authority structure/quality control as a semi-official snappy organization-of-sorts, and its promotion above other sources of applications (where the applications are the same) could then be justified because of this authority structure and quality control and its stated aim to get snaps upstreamed (and its success in doing so).

I’d disagree with any revocation. One of the use cases for snaps was touted to be as a replacement for PPAs. I have a snap package which is probably only useful for me, which I used to keep in a PPA. I’d hate for it to be revoked just because it annoyed someone in the store. Although, I admit, I had been misled by the telegram-latest package, it was immediately apparent through snap info this was legacy and unmaintained. By all means adjust the store to deprecate old snaps but please don’t revoke them.

3 Likes

I agree with your use case and I hope the use case is conveyed in the name of the snap; the case here is one of misleading people with a popular application name, with an identifier which is even more blatant as it is nowhere close to latest.

We are working on improvements to snap find that should help longer term, particularly giving the ability to categorize snaps and scoring up snaps that are “promoted” in those sections. Meanwhile I think we can do two things:

  1. As a store admin, I can contact the telegram-latest author and kindly request that they unpublish their snap.

  2. @sergiusens could request the bare “telegram” name and repub his snap there.

3 Likes

I think if @sergiusens requested the base application name, plus moved it over to snapcrafters that would at least help clarify the situation in the short-term until the new improvements come to light.

@bashfulrobot No, there’s not an order between providers, and I cannot imagine us ever doing something like that as it would be disrespectful to the snap community at large. The reason why snapcrafters are regularly part of such conversations is because it’s a very active community of snap maintainers, not because they have priority. So if we want to have some nice software up-to-date, they can help.

This is unrelated to revocations, orders, or any sort of priority.

@mcphail We would not revoke a name without contacting the publisher with reasoning and hopefully we’d have room for options (some cases we might not, e.g. legal action), and we always try to have such conversations publicly here, just as in the case of this very thread, so that it’s transparent and invites collaboration and discussion openly.

That said, the snap namespace is flat, so we’re all responsible for keeping it tight for us all to use it conveniently and appropriately. That means we will need revocations in some cases, and transfers, and renames. It’s all part of the job of maintaining a sane namespace.

Also note that in the case at hand it is the very owner of the name that is asking for it to be revoked, rather than someone asking for a third-party name to be revoked, and precisely in the interest of sanity. This sounds very reasonable to me. (see below)

Finally, it’s easy to make your own personal but public snap with a name similar to mcphail-telegram. Nobody else can argue about a name like this being improper or misassigned. It’s just your preferred flavor of some free software, with whatever version and patches you’d prefer to have on it.

2 Likes

@sergiusens I thought you were the owner of telegram-latest, but apparently not. Also, your snap info output shows a different output than mine. Mine says the publisher is “Saleh”? @noise?

Either way, we should absolutely not revoke this snap without approval from the publisher. The name is not fantastic, but that’s subjective and not a good basis for breaking other people’s snaps.

2 Likes

My output is identical to @sergiusens’ above. publisher listed as “pain7”:

name:      telegram-latest
summary:   Telegram Desktop Client latest
publisher: pain7
contact:   Dev9Ar@gmail.com
description: |
  Telegram is a popular messaging protocol with encryption ...
snap-id:     2HRsGY7THIQWdKvzbrHACxrwUZuuDiWA
channels:              
  stable:    1.0.5 (4) 29MB -
  candidate: ↑              
  beta:      ↑              
  edge:      ↑

$ snap info telegram-latest
name:      telegram-latest
summary:   Telegram Desktop Client latest
publisher: Saleh

bizarre!

$ snap version
snap    2.31
snapd   2.31
series  16
ubuntu  17.10
kernel  4.13.0-32-generic
$ # core 16-2.31 (4017, candidate)

Looks like 2.31 changed the developer username column to show display name, was that intentional?

Note in the details API response these are “origin” and “publisher” respectively, for historical reasons.

No, that’s definitely not intentional. The display name is not unique and can be changed, so not sensible by itself. We’re working on 2.23.1 2.31.1 already, and will need to fix that too.

cc @mvo

I suspect that it’s not 2.23.1 that’s being worked on? Can you please clarify?

Sorry, 2.31.1.

I’ll be happy to move out of the ones twos and threes.

telegram-latest was last updated more than one year ago (2017-02-07).
It is currently in the fourth revision, therefore it has been in the store for more than a year.

It uses the following plugs,

plugs:
- unity7
- network
- network-bind
- home
- pulseaudio

therefore, if it were malicious, it could send over the network both the Telegram user credentials, and any X.Org information.

I would expect that in telegram-latest, the latest denotes the username of the user. Is that notation enforced? (it’s not the case here).
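The reasoning in the post above (declared plugs plus time since the last update decide what a stale snap could expose), written out as an added example that is not part of the original post and is not snapd or store code. The interface-to-capability mapping, the function names and the review date are assumptions made for illustration.

```python
from datetime import date

# Coarse capability classes per interface. This mapping is an assumption made
# for the example, not an official snapd table.
EGRESS = {"network", "network-bind"}
SENSITIVE = {
    "home": "non-hidden files in the user's home directory",
    "unity7": "the shared X.Org session of the desktop",
    "pulseaudio": "the user's PulseAudio server",
}

def parse_plugs(text):
    """Return interface names from a 'plugs:' block of '- name' items."""
    plugs, in_block = [], False
    for line in text.splitlines():
        item = line.strip()
        if item == "plugs:":
            in_block = True
        elif in_block and item.startswith("- "):
            plugs.append(item[2:].strip())
        elif item:
            in_block = False  # any other non-empty line ends the block
    return plugs

def audit(name, plugs, last_updated, today, stale_days=365):
    """List reasons a reviewer should look closer at this snap."""
    findings = []
    egress = sorted(EGRESS.intersection(plugs))
    if egress:
        for plug in plugs:
            if plug in SENSITIVE:
                findings.append(f"{plug}: {SENSITIVE[plug]} is reachable by a snap "
                                f"that can also use {', '.join(egress)}")
    age = (today - last_updated).days
    if age > stale_days:
        note = f"stale: no update for {age} days"
        if "latest" in name:
            note += ", which contradicts 'latest' in the name"
        findings.append(note)
    return findings

# Plug list and update date as quoted in the post; REVIEW_DATE is constructed.
SAMPLE = "plugs:\n- unity7\n- network\n- network-bind\n- home\n- pulseaudio\n"
REVIEW_DATE = date(2018, 2, 15)

if __name__ == "__main__":
    for finding in audit("telegram-latest", parse_plugs(SAMPLE),
                         date(2017, 2, 7), REVIEW_DATE):
        print(finding)
```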

@simos The “latest” in this case seems to demonstrate an intention of keeping it up to date, but it’s clearly not being met. If we can’t get in touch with the publisher, we may end up having to revoke this name on the basis of it being misleading.

The topic of the username presentation was moved here:

I reached out in September Please revoke telegram-latest

Okay, no replies? I suggest trying once more now, and if we don’t get a reply again it seems fine to go ahead and revoke, on the basis that it has a misleading name, and it has been out of date for a long time, contradicting its name.

I attempted to contact the developer last week as well and having received no response I’ve gone ahead and unpublished telegram-latest.

4 Likes

That is a good point. I guess I was looking at it as being a “trusted” source for the users who may not have the knowledge on how to “vet” packages - and maybe a friendly way for the non-developer/non-snapcrafters community members to “trust” packages. Point taken though!