Please revoke telegram-latest

My output is identical to @sergiusens’ above. Publisher listed as “pain7”:

name:      telegram-latest
summary:   Telegram Desktop Client latest
publisher: pain7
contact:   Dev9Ar@gmail.com
description: |
  Telegram is a popular messaging protocol with encryption ...
snap-id:     2HRsGY7THIQWdKvzbrHACxrwUZuuDiWA
channels:              
  stable:    1.0.5 (4) 29MB -
  candidate: ↑              
  beta:      ↑              
  edge:      ↑
$ snap info telegram-latest
name:      telegram-latest
summary:   Telegram Desktop Client latest
publisher: Saleh

bizarre!

$ snap version
snap    2.31
snapd   2.31
series  16
ubuntu  17.10
kernel  4.13.0-32-generic
$ # core 16-2.31 (4017, candidate)

Looks like 2.31 changed the developer username column to show display name, was that intentional?

Note in the details API response these are “origin” and “publisher” respectively, for historical reasons.

No, that’s definitely not intentional. The display name is not unique and can be changed, so not sensible by itself. We’re working on 2.23.1 2.31.1 already, and will need to fix that too.

cc @mvo

I suspect that it’s not 2.23.1 that’s being worked on? Can you please clarify?

Sorry, 2.31.1.

I’ll be happy to move out of the ones, twos and threes.

telegram-latest was last updated more than one year ago (2017-02-07). It is currently in the fourth revision, therefore it has been in the store for more than a year.

It uses the following plugs,

plugs:
- unity7
- network
- network-bind
- home
- pulseaudio

therefore, if it were malicious, it could send over the network both the Telegram user credentials, and any X.Org information.

I would expect that in telegram-latest, the latest denotes the username of the user. Is that notation enforced? (it’s not the case here).

@simos The “latest” in this case seems to demonstrate an intention of keeping it up to date, but it’s clearly not being met. If we can’t get in touch with the publisher, we may end up having to revoke this name on the basis of it being misleading.

The topic of the username presentation was moved here:

I reached out in September Please revoke telegram-latest

Okay, no replies? I suggest trying once more now, and if we don’t get a reply again it seems fine to go ahead and revoke, on the basis that it has a misleading name, and it’s been out of date for a long time, contradicting its name.

I attempted to contact the developer last week as well and, having received no response, I’ve gone ahead and unpublished telegram-latest.

That is a good point. I guess I was looking at it as being a “trusted” source for the users who may not have the knowledge on how to “vet” packages - and maybe a friendly way for the non-developer/non-snapcrafters community members to “trust” packages. Point taken though!