Real life identity of verified accounts / star-developer / developer

Hey @all,

after reading the following three links:

h**ps://snapcraft.io/docs/creating-your-developer-account

It seems to me that the developer’s real-life identity is never checked, even on verified accounts. The suggestion is that all communication is done digitally by email or forum posts.

Is this correct?

If not, at what account membership are you verifying the developer’s real-life identity, and how?

Thank you for your help

sh

1 Like

It’s a bit strong to say “never”. Many of the early ‘verified’ developers are as a result of physical meetings.

4 Likes

On the other hand, it’s a bit strong to say “verified” if the latest “verified” developers’ identity is unknown :wink:

I don’t want to do any Ubuntu/Canonical or snap bashing here … I am using Ubuntu and snaps, but if we are using a Canonical-driven snapstore we expect a clear notification that snaps by verified accounts are safe to use or not and all others are not safe to use.

And if the verification process of a verified/star-developer/developer account is faulty, this is not bad, but they have to mention this very clearly.

Edited: registered substituted by “verified”

1 Like

Well, unverified apps aren’t necessarily unsafe to use either.

I don’t know who wrote the JavaScript on this page but my computer still runs it.

I would, however, love to know the answer to your question, but if I gave you a call on Skype and showed you photos from my childhood, does that mean you can actually trust me, or just that you know who to arrest if I step out of line? It’s really the second part that’s key in my opinion: can we really trust somebody if they’re in a jurisdiction where punishment is rarely enforced?

1 Like

I don’t work for Canonical, but I used to. From my experience, I don’t believe there was ever a request to show a government-issued ID to become a verified developer in the Snap Store.

In the early days, when we ‘verified’ a publisher, it was to enable users to be more confident that the application was being published by the upstream developer or a responsible community member representing the upstream developer.

It was never about proving the human meatbag at the other end was a specific human.

No idea what the internal process is now, but I suspect it’s still not doing real-world ID checking. I think the process you’ve seen documented online is what it is. No more, no less.

3 Likes

I was curious, so I queried all the public snaps with something published for amd64 architecture. These are all the verified publishers I could find. There’s not a lot.

2appstudio
ameshkov
aws
basecamp
bitwarden
blenderfoundation
blix
brave
cacherapp
certbot-eff
circleci
cmd
collabee
crystal-lang
domotzpublicstore
dotnetcore
dwellir-snapcrafters
flock-chat
foundry376
google-cloud-sdk
hpoul
inkscape
jgraph
julialang
katacontainers
keepalived-project
krita
lenovo-snap
meltytech
metabrainz-apps
mosquitto
msft-storage-tools
nginx-inc
noderedteam
nodesource
o3de
octave-snap
onlyoffice
opera-software
play0ad
plexinc
postman-inc
projectjupyter
ramboxapp
remmina
rocketchat
rubylang
standardnotes
streamsheets
telegram-desktop
vscode

Not a huge number. These 51 verified publishers are responsible for 98 published snaps, with the other 6233 snaps published by 2699 unverified publishers.

So about 1.5% of snaps are verified by around 1.9% of publishers. Roughly.

This is correct! You are right, my statement was really too short, maybe too provocative. But it helps to wake people up.

If your computer won’t run it or the script does some really evil things, you know who to contact and who is responsible for it (at first sight):

Contact Us

In the event of a critical issue or urgent matter affecting this site, please contact us at https://www.canonical.com.

Yes, you can trust them more than somebody you know only from a computer-chat.

We can state so far that we have some kind of “fraud prevention and detection”-system here but it should be improved. And yes you are right again that we could never make it so secure that it is “metal solid”. But we can try to come much closer.

I would appreciate it if one of the policy reviewers could bring some light into the darkness or confirm what popey said:

1 Like

OK, one month has passed and none of the policy reviewers have responded. Can I conclude from this that this topic is not being pursued?

Anyways …

@James Caroll: Thank you for your answers.

@popey: Thank you for your answers and for your blog. Your post (exodus-bitcoin-wallet-490k-swindle) on your blog prompted me to inquire in more detail here.

Cheers SH

1 Like