Request Classic Confinement For Graft

store-requests classic-confinement
1

name: graft Snap ID: GSF8EWCHoTtL5iKTYWd4u2pbwjU1hdfq Publisher: Shahariar Munir (skssmd) description: Agentless deployment tool extending Docker Compose to cloud via SSH. snapcraft: Graft/.goreleaser.yaml at main · skssmd/Graft · GitHub (Managed via GoReleaser) upstream: https://github.com/skssmd/Graft upstream-relation: I am the author and maintainer of the Graft project. supported-category: compilers/architectures/IDEs/developer tools reasoning: Graft is a CLI deployment engine that requires classic confinement for the following technical reasons:

  1. Global Registry & Configuration: Graft maintains a global registry of Cloudflare zones and server metadata in the user’s home directory (~/.graft/). It needs to persistently read and write to this hidden directory to manage credentials and state across different projects.

  2. Arbitrary Project Access: Graft operates on graft-compose.yml and docker-compose.yml files located within the user’s project directories. These projects are often located outside the standard home folder (e.g., on external drives or custom development partitions), requiring unrestricted filesystem access.

  3. Local Git Metadata Inspection: The tool inspects the local .git directory to extract commit hashes and repository info. This allows for automated deployment tagging and version tracking without requiring manual user input or GitHub API tokens.

  4. Native Shell Integration: Graft invokes the host’s native shell and system ssh binary to provide an interactive remote terminal experience. This allows Graft to leverage the user’s existing SSH environment and binary while establishing agentless connections to cloud infrastructure.

Given that Graft serves a similar purpose to tools like docker-compose, terraform, or ansible (which all typically require classic confinement), strict confinement would break the core functionality of agentless remote management.

I understand that strict confinement is generally preferred over classic.

I’ve tried the existing interfaces to make the snap to work under strict confinement.

2

This request has been added to the queue for review by the @reviewers team.

3

Hey @skssmd

Given the provided reasoning I think graft should be perfectly functional under strict confinement:

  1. can be achieved via personal-files interface
  2. home and removable-media interfaces are usually enough for most cases.
  3. i think confinement does not block this access at all
  4. Staging ssh client in your snap should be the way to go.

Additionally, classic confinement is a sensitive matter and it is reserved for mature, well-known applications published by mature, well-known entities. As of today, I believe that graft doesn’t meet this criteria because of the following reasons:

  • The project seems to be very fresh, according to the upstream repository

  • The projects seems to have little/none community around according to upstream repository (contributors, issues, PRs, etc.)

  • I could not find evidences that the project has a strong enough user base currently

Thus, considering these factors, I think graft should not get classic confinement as of now.

Thanks!

1 Like