Hi, we kindly ask for automatic-connection for both “dot-local-share-applications” and “dot-local-share-icons” for vivaldi, to help with creating the required files when PWAs are made.
This is our snapcraft.yaml
There is an obvious requirement here for all Chromium-based browsers, see:
Thank you,
Ruarí from Team Vivaldi
P.S. See also this request.
Ok, it seems even adding these to our snapcraft.yaml caused a requirement for human review. If anyone can do that as well, I would appreciate it.
human review required due to 'allow-installation' constraint (bool) declaration-snap-v2_plugs_installation (dot-local-share-applications, personal-files)
human review required due to 'allow-installation' constraint (bool) declaration-snap-v2_plugs_installation (dot-local-share-icons, personal-files)
Similarly to the discussion in the linked topic, allowing write access to ~/.local/share/applications allows a trivial sandbox escape. @alexmurray - has there been any alternative since this was discussed for chromium?
No, there is no other mechanism, however @vivaldi is a Verified Account so I don’t think there should be any problem with granting such a privileged interface. As such, +1 from me.
in that case, +1 from me as well
Ok, it looks like I have to remove the “dot-local-share-applications” and “dot-local-share-icons” changes I made from our snapcraft.yaml for now as every build I make is just stuck in review (because of this) and I have a security update to get out
Ok, I reverted that change for now: Reverting PWA fix · vivaldi/snapcraft@6a414f0 · GitHub
We still want to have PWAs working but I cannot have it hold up the security update.
It seems that removing that removing that change has not helped and we are still stuck in review for all builds from now on. That is problematic as we are trying to get a security update out based on Chromium ESR (Extended Stable Release) 130.0.6723.129. This is pretty much the same build as Chrome 130.0.6723.127 which was released on the 12th of November 2024 https://chromereleases.googleblog.com/2024/11/extended-stable-updates-for-desktop.html. This ESR release has many of the same security fixes as 131.0.6778.69 https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_12.html, at least one of which is rated as HIGH (CVE-2024-11110) plus a number of medium security fixes.
The review status means we cannot update the Snap package with these important security fixes, along with a bunch of our own fixes, including:
I will update our rpm/deb and (unofficial) flatpak in the mean time but Snap users will have to wait, which is a shame and perhaps gives the impression that Snap packages are less important to us (they aren’t).
@alexmurray Anything you could do to assist? See above.
EDIT: Ok my colleague pointed out I could reject old reviews to move the queue along using the following https://dashboard.snapcraft.io
+2 votes for, 0 votes against, granting auto-connect of system-files interfaces dot-local-share-applications and dot-local-share-icons to snap vivaldi. The publisher is verified. This is now live.
