Hi,
I’m requesting classic confinement for kubri as it needs access to the filesystem for both reading user configs and local releases and outputting build artefacts.
Kubri is a build tool which generates & signs APT, YUM & APK repositories from a YAML config.
More infos:
Since most users store their data etc in $HOME or possibly on some removable media, would it be sufficient to just plug home and removable-media respectively?
@adamb - ping, can you please provide the requested information? Thanks!
@adamb ping, this request cannot proceed without the requested information
@adamb - since we’ve not heard back from you, we are removing this request from our review queue. When you have more time to respond, simply do so here and we can add the request back to the queue. Thanks
Hi, sorry for the late reply!
This app can be run anywhere on the system and needs access to the current folder to read the config file. The configuration of the repositories is expected to be committed along with the application itself. See for example Kubri itself which uses Kubri to manage distribution has this file here: kubri/.kubri.yml at master · kubri/kubri · GitHub
So this could be run wherever the user has their repositories locally and although many probably would have them somewhere within their home directory this is not guaranteed.
Hey @adamb
Whilst you are right and there is no guarantee that local repositories will always be under the user’s home directory, I think that the possibility of some users don’t fitting this use case should not be a reason to grant classic to a snap that could be strictly confined.
In my personal opinion, maybe this restriction/limitation should be considered part of the snap confinement/security model, bringing some security benefits as a counter part.
That said, I would really like to see kubri packaged as a snap, so I’ll be happy to support you as much as I can if you decide to make it to work under strict confinement.
Thansk!
@adamb ping, could you analyze @jslarraz comment? I am +1 to encourage you to still snap kubri under strict confinement and providing accesses to the locations users might typically host their repositories
ping @adamb - this request cannot proceed without the requested information.
Hey guys,
So what apps, if not ones that can be run from anywhere and require access to the current working directory, would be approved for classic confinement?
I’ve seen similar apps use classic too, for example goreleaser.
Classic is reserved for applications in the supported categories, as per Process for reviewing classic confinement snaps. goreleaser clearly fits in the compilers category, which use to require access to system headers and so on.
I don’t clearly see in which supported category kubri falls. Could you please point it out?
Thanks
ping @adamb, this request cannot proceed without your response. Thanks.
ping @adamb - can you please provide the requested information otherwise we will close this request from our side with no response in 7 days. Thanks.
@adamb - since we’ve not heard back from you, we are removing this request from our review queue. When you have more time to respond, simply do so here and we can add the request back to the queue. Thanks
