Request for classic confinement for Kubri

Hi,

I’m requesting classic confinement for kubri as it needs access to the filesystem for both reading user configs and local releases and outputting build artefacts.

Kubri is a build tool which generates & signs APT, YUM & APK repositories from a YAML config.

More infos:

Since most users store their data etc in $HOME or possibly on some removable media, would it be sufficient to just plug home and removable-media respectively?

@adamb - ping, can you please provide the requested information? Thanks!

@adamb ping, this request cannot proceed without the requested information

@adamb - since we’ve not heard back from you, we are removing this request from our review queue. When you have more time to respond, simply do so here and we can add the request back to the queue. Thanks

Hi, sorry for the late reply!

This app can be run anywhere on the system and needs access to the current folder to read the config file. The configuration of the repositories is expected to be committed along with the application itself. See for example Kubri itself which uses Kubri to manage distribution has this file here: kubri/.kubri.yml at master · kubri/kubri · GitHub

So this could be run wherever the user has their repositories locally and although many probably would have them somewhere within their home directory this is not guaranteed.

Hey @adamb

Whilst you are right and there is no guarantee that local repositories will always be under the user’s home directory, I think that the possibility of some users don’t fitting this use case should not be a reason to grant classic to a snap that could be strictly confined.

In my personal opinion, maybe this restriction/limitation should be considered part of the snap confinement/security model, bringing some security benefits as a counter part.

That said, I would really like to see kubri packaged as a snap, so I’ll be happy to support you as much as I can if you decide to make it to work under strict confinement.

Thansk!

@adamb ping, could you analyze @jslarraz comment? I am +1 to encourage you to still snap kubri under strict confinement and providing accesses to the locations users might typically host their repositories