Requesting classic confinement for the mockzilla snap. It’s an OpenAPI mock engine CLI that reads user-supplied OpenAPI spec files from arbitrary filesystem paths and executes user code-generation toolchains, neither of which strict confinement’s interfaces can cover.
This request has not been added to the review queue. It should be placed in the appropriate store-requests subcategory using the subcategory template for classic-confinement, privileged-interfaces and aliases requests.
This request has been added to the queue for review by the @reviewers team.
Not a @store reviewer, however, you should check out:
- About the classic-confinement category - store-requests / classic-confinement - snapcraft.io
- Reviewing classic confinement snaps - Snap documentation
and adjust your application.
Thanks @Lin-Buo-Ren, expanding the request per the linked docs.
What mockzilla is
An OpenAPI mock-server CLI written in Go. Two modes:
- portable reads an OpenAPI spec at runtime and serves it as a live HTTP mock.
- codegen invokes the user’s Go toolchain to generate a typed mock server they then compile.
Why classic confinement is required
1. Read user-supplied OpenAPI spec files from arbitrary filesystem paths
Users pass spec paths anywhere their workflow keeps them: /tmp/spec.yaml, repos under /srv, /opt, /var, NFS mounts, CI scratch dirs. The path is chosen at invocation time.
Interfaces considered:
- home: covers only $HOME. Specs are routinely outside it.
- removable-media: only /media and /mnt.
- system-files: requires a static, snap-author-declared allowlist. No allowlist can cover “wherever the user keeps their specs”.
- personal-files: static allowlist under $HOME, same constraint.
2. Execute the user’s code-generation toolchain
Codegen mode spawns go, oapi-codegen-dd, and optional formatters from the host’s $PATH. These binaries are user-installed and version-specific. Bundling them inside the snap would pin one Go version and one plugin set, which defeats the point of using the user’s own toolchain.
No strict-confinement interface grants a snap the ability to exec arbitrary binaries from the host $PATH.
3. Write generated source to user-chosen output paths
Codegen writes Go source files into the user’s project directory, which has the same arbitrary-path constraint as #1.
Why devmode is unsuitable
Devmode snaps cannot be promoted to the stable channel, so the project cannot ship a production CLI via devmode. Devmode also emits security warnings that mislead users.
Process check
I’ve read [About the classic-confinement category] and [Reviewing classic confinement snaps] and structured the request to match. Happy to adjust further based on review.
Hey @mockzilla
Before even starting to discuss the technical reasons, I don’t think mockzilla fits under any of the supported categories for classic confinement, which is a hard requirement. These categories are defined in Reviewing classic confinement snaps - Snap documentation. Moreover, classic confinement is a sensitive matter and is reserved for mature, well-known applications. I could find at least three different projects using this name, and I don’t think any of them clearly meets these criteria as of now.
If you disagree with these two concerns, could you please provide evidence that points in a different direction?
Thanks
Thanks for the quick review and for the honest feedback.
You’re right on both counts - mockzilla doesn’t fit any of the classic confinement categories, and it’s too early in its lifecycle to argue the “mature, well-known” bar. I should have looked at strict confinement first; the app is a Go static binary that runs an HTTP server and reads OpenAPI spec files, which is exactly what strict + network, network-bind, home, removable-media covers.
I’d like to withdraw the classic confinement request. I’ve already updated snapcraft.yaml to confinement: strict with the appropriate plugs and will publish under strict instead.
Apologies for the noise.
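
For readers following the thread, a sketch of what a strict-confinement snapcraft.yaml with the plugs named in the last post can look like. This is an added example, not the project's actual file: the base, version, summary, description, command path and parts section are assumptions or placeholders.

```yaml
# Added illustration, not mockzilla's real snapcraft.yaml.
name: mockzilla
base: core24                 # assumption; use the base the project targets
version: "0.0.0"             # placeholder
summary: OpenAPI mock server CLI            # placeholder wording
description: |
  Reads an OpenAPI spec at runtime and serves it as a live HTTP mock.
grade: stable
confinement: strict          # replaces the withdrawn classic request

apps:
  mockzilla:
    command: bin/mockzilla   # assumed install path of the Go binary
    plugs:
      - network              # outbound network access
      - network-bind         # listen on a port to serve the mock
      - home                 # non-hidden files under the user's $HOME
      - removable-media      # /media and /mnt
      # Deliberately absent: system-files / personal-files, which need a
      # static allowlist and further store review. Specs kept elsewhere
      # (/tmp, /srv, /opt, ...) are not readable with this plug set.

parts:
  mockzilla:
    plugin: go
    source: .                # placeholder
    build-snaps: [go]        # Go toolchain used at build time only
```

The removable-media plug is not connected automatically on install, so users who keep specs under /media or /mnt need to run `snap connect mockzilla:removable-media` once.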