Could you please identify if ORAS fits within any of those categories?
Our use case fits into this one: kubernetes tools requiring arbitrary authentication agents . ORAS can be used to upload and download container images. Other K8S tools are expected to share the auth config and agents with ORAS.
Have you considered if
personal-filesorsystem-filesmight be able to be used to satisfy this?
Since the file path is user-specified, we need to enable ORAS snap to access(read and write) files in every folder of $HOME, as well as every system files. I am not sure if it’s doable and it’s seems better not to sandbox those config files.
Would you be able to package those binaries into the snap using
stage-packages?
No we can’t. ORAS is expected to support any binaries compliant to the authentication mechanism and it’s not possible to enumerate all the applications during build(snapcraft) time.
All in all, ORAS has the exact issue discussed in Personal-files request for kontena-lens - store-requests - snapcraft.io and Classic confinement for kontena-lens - store-requests - snapcraft.io. To me ORAS should not be sandboxed.