I’m mostly interested in the chain of trust here, a way for me to validate if I trust the publisher of the snap.
I wrote this post after I found a snap that I liked to use, but it required both `home` and `network`, so I wanted to make sure it was safe. I Googled the name of the snap and found a GitHub repo, but the versions did not match, so I have no idea if they are the same person/source …
Let’s use one of my own snaps (built from BSI) as an example:
```
$ snap info konstructs-client
name:      konstructs-client
summary:   "A voxel based game client"
publisher: nsg
contact:   https://github.com/konstructs/client/issues
description: |
  An open source Infiniminer/Minecraft inspired multiplayer game.
snap-id: vz0NCdgBzBeFaDlSVYCv7zC08ikS6ImI
channels:
  stable:    9 (11) 66MB -
  candidate: 9 (11) 66MB -
  beta:      ↑
  edge:      4+git165.6c16f07 (66) 70MB -
```
I have tried to add a chain of trust between the snap and the project. I refer to our GitHub repo (from the snap metadata), and that repo refers to our homepage (and BSI), which refers back to our snap. There is a chain of linkage between the `konstructs-client` snap, the `konstructs/client` repo (and the users that have committed there) and the homepage.

My thought was: this is a lot of work and people will not do this. The metadata inside the snap is provided by the user, so it can’t really be trusted unless the repo/webpage refers back. When BSI builds the snap, at least it knows for sure what the source of the incoming webhook is, and it clones that repo; this is the information I would like to store inside the metadata.
I suggest something like this:
```
$ snap info konstructs-client --all
name:      konstructs-client
summary:   "A voxel based game client"
publisher: nsg
contact:   https://github.com/konstructs/client/issues
description: |
  An open source Infiniminer/Minecraft inspired multiplayer game.
snap-id: vz0NCdgBzBeFaDlSVYCv7zC08ikS6ImI
source:  https://github.com/konstructs/client.git
channels:
  stable:    9 (11) 66MB - commit:0a1e706d0eab87b3b2f340ef0efeea3c0dd7df98
  candidate: 9 (11) 66MB -
  beta:      ↑
  edge:      4+git165.6c16f07 (66) 70MB - commit:6c16f07a38546f4969f1012508431d535287d86c
```

(added `source` and `commit`)
For the future it would also be nice to add a profile page or something for the publisher, like the one on Launchpad, a place to inspect what projects the user is involved in. But the above suggestion is something simple that would not be too hard to implement.
… or did I miss something? I’m only human so my reasoning may be flawed
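As an added example (not the poster's code and not part of snapd or BSI), here is how a user could mechanically check the chain of linkage described above, given the proposed `snap info --all` format: the `contact` and `source` URLs must name the same repo, every published channel must carry a `commit`, a short hash embedded in the version string must be a prefix of that commit, and the repo's README (stood in for here by a constructed string) must refer back to the snap. The sample output is a constructed, abridged copy of the proposed format; the candidate row has no `commit`, so that check fails on purpose.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the format proposed in the post (abridged). Not real output.
SNAP_INFO = """\
name: konstructs-client
publisher: nsg
contact: https://github.com/konstructs/client/issues
snap-id: vz0NCdgBzBeFaDlSVYCv7zC08ikS6ImI
source: https://github.com/konstructs/client.git
channels:
  stable: 9 (11) 66MB - commit:0a1e706d0eab87b3b2f340ef0efeea3c0dd7df98
  candidate: 9 (11) 66MB -
  beta: ↑
  edge: 4+git165.6c16f07 (66) 70MB - commit:6c16f07a38546f4969f1012508431d535287d86c
"""
# Constructed stand-in for the README fetched from the `source` repo.
REPO_README = "konstructs client. Install it with: snap install konstructs-client"

CHANNEL_RE = re.compile(r"^\s+(\w+):\s+(\S+)(?:.*\bcommit:([0-9a-f]{40}))?")

def parse_snap_info(text):
    """Parse the top-level key: value lines and the indented channel rows."""
    info = {"channels": {}}
    for line in text.splitlines():
        m = CHANNEL_RE.match(line)
        if m:
            chan, version, commit = m.groups()
            info["channels"][chan] = {"version": version, "commit": commit}
        elif not line.startswith(" ") and ":" in line:
            key, _, value = line.partition(":")
            if key != "channels":
                info[key.strip()] = value.strip()
    return info

def repo_key(url):
    """Normalise a repo URL to host/owner/repo so contact and source can be compared."""
    p = urlparse(url)
    parts = [s for s in p.path.split("/") if s][:2]
    return p.netloc.lower() + "/" + re.sub(r"\.git$", "", "/".join(parts))

def check_chain(info, readme_text):
    """Return {check_name: bool}; False marks a link that could not be confirmed."""
    checks = {"contact_and_source_same_repo": repo_key(info["contact"]) == repo_key(info["source"]),
              "repo_refers_back_to_snap": info["name"] in readme_text}
    for chan, rev in info["channels"].items():
        if rev["version"] == "↑":  # channel follows the one above it, nothing to check
            continue
        checks[f"{chan}_has_commit"] = rev["commit"] is not None
        short = re.search(r"git\d+\.([0-9a-f]{7,})", rev["version"])  # e.g. 4+git165.6c16f07
        if short:
            checks[f"{chan}_short_hash_matches_commit"] = bool(rev["commit"]) and rev["commit"].startswith(short.group(1))
    return checks

if __name__ == "__main__":
    for name, ok in check_chain(parse_snap_info(SNAP_INFO), REPO_README).items():
        print(("OK  " if ok else "FAIL"), name)
```

The README check only confirms a back-reference by snap name; a stricter version would also look for the `snap-id`, which a squatter cannot guess.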