Save BSI metadata in a snap

I like to try to audit a snap before I install it. How do I, for example, know that the krita snap really contains krita and not the latest version of cryptolocker? There is no (easy) way to inspect the interfaces, it may require home and network, and a user called krita tells me nothing; I can make an account called “gimp” and publish my very special gimp to… probably.

Krita is a good example because they actually refer to this snap from their homepage; that creates a chain of trust that links the snap/user krita to the upstream project, and that’s good. But there are plenty of projects out there, especially unofficial snaps, that have no chain of trust. I’d love to discuss ways to solve this, but first my suggestion:

If a user has chosen to publish the snap with build.snapcraft.io, Canonical’s servers actually know exactly from what source and commit the snap was built. I suggest that this information is recorded in the snap (and/or store) and made available for the user to inspect, maybe by adding something under snap info like “Built with the build service from git.example.com commit abc123”.

What do you think?

Snapcraft is way too flexible for this. What if I create a prepare snippet that has the git call (because I need to use special git options I can’t get via the snapcraft builtins …)? What if my source tree just contains a script that does all the building? (I have a bunch of old snaps personally that simply use the make plugin and have a ton of shell in the corresponding Makefile, even many that download binary stuff and simply put it in place.)

The build machines will not reliably know what was built and how; the only reliable thing here would be a proper build log one could read (with enough expertise) to see where what bit came from. So there is no easy way to reliably put such info into “snap info” in a generic way…

You could perhaps put a link to a build log in the metadata, but that also means whoever opens that link needs to be able to understand the build process.

That said, nowadays all snaps put their snapcraft.yaml into the snap which means you theoretically can read it and see exactly what was done …

I’m mostly interested in the chain of trust here, a way for me to validate if I trust the publisher of the snap.

I wrote this post after I found a snap that I liked to use, but it required both home and network, so I liked to make sure it was safe. I Googled the name of the snap and found a GitHub repo, but the versions did not match, so I have no idea if they are the same person/source …

Let’s use one of my own snaps (built with BSI) as an example:

$ snap info konstructs-client
name:      konstructs-client
summary:   "A voxel based game client"
publisher: nsg
contact:   https://github.com/konstructs/client/issues
description: |
  An open source Infiniminer/Minecraft inspired multiplayer game.
snap-id:     vz0NCdgBzBeFaDlSVYCv7zC08ikS6ImI
channels:                          
  stable:    9                (11) 66MB -
  candidate: 9                (11) 66MB -
  beta:      ↑                          
  edge:      4+git165.6c16f07 (66) 70MB -

I have tried to add a chain of trust between the snap and the project. I refer to our GitHub repo (from the snap metadata), and that repo refers to our homepage (and BSI), which refers back to our snap. There is a chain of linkage between the konstructs-client snap, the konstructs/client repo (and the users that have committed there) and the homepage.

My thought was, this is a lot of work and people will not do this. The metadata inside the snap is provided by the user, so it can’t really be trusted unless the repo/webpage refers back. When BSI builds the snap, at least it knows for sure what the source of the incoming webhook is, since it clones that repo; this is the information I’d like to store inside the metadata.

I suggest something like this:

$ snap info konstructs-client --all
name:      konstructs-client
summary:   "A voxel based game client"
publisher: nsg
contact:   https://github.com/konstructs/client/issues
description: |
  An open source Infiniminer/Minecraft inspired multiplayer game.
snap-id:     vz0NCdgBzBeFaDlSVYCv7zC08ikS6ImI
source: https://github.com/konstructs/client.git
channels:                          
  stable:    9                (11) 66MB -   commit:0a1e706d0eab87b3b2f340ef0efeea3c0dd7df98
  candidate: 9                (11) 66MB -
  beta:      ↑                          
  edge:      4+git165.6c16f07 (66) 70MB -   commit:6c16f07a38546f4969f1012508431d535287d86c

(added source and commit)

For the future it would also be nice to add a profile page or something for the publisher, like the one on Launchpad, a place to inspect what projects the user is involved in. But the above suggestion is something simple that would not be too hard to implement.

… or did I miss something? I’m only human so my reasoning may be flawed :slight_smile:
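As an added example that is not part of this thread or of snapd, here is a small Python script that consumes the proposed `snap info --all` layout above (the hypothetical top-level `source:` line and the trailing `commit:<sha>` field on channel lines) and performs the consistency check a user would actually want: the short git hash embedded in a version string like `4+git165.6c16f07` must be a prefix of the commit the build service recorded for that channel. The sample input is constructed from the proposal in this thread.

```python
"""Parse the proposed `snap info --all` output and cross-check each channel's
version string against the recorded build commit.

Assumption (not real snapd behaviour): a top-level `source:` line and an
optional `commit:<40-hex-sha>` at the end of each channel line, as proposed.
"""
import re

# Constructed sample copied from the proposal above; not real snapd output.
SAMPLE = """\
name:      konstructs-client
publisher: nsg
source: https://github.com/konstructs/client.git
channels:
  stable:    9                (11) 66MB -   commit:0a1e706d0eab87b3b2f340ef0efeea3c0dd7df98
  candidate: 9                (11) 66MB -
  beta:      ↑
  edge:      4+git165.6c16f07 (66) 70MB -   commit:6c16f07a38546f4969f1012508431d535287d86c
"""

# Channel lines are indented; a channel with no revision (e.g. "beta: ↑") is skipped.
CHANNEL_RE = re.compile(
    r"^\s+(?P<channel>\w+):\s+(?P<version>\S+)\s+\((?P<rev>\d+)\)"
    r".*?(?:commit:(?P<commit>[0-9a-f]{40}))?\s*$"
)


def parse_snap_info(text):
    """Return {'source': url or None, 'channels': {name: {version, revision, commit}}}."""
    info = {"source": None, "channels": {}}
    for line in text.splitlines():
        if line.startswith("source:"):
            info["source"] = line.split(":", 1)[1].strip()
            continue
        m = CHANNEL_RE.match(line)
        if m:
            info["channels"][m["channel"]] = {
                "version": m["version"],
                "revision": int(m["rev"]),
                "commit": m["commit"],  # None when the build service recorded nothing
            }
    return info


def check_channel(entry):
    """Return 'no-commit', 'mismatch' or 'ok' for one parsed channel entry.

    A snapcraft version of the form N+gitCOUNT.SHORTHASH carries the short
    hash of the checked-out commit; it must prefix the recorded full commit.
    """
    if entry["commit"] is None:
        return "no-commit"
    m = re.search(r"\+git\d+\.([0-9a-f]{7,})$", entry["version"])
    if m and not entry["commit"].startswith(m.group(1)):
        return "mismatch"
    return "ok"
```

A plain numeric version such as `9` carries no hash to compare, so it reports `ok` whenever a commit is present; the recorded commit then has to be checked against the repository itself.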