I’ve been working on a snap for percollate. This is a node-based commandline app which converts websites into pretty pdf or epub files. It renders these through puppeteer (Chrome) via Mozilla’s Firefox Reader View. My intention is to pass this package upstream when it is ready.
The upstream package uses the Chrome sandbox by default. Running the snap under strict confinement without plugs or plugging `browser-support` causes a segfault. Possible solutions to this are:
- Set the command to `percollate --no-sandbox` by default.
- After discussion with @cjp256 at the snapcrafters VC on Friday, he recommended toggling on `allow-sandbox: true` to the `browser-support` plug. This builds a functional snap which does not require `--no-sandbox` but gets rejected from store upload.
What is the best way to go forward with this? It seems counterintuitive to disable Chrome’s sandboxing in the interests of “security”. Which option is safest? Could I reassure upstream that automatically passing `--no-sandbox` is a sensible approach? If the second approach is best, can I request permission for this app, please?
The WIP snap source is at https://github.com/mcphail/percollate-snap .
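
The two options from the post, side by side, as an added `snapcraft.yaml` fragment. This is not taken from the linked repository: the plug alias `browser-sandbox`, the command path `bin/percollate` and the `network` plug are assumptions made for illustration.

```yaml
# Added illustration, not the percollate-snap source.
# Assumed names: plug alias "browser-sandbox", command path "bin/percollate".

# Option 2: keep Chrome's own sandbox working under strict confinement.
# allow-sandbox: true widens what the snap may do so that Chrome can set up
# its sandbox; per the post, a snap declaring it is rejected at store upload
# unless permission is granted for the snap.
plugs:
  browser-sandbox:
    interface: browser-support
    allow-sandbox: true

apps:
  percollate:
    command: bin/percollate        # no --no-sandbox needed
    plugs:
      - browser-sandbox
      - network                    # assumption: needed to fetch pages

# Option 1: drop Chrome's sandbox and rely on snap confinement alone.
# browser-support without attributes defaults to allow-sandbox: false.
# Whether this variant needs the plug at all is an assumption here.
#
# apps:
#   percollate:
#     command: bin/percollate --no-sandbox
#     plugs:
#       - browser-support
#       - network
```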