Snap build transparency and trust


#1

When we install a snap, how do we know that they are safe?

Do we have access to the build scripts, or is it just a matter of trusting the uploader?

For example, https://snapcraft.io/thunderbird is quite popular. It’s not from Mozilla or the Snapcraft team. How can we audit it to make sure it doesn’t harvest email passwords or run a bitminer, for example?

Docker, for example, will link to the source or display the dockerfile. Flathub will also show the build script on github most time.

Not saying it is malicious, just asking how the trust is established.


#2

Anyone have any insight into this?


#3

the trust in snap is mainly established on a binary/execution level … to harvest any data from your system a snap would have to have access to the respective places on your filesystem which snaps typically do not have by default unless you connect the respective interfaces allowing them to do so … that said, it is indeed good practice to put a link to your snapcraft source into the package description (since we are still lacking a source: field in the metadata AFAIK) … perhaps @kenvandine would be willing to add some hint to the source of thunderbird here …


#4

Does @kenvandine have any relevance other than being the author of that snap? I only used that snap as an example.

And the snaps will get access to the data, users will agree to whatever the default permissions are. For Thunderbird it will know your email password because you enter it yourself. For something like Rambox, you enter all your social media and slack passwords.

For this community to be able to trust the snaps, we need to either trust the author of the snaps, or need to be able to easily see the build process so any diligent community member can raise concerns.

Also, simply linking to the source is not enough if there is no automatic build process, since a malicious snap author could simply upload a snap not based on that source.


#5

I really wish someone from the snap team would weigh in on this, but I am not sure how to properly raise this to their attention. Someone like @popey perhaps?


#6

not really, snaps are exactly designed for not needing to trust the author via the automated store reviews on upload that scan for malicious behaviour along with confinement on the users host and the use of intefaces …

indeed it is true that you give your email password to the email client app you are using … but you can also be sure that beyond this email password this application can not read your ~/.gitconfig or your steam login or whatnot …

not sure if @popey is much closer to the “snap team” than i am … but i moved this post to the snapd category so it will show up in the right queue…


#7

I’m not sure quite what you’re asking.

snap apps can be created and published by almost anyone, and you need to have some level of trust to use any snap. The whole of the snap confinement mitigates the worst cases and tries to make it easier to decide what and when to trust things, and the “verified publisher” checks should bolster that further. However, just as with regular packages, if you don’t trust a snap’s author, don’t install that snap!


#8

Also note: snaps created via build.snapcraft.io or indeed the launchpad build farm directly will have a snapcraft.yaml and a manifest.yaml with which you should be able to rebuild snaps to some degree. They’re not reproducible builds as there are dates and things in there, but maybe this is what you’re after?


#9

… but note too that you can create snaps with toothpicks, duct tape and pliers too, there isnt any requirement to use build.snapcraft.io or even a snapcraft.yaml (or snapcraft itself) to build a snap

… even though the vast majority is surely built using the build service nowadays, the upload scans, confinement (a snap is not actually executed on top of your host rootfs at all, all relevant bits of the sandbox are readonly etc etc) and interfaces are the bits that minimize the attack vector … but indeed you need some level of trust when giving the app credentials that it needs to operate.


#10

You can inspect the snap yourself. Here for example I download the snap from the store, unpack the manifest.yaml which shows what the build was made from, and links to the build in launchpad from where you can get the build log. Does this increase your confidence that the snap contains nothing nefarious?

https://launchpad.net/~ubuntu-desktop/+snap/thunderbird/+build/680989
https://launchpad.net/~ubuntu-desktop/+snap/thunderbird/+build/680989/+files/buildlog_snap_ubuntu_bionic_amd64_thunderbird_BUILDING.txt.gz

alan@KinkPad-K450:~/tb$ snap download thunderbird --edge
Fetching snap "thunderbird"
Fetching assertions for "thunderbird"
Install the snap with:
   snap ack thunderbird_41.assert
   snap install thunderbird_41.snap
alan@KinkPad-K450:~/tb$ unsquashfs thunderbird_41.snap snap/manifest.yaml
Parallel unsquashfs: Using 4 processors
1 inodes (1 blocks) to write

[=====================|] 1/1 100%

created 1 files
created 2 directories
created 0 symlinks
created 0 devices
created 0 fifos
alan@KinkPad-K450:~/tb$ ls
squashfs-root  thunderbird_41.assert  thunderbird_41.snap
alan@KinkPad-K450:~/tb$ ls squashfs-root/snap/
manifest.yaml
alan@KinkPad-K450:~/tb$ grep source: squashfs-root/snap/manifest.yaml
    source: https://github.com/ubuntu/snapcraft-desktop-helpers.git
    source: https://archive.mozilla.org/pub/thunderbird/releases/68.0/linux-x86_64/en-US/thunderbird-68.0.tar.bz2
alan@KinkPad-K450:~/tb$ grep build_url squashfs-root/snap/manifest.yaml 
  build_url: https://launchpad.net/~ubuntu-desktop/+snap/thunderbird/+build/680989

#11

Yes, thank you, that is what I am after!

I think there are several opportunities to display this information in the current snapcraft.io/store. Currently snapcraft only has the “Verified account” badge as a means to vouch for the snap.

Compared to https://hub.docker.com/search?q=&type=image, you can see that they have a few different levels. They use “Official Images” that are made by Docker, “Verified Publisher” that is sort of like the one snapcraft uses. There’s also “Docker Certified” which is above and beyond what I am suggesting here.

However, there are also ways to feel safe in using the ones that don’t carry the above badges, and this is what my point is. Take this one, for example: https://hub.docker.com/r/buildpkg/debian

I can directly and easily see the Dockerfile, and can tell right away that there are no shenanigans going on. I can also see the automatic build logs, so I know that the chain of trust is not broken between the source code and what was uploaded to the Docker repository.

So, my suggestion would be that snapcraft does something similar. Show the contents of the related snapcraft.yaml file directly on the store page (or link to it), and indicate that the build was performed on the build server and therefore matches the snapcraft.yaml recipe. Some sort of “Trusted build process” badge or whatever could also be used.

I think this would go a long way of increasing snap usage as people would be more inclined to trust snaps made by 3rd party developers. Realistically, why should someone trust them otherwise?

It could also help entice new developers as there would be more exposure to snapcraft.yaml files instead of having to go hunting for them. I think it has helped the Docker community by always showing the Dockerfile alongside the container description.


#12

Interesting points, thanks.

We had some discussions in the team recently about verification, and increasing user confidence. I expect these things might get discussed again and perhaps scheduled for the next cycle (starting in November). Everyone has a busy backlog right now, but it’s certainly something we’re aware of and can look again soon.


#13

Great, thank you. :+1:


#14

There are scans yes, but please note that scanning for runtime behavior is fraught. If the user enters a credit card number into a browser snap, there are no scans that would catch the browser exfiltrating the provided data to somewhere else.

It has always been my recommendation that people should consider the publisher when installing a snap in addition to things like classic vs strict, connected interfaces, what data to provide to the snap and ideally, yes, build logs for open source projects.