Snap build transparency and trust

Why don't you suggest validating that the output matches the original build directly through a checksum of the whole snap file?
That seems easier to me than a per-file diff check.
Is there some technical motivation?

Since some comments here have been misinterpreted a few times and since this thread still shows up on the top results of Google, I want to clarify something:

You can already check and trust the complete source code of a Snap today if it's built on either Launchpad, the snapcraft.io build service or GitHub. You do this by looking at the file snap/manifest.yaml and looking for the build_url key. This will give you a link to either Launchpad or GitHub. You can use this link to see whether the manifest is spoofed or not. If it's not spoofed, the manifest contains a recording of everything that was used to build the Snap.

For more information, read Verifying the source of a Snap package.

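As an added example of the manual check described in the post above (this is not snapcraft's own code and not from the thread), the script below pulls snap/manifest.yaml out of a .snap, reads its build_url and decides from the parsed hostname whether it points at Launchpad or GitHub. The accepted host list and the sample manifest are this example's own assumptions; the snapcraft.io build service is treated as Launchpad here because its build records live on launchpad.net. The manifest is still self-reported by whoever built the snap, so passing this check only tells you where to go and look; it does not replace opening the build record at that URL.

```python
"""Locate snap/manifest.yaml inside a .snap and sanity-check its build_url.

Added example, not snapcraft's own code. Assumptions: the manifest carries a
top-level ``build_url:`` key (as the post describes), and a build done on
Launchpad, the snapcraft.io build service or GitHub is identified by a
build_url whose host is launchpad.net or github.com. Which hosts to accept
is this example's own choice.
"""
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

# Hosts this example accepts (assumption; the post only says "Launchpad or GitHub").
TRUSTED_BUILD_HOSTS = {
    "launchpad.net": "launchpad",
    "github.com": "github",
}

# Constructed sample manifest for offline use; the URL and names are made up.
EXAMPLE_MANIFEST = (
    "name: hello\n"
    "version: '1.0'\n"
    "build_url: https://launchpad.net/~me/+snap/hello/+build/123\n"
    "parts:\n"
    "  hello:\n"
    "    build_url: https://evil.example/nested-key-must-be-ignored\n"
)


def build_url_from_manifest(manifest_text: str) -> Optional[str]:
    """Return the value of the top-level build_url key, or None if absent.

    A deliberately line-based parse so it runs without PyYAML. Only an
    unindented ``build_url:`` line counts, so a same-named key nested under
    another section (see EXAMPLE_MANIFEST) is ignored.
    """
    for line in manifest_text.splitlines():
        if line.startswith("build_url:"):
            value = line.split(":", 1)[1].strip()
            # Strip one layer of YAML quoting around the URL.
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]
            return value or None
    return None


def classify_build_url(url: Optional[str]) -> str:
    """Map a build_url to 'launchpad', 'github' or 'untrusted'.

    Compares the parsed hostname exactly, so lookalikes such as
    https://launchpad.net.evil.example/ or https://evil.example/github.com/
    do not pass, and plain http:// is rejected as well.
    """
    if not url:
        return "untrusted"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "untrusted"
    host = (parts.hostname or "").lower()
    return TRUSTED_BUILD_HOSTS.get(host, "untrusted")


def extract_manifest(snap_path: str) -> str:
    """Read snap/manifest.yaml out of a .snap (a squashfs image) with unsquashfs.

    Needs the squashfs-tools ``unsquashfs`` binary on PATH; the snap is only
    read, never mounted or installed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "root"  # unsquashfs refuses an existing -d target
        subprocess.run(
            ["unsquashfs", "-q", "-d", str(dest), snap_path, "snap/manifest.yaml"],
            check=True, capture_output=True,
        )
        return (dest / "snap" / "manifest.yaml").read_text()


def check_snap(snap_path: str) -> str:
    """Full pipeline: extract the manifest, read build_url, classify it."""
    return classify_build_url(build_url_from_manifest(extract_manifest(snap_path)))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        verdict = check_snap(sys.argv[1])
    else:  # no snap given: run against the constructed sample instead
        verdict = classify_build_url(build_url_from_manifest(EXAMPLE_MANIFEST))
    print(verdict)
```

Run it as `python3 check_build_url.py some.snap` (name assumed) to get `launchpad`, `github` or `untrusted`; with no argument it evaluates the built-in sample. An `untrusted` verdict means the manifest points somewhere other than a Launchpad or GitHub build record, which is exactly the case where the "is the manifest spoofed?" question cannot be answered from the manifest alone.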