Assume a snap is being pushed on each commit through build.snapcraft.io to the edge channel. The developer promotes the release to the other channels when necessary.
What happens when a build/stage package is updated in the archive?
Currently the developer wouldn’t know to trigger a new build of their software. For an active project, it may be that, coincidentally, on a recent push to master they get new build/stage packages as a byproduct, but unintentionally.
What can we do to assist developers hooking their software up to our build service to ensure they deliver secure updates to their users promptly? Is there a plan to notify a developer of CVEs in affected build/stage packages? Will this come out of the work to build a comprehensive manifest file?
Yes, we do plan to have a system that warns developers about the fact that their snaps are affected by a CVE, and indeed we’ll use the manifest information for that purpose.
I’m not sure about how high in the roadmap the task is at the moment. @sergiusens will have more details about the manifest part at least.
There are two halves to this: first, enable it, which we already have the code for (make an MP to tell build.snapcraft.io to generate these); then have the store side of the work for presenting this.
The work is a target for 18.04, so it will definitely be done by then; how soon in the cycle I cannot say.
On our side, we are pretty much done and have been iterating with the security team on the actual data and details; and it is the snapcraft version that has been on the release path for the past weeks.
Given we are starting to spec the required work store-side, we were wondering if this feature[1] will eventually be enabled by default[2], or if it would be an optional flag[3] to pass when building the snap.
[1] it seems to be behind the SNAPCRAFT_BUILD_INFO env var, right?
[2] any ETA?
[3] including this manifest file would be an optional thing for developers?
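The thread above talks about using the manifest that snapcraft writes when SNAPCRAFT_BUILD_INFO is set as the input for CVE warnings. The following is an added example of what the store-side (or a developer's own CI) check could look like; it is not snapcraft's or the store's code. It assumes the manifest lists build-packages and stage-packages as "name=version" entries, embeds a constructed manifest fragment and a constructed advisory table (package to fixed version), and compares versions with a re-implementation of the dpkg version-ordering rules (epoch, then upstream, then revision, with "~" sorting before everything) so that a staged package older than the fix is flagged.

```python
"""Flag manifest packages older than a known fix (added example, not snapcraft code).

Assumptions: the manifest produced with SNAPCRAFT_BUILD_INFO set lists
build-packages and stage-packages as "name=version" items; FIXED_IN is a
constructed advisory table, not real CVE data.
"""
import re

# Constructed manifest fragment in the assumed format.
SAMPLE_MANIFEST = """\
snapcraft-version: 2.39
build-packages:
- libssl-dev=1.0.2g-1ubuntu4.10
- gcc=4:5.3.1-1ubuntu1
stage-packages:
- libssl1.0.0=1.0.2g-1ubuntu4.10
- libcurl3=7.47.0-1ubuntu2.7
- zlib1g=1:1.2.8.dfsg-2ubuntu4.1
"""

# Constructed advisory table: package -> first version containing the fix.
FIXED_IN = {
    "libssl1.0.0": "1.0.2g-1ubuntu4.12",
    "libcurl3": "7.47.0-1ubuntu2.7",
    "zlib1g": "1:1.2.8.dfsg-2ubuntu4.1",
}


def _split(version):
    """Split a Debian version string into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    head, sep, tail = version.rpartition("-")
    return (epoch, head, tail) if sep else (epoch, version, "")


def _order(c):
    """dpkg character weight: '~' lowest, end-of-string 0, letters, then others."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """dpkg's verrevcmp: alternate non-digit runs (lexical) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():   # longer digit run is the larger number
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_manifest(text):
    """Return {name: (section, version)} from the *-packages lists."""
    packages, section = {}, None
    for line in text.splitlines():
        if re.match(r"^(build|stage)-packages:\s*$", line):
            section = line.split(":")[0]
            continue
        m = re.match(r"^-\s*(\S+?)=(\S+)\s*$", line)
        if section and m:
            packages[m.group(1)] = (section, m.group(2))
        elif line and not line.startswith("-"):
            section = None   # some other top-level key ends the list
    return packages


def find_vulnerable(manifest_text, fixed_in):
    """Return [(section, name, installed, fixed)] for packages older than the fix."""
    hits = []
    for name, (section, version) in parse_manifest(manifest_text).items():
        fixed = fixed_in.get(name)
        if fixed is not None and compare_versions(version, fixed) < 0:
            hits.append((section, name, version, fixed))
    return hits


if __name__ == "__main__":
    for section, name, installed, fixed in find_vulnerable(SAMPLE_MANIFEST, FIXED_IN):
        print(f"{section}: {name} {installed} is older than fixed version {fixed}; rebuild needed")
```

Only libssl1.0.0 is reported for the sample: libcurl3 and zlib1g are already at the fixed version, and a naive string comparison would have mis-ordered "4.10" against "4.12" style revisions and epochs, which is why the dpkg ordering is reproduced rather than approximated.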